What Marketers Need to Know About GDPR


As a marketer or digital marketer, your job is to get the word out about your organization’s products and services. With the advent of new data privacy laws like the European Parliament’s General Data Protection Regulation (GDPR), which went into effect May 25th, 2018, your job just got more difficult.

Under this large-scale data protection law, citizens have greater control over their consumer data privacy, including how organizations use their personal data and what processing activities they carry out. GDPR is by no means all doom and gloom. Compliance is necessary on many levels, and protecting end-user data should be important to all countries.

In order to better understand the impact of the General Data Protection Regulation on your business, it is necessary to first get a baseline of what GDPR is and how supervisory authorities want it to be implemented.

What Is GDPR?

This data protection act, at its core, is a legal framework. The framework outlines data protection rules around what is and is not allowed with the collection and processing of personally identifiable information (PII) for citizens of the European Union (EU).

The GDPR data protection regime is focused on individuals in the EU, which includes all EU countries and member states. It will also affect companies in the United States that do business with customers in the EU.

The regulation and its supervisory authorities are meant to oversee the protection of personal data and the cybersecurity measures that guard it. This is similar to the California Consumer Privacy Act, but for EU citizens. There are seven key principles for the lawful collection and processing of personal data. The seven principles are:

  • Lawfulness, fairness, and transparency – Personal data needs to be fairly and transparently processed in a lawful manner when it belongs to an individual. Examples of personal data include genetic data, identifiers, biometric data, and IP addresses to name a few.
  • Purpose limitation – Data must be collected for a specific and legitimate purpose and not processed in a manner that is incompatible with the initial purpose.
  • Data minimization – Data subjects must be kept in a form which permits the identification of subjects for no longer than is necessary for the purpose of data processing.
  • Accuracy – Every reasonable step must be taken to ensure that personal data is accurate, is processed for its intended purpose, and is erased without delay.
  • Storage Limitation – Personal data may be stored longer than its initial purpose, but only if the data will be processed for scientific, historical, or statistical purposes.
  • Integrity and Confidentiality – Personal information must be processed in a manner that ensures the security of the data, including protection against unauthorized access or unlawful processing. Specific care must be given to accidental damage, destruction, and loss.
  • Accountability – Controllers and processors of data are accountable for their processing and must demonstrate compliance.

The seven GDPR principles set out to define the lawful processing of personal information. Data processing includes alteration, collection, communication, erasure, restriction, storage, and use.

Which Aspects Of GDPR Matter For Marketers And Marketing Campaigns?

With a solid understanding of GDPR requirements, which areas should marketers pay special attention to? Typically, marketers have extensive databases, email marketing initiatives, and operations. The seven GDPR principles have become top of mind for marketers but there are a few areas that especially matter. The three areas of most concern are data collection, data permission, and data storage/processing/erasure.

Data Collection

Data collection can come in many forms. Now that there are sweeping data privacy laws, it is often recommended that organizations appoint data protection officers to help manage the privacy risk around the data they collect.

When it comes to data collection, whether you are talking about email opt-ins, survey collection, website data collection, social media, or e-book downloads, individuals must now consent to any wider use of the data.

A good example of the GDPR process: a user opts in to receive an artifact from your website, and you collect the user’s information (like first name, last name, and phone number).

Before you can use that information again for any other reason, you must contact the user and get permission. The key is to add specific consent points: the user must agree to the terms and conditions, and separately opt in to additional content like a newsletter or email list.

Data Permission

When collecting customer data to, say, convert a newsletter signup into a lead, be careful about what information is collected. Remember, the collected data must be scoped to a specific purpose and relevant only to that initial purpose.

An example of collecting only the right information is a web form gathering details in exchange for a whitepaper. For the form and data collection to be GDPR compliant, the questions need to stay in the spirit of the whitepaper.

Ask yourself: do I really need to know how many people are in the prospect’s household, or how long they have lived at an address, if the information I really need is a first name, last name, and email address?

Data Storage/Processing/Erasure

As you learned above, any data that you collect and store must only be used for specific and legitimate purposes. You are only allowed to use marketing data for the purpose for which it was collected.

If you plan to share the data you collected with another company, you need to have the consent of the person that you collected the data from. Organizations must also make sure that the stored data is protected at rest and in transit. This protection extends to access, alteration, destruction, disclosure, and loss of PII data.

The Marketer’s GDPR Checklist

For typical marketers, or service providers, the GDPR checklist is as follows:

Do you process or store EU citizen information? – First and foremost, when it comes to your GDPR checklist, determine whether you process or store the personal data of EU citizens before doing anything else. While strong data governance practices are a great idea for any organization, if you cannot be certain that you hold no EU citizens’ data, you need to conduct a data protection impact assessment to ensure you’re handling it properly.

Do you have the staff to implement the proper controls? – Information technology and information security teams are critical to GDPR compliance. Data processors need to understand how to protect personal information and how to support decision-making around upcoming initiatives such as database inventory, privacy policy, information requests, breach prevention, and database life cycle management.

Update your privacy policy – The privacy policy must be visible, concise, easy to access, and transparent. The policy will provide a meaningful overview of your intent to use and store information that anyone can understand.

Do you use website cookies? – You are required to inform visitors to your landing page or website what types of cookies you use and get explicit consent. Be sure to look at all the marketing automation and publishing tools you use to make sure you’re including the right verbiage about your cookies.

Inventory your current database – What sensitive data do you have in your database today? Under GDPR you should be looking to include things like where the customer or prospect lives, opt-in data points, and overall data protection.

Once you know what you have, re-opt in – Once your database is up to date it is time to prove that your customers and prospects have accepted your new terms of service, privacy policy, and opt-in. The best way to do this is via email acceptance or web form.

Who else has access to your database? – As a marketer, you may share information with other firms and grant them access to personal data. Make sure you know who has the “right of access” to your database and what they can do with the information. This goes both ways: if another organization grants you access to the data they hold, make sure they are following policy.

The new normal of information requests – Automation and orchestration of information requests is critical in GDPR compliance. Make sure that customers and prospects can view in real-time what data you have, how it is being used, and give them the ability to opt-out or unsubscribe with full erasure in real-time.

Assume Breach – A good rule of thumb in information security is to assume breach. There are harsh penalties for non-compliance and organizations that suffer a data security breach and fail to have safeguards in place. Look at frameworks like Zero Trust in order to minimize or prevent breaches and seek legal advice before making sweeping changes.


Being a marketer in the post-GDPR era is going to be different. Many organizations are having to rethink the way they approach marketing, and in many cases hire a data controller. But they can also use the shift to their advantage and avoid personal data breaches within their organization. Customers and potential customers should be enticed by the added value of a GDPR-ready organization.

Consumers are clamoring for transparency and want to know how their data will be used. With data breaches on the rise, marketers that focus on security first will be the ones that companies gravitate towards. What, after all, is peace of mind worth?
