
Posted by Dave Lister on 18 January 2018

How marketing professionals can prepare for new data protection regulations

The General Data Protection Regulation (GDPR) will come into force on the 25th of May 2018, meaning that by this date, all organisations that hold and process data from EU residents must conform to this law (and will be fined if they don’t!). So, what does this mean for marketing professionals? And which steps do you have to take to ensure your marketing practices are in line with the new regulation? In this article we’ll talk about the impact of changing regulations on marketing practice and what you can do to comply.

What is the GDPR?

The GDPR is a new EU regulation that enforces stricter laws on data storage and processing. The legislation applies to all businesses who hold or deal with any personal data belonging to any EU resident (this includes businesses outside the EU). Personal data refers to any data which can be used to identify a particular individual. This could be anything from a name and email address to an IP address, cookie information or anything in between.

The GDPR consists of 99 articles which set out the rights of individuals and obligations placed on organisations covered by the regulation. These include allowing individuals to have easier access to the data companies hold about them, a new fines regime and a responsibility for organisations to be more transparent about the way they process and store personal data, including the obligation to obtain active consent from the people they collect information about. 

GDPR in practice: Preparing your business 

Regardless of the size of your company, the changing regulations mean that you'll have to review and make changes to the way you handle your data. We’ve compiled a list of steps every business needs to take to ensure data compliance before the May deadline:

  1. Implement education programmes and/or training to raise internal awareness of data privacy issues
  2. Conduct a data audit to map data flows
  3. Update your website’s privacy policy
  4. Hire or appoint a Data Protection Officer
  5. Review the process of asking for, recording and managing consent from your customers
  6. Launch a repermissioning campaign (to ensure pre-existing consents are compliant)  
  7. Implement processes to ensure disposal of and/or access to personal data when an individual requests this.
  8. Implement processes to allow the secure transfer of personal data from one environment to another.
  9. Check compliance from third-party services (e.g. your CMS, CRM, Marketing Automation platforms etc.)

If you want to know more about how to prepare your business for the new data regulation, check out this handy list of GDPR resources created by the Information Commissioner’s Office (ICO).

How does the GDPR impact marketing?

As a marketer it is very likely that you rely on data collection for lead generation and nurturing. The GDPR will have an impact on the way you store and use this data, so take the time to familiarise yourself with the implications to ensure compliance and avoid fines.

The 3 key areas marketers need to worry about are data consent, data access and data maintenance. In this article we’ll set out the marketing practices that will be most affected by those areas:

1. Email Marketing

The GDPR states that before you can send a marketing email to prospects you will need to obtain their explicit permission to do so. This means you can’t just send promotional emails to anyone who signs up for your product or service, or use purchased mailing lists for direct marketing purposes (unless all people on the list have given prior consent).

Email list subscribers will also need to be able to easily withdraw their consent (unsubscribe from your mailing list), access their data and exercise their ‘right to be forgotten’. Under the GDPR, marketers will also need to start keeping records of all instances in which consent was given. This includes detailed information about what people have given permission for, the information they were given which facilitated consent, and the method of consent.

2. Marketing Automation

Marketing automation is a powerful tool, helping marketers to optimise and automate lead generation. But this is also where the danger lies. Marketers need to ensure their systems are up-to-date at all times and that the system only sends out communication to people who have given you permission to market to them. When set up in the right way, however, your marketing automation system can be a great tool to help manage and record consent.  

3. Downloads and subscriptions 

Personal data that has been collected as a result of someone requesting to download content from your website can only be used to send a link to the requested content. Marketers are no longer allowed to use personal data from people who’ve downloaded content from their website for the distribution of other marketing communications. The only way around this is to ask your prospects for their permission (i.e. to receive additional marketing communications, sign up for blog updates or receive your newsletter) at the moment they sign up or request information.

4. Cookies 

Many marketers use cookies to collect information about the way people use their site. As cookies are classed as personal data under the GDPR, the change in regulations will affect your cookie policy. Does this mean you are no longer able to track and analyse the behaviour of your website visitors? No. But it does mean they'll have to give you permission to do so, and you have to offer them an easy way to withdraw this permission through an active opt-out option.

GDPR in practice: Obtaining consent

In the past, any disclaimers outlining the use of personal data would have been hidden in lengthy privacy policy pages full of legal and corporate jargon. However, in line with the new regulation, the purpose of data collection has to be unambiguous, clear and simple at the point of consent. So, how do you ensure you are being clear and specific about the way you will use your customers’ data?

We’ve set out some guidelines and examples below:

1. Consent requests must be made separate from your terms and conditions and consent shouldn’t be a precondition of signing up to a service (unless that service specifically requires it).

2. People have to make an active decision to opt-in. Don’t use pre-ticked boxes or any other type of consent by default.  

[Image: opt-in and opt-out example]

3. Use a double opt-in process to ensure the person you are contacting has agreed to your communications, e.g. by sending an email to verify the subscription.

4. Consent needs to be purpose specific. Give people the option to consent separately for different types of communication wherever appropriate.

[Image: Hyundai subscription preferences example]

Hyundai allows subscribers to select what kind of information they want to receive. They even provide email samples and the option to personalise based on the subscriber’s interest. The toggle buttons are a good example of an active opt-in method.

5. Don’t just name your organisation, but also provide the names of any third parties who will be relying on consent. A category defined as third-party organisations will not be acceptable under the GDPR.

[Image: Age UK consent form example]

In the example above, Age UK clearly states which third-party organisations will have access to and are responsible for handling your data.

6. People need to be informed about why you are collecting their data and what you’re going to do with it.

[Image: BBC sign-up form example]

In this example from the BBC, clear information is provided about how the person’s data will be used.

7. Inform people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent.

[Image: Red Cross fundraiser sign-up example]

When you sign up to become a fundraiser the Red Cross ask for permission to sign you up for their mailing list. They also clearly explain how you can withdraw your consent in case you decide to change your mind.

Now that you've updated your consent forms, it's time to start looking at the way you manage and record this vital information. 

GDPR in practice: Recording and managing consent 

Under the GDPR, all companies will need to maintain records of the consents they have – i.e. what users were told and how, when and where they gave consent. 

For companies that have more than 250 employees, there’s an additional need to have documentation on why people's information is being collected and processed, descriptions of the information that's held, how long it's being kept for and descriptions of technical security measures in place.

If you can’t provide this information, you risk hefty fines. So start today by implementing clear data management processes which guarantee the correct handling of personal data under the GDPR.

Will the GDPR require new consent from existing customers?

In most cases, the answer to this question is “no”. For email marketing the rules are straightforward: do not send marketing messages to individuals unless they are a customer (on the grounds of “legitimate interest”) or they have opted in to receive them when they signed up to your mailing list.

The GDPR states that it is not necessary for the data subject to give his or her consent again if the manner in which the consent was given is in line with the conditions of the regulation. In other words, if the consent was “unambiguous” and you have records that demonstrate when and where (and for which channels) the people in your database have provided consent, you can continue to rely on that consent post-GDPR.

Launching a repermission campaign

So what if the individuals in your mailing lists have given their consent to receive marketing communications, but you aren’t able to demonstrate when, where and how you’ve obtained their consent? In this case you have two options: (1) you delete their personal data from your database or (2) launch a repermission campaign to record their consent. 

Note that repermissioning campaigns can only be sent to individuals who have previously opted in to receive marketing messages. If you are unsure whether someone has given consent to receive your emails, it is best to delete those contacts from your email lists. Sending emails to determine whether people want to receive marketing without the right consent (e.g. to individuals who have previously opted out) is against the law and can lead to hefty fines.
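The consent-recording requirement described under “Recording and managing consent” and the keep / repermission / delete decision described in the two paragraphs above can be expressed as a small consent ledger. The code below is an added example written for this page, not code from the original post or from any vendor; every class, field name and sample contact in it is an assumption constructed for the illustration. It records what the person was told, the purpose, and how, when and where consent was given, refuses consent by default (a pre-ticked box), completes a double opt-in with a single-use token, closes consent on withdrawal, and only allows contact for exactly the purpose consented to.

```python
"""Consent ledger for marketing email, added as an example (not code from the post).
It keeps what the sections above say a marketer must be able to show (the wording
shown, the purpose, and how, when and where consent was given), handles double
opt-in and withdrawal, and triages legacy contacts into keep / repermission / delete.
All class, field and sample names are assumptions constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import secrets

EXAMPLE_TIME = datetime(2018, 1, 18, tzinfo=timezone.utc)  # constructed timestamp


@dataclass
class ConsentRecord:
    email: str
    purpose: str                             # e.g. "newsletter", "product_updates"
    statement_shown: str                     # the exact wording the person saw
    method: str                              # e.g. "unticked_checkbox", "toggle"
    given_at: Optional[datetime] = None      # when consent was given
    source: Optional[str] = None             # where: form id, page URL, event name
    confirmed_at: Optional[datetime] = None  # set when the double opt-in link is used
    withdrawn_at: Optional[datetime] = None  # set when the person opts out

    def is_demonstrable(self) -> bool:
        """True when the record shows when, where and how consent was given."""
        return self.given_at is not None and bool(self.source) and bool(self.method)


class ConsentLedger:
    def __init__(self) -> None:
        self.records = []   # every ConsentRecord ever taken, including withdrawn ones
        self._pending = {}  # one-time tokens awaiting double opt-in confirmation

    def request(self, email, purpose, statement_shown, method, source, now) -> str:
        """Stage 1 of double opt-in: store the record, return the verification token."""
        if method in ("preticked_checkbox", "default"):  # consent by default is refused
            raise ValueError("consent by default is not valid consent")
        rec = ConsentRecord(email, purpose, statement_shown, method, given_at=now, source=source)
        self.records.append(rec)
        token = secrets.token_urlsafe(24)
        self._pending[token] = rec
        return token

    def confirm(self, token, now) -> bool:
        """Stage 2: the person used the link. Tokens are single-use."""
        rec = self._pending.pop(token, None)
        if rec is None:
            return False
        rec.confirmed_at = now
        return True

    def withdraw(self, email, purpose, now) -> int:
        """Close every open consent for this purpose; returns how many were closed."""
        closed = 0
        for rec in self.records:
            if rec.email == email and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = now
                closed += 1
        return closed

    def may_contact(self, email, purpose) -> bool:
        """Send only on a confirmed, unwithdrawn, demonstrable consent for this purpose."""
        return any(r.email == email and r.purpose == purpose and r.confirmed_at is not None
                   and r.withdrawn_at is None and r.is_demonstrable() for r in self.records)


def triage_legacy_contacts(records):
    """keep: opted in and demonstrable; repermission: opted in but when/where/how
    is missing; delete: opted out, or no evidence of an opt-in at all."""
    keep, repermission, delete = [], [], []
    for r in records:
        if r.withdrawn_at is not None or r.confirmed_at is None:
            delete.append(r.email)
        elif r.is_demonstrable():
            keep.append(r.email)
        else:
            repermission.append(r.email)
    return keep, repermission, delete


def demo() -> dict:
    """Run the flow on constructed data and return the decision at each step."""
    t, ledger, out = EXAMPLE_TIME, ConsentLedger(), {}
    token = ledger.request("ann@example.com", "newsletter",
                           "Email me the monthly newsletter; unsubscribe in one click.",
                           "unticked_checkbox", "signup_form_v3", t)
    out["before_confirm"] = ledger.may_contact("ann@example.com", "newsletter")
    ledger.confirm(token, t)
    out["after_confirm"] = ledger.may_contact("ann@example.com", "newsletter")
    out["other_purpose"] = ledger.may_contact("ann@example.com", "product_updates")
    ledger.withdraw("ann@example.com", "newsletter", t)
    out["after_withdraw"] = ledger.may_contact("ann@example.com", "newsletter")
    legacy = [  # constructed pre-existing contacts
        ConsentRecord("keep@example.com", "newsletter", "old wording", "unticked_checkbox",
                      given_at=t, source="old_form", confirmed_at=t),
        ConsentRecord("ask@example.com", "newsletter", "old wording", "unticked_checkbox",
                      confirmed_at=t),  # opted in, but no record of when or where
        ConsentRecord("drop@example.com", "newsletter", "unknown", "unknown"),  # no evidence
        ConsentRecord("out@example.com", "newsletter", "old wording", "toggle",
                      given_at=t, source="old_form", confirmed_at=t, withdrawn_at=t),
    ]
    out["triage"] = triage_legacy_contacts(legacy)
    return out
```

Two design points worth noting: withdrawn records are never deleted from the ledger, because the record of a withdrawal is itself the evidence that you stopped sending; and a contact with no demonstrable opt-in never reaches a repermission list, which keeps the triage consistent with the advice above that such contacts are deleted rather than emailed.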

Need help?

We hope this post will help you and your business prepare for the GDPR. If you have any questions about the content in this article or need help conducting a GDPR website audit - please don’t hesitate to get in touch. Also keep an eye out on ICO’s General Data Protection Regulation (GDPR) page as they’ll be publishing regular updates leading up to the May deadline.

The content in this blog post is not to be considered legal advice and should be used for information purposes only.
