A helpful guide on GDPR for Marketing


In today’s world of Social Media, Artificial Intelligence and smartphones, personal data is being collected at an alarming rate. So much so, that personal data has been recognised as the world’s most valuable resource according to The Economist (May 2017). This is down to how much it now informs the way companies correspond with their customers and how it undoubtedly impacts the customer experience.

On the 25th May 2018, the EU brought in the new General Data Protection Regulation, or GDPR, replacing the 1995 Data Protection Directive. This new legislation, which has taken over 4 years to draft and refine, is designed to inform the decisions of marketers and help safeguard personal data in all EU member states.

So, what is GDPR?

The General Data Protection Regulation (GDPR) is a new digital privacy regulation which was introduced on the 25th May 2018. Across the EU, one central set of standardised regulations will protect users in all member states.

Hold on, what about Brexit? On 21 June 2017 the UK Government revealed its legislative programme for the coming two years. As well as pressing ahead with the UK’s withdrawal from the European Union, the Government has confirmed its intention to bring the EU General Data Protection Regulation (the “GDPR”) into UK law, ensuring the country’s data protection framework is “suitable for our new digital age, allowing citizens to better control their data.”

Why are they introducing GDPR now?

The biggest reason for introducing the GDPR now is that the current EU data privacy regulations are still based on a document that was first adopted in the 1980s (later updated in 1995 & 1998 in the UK).

It should be fairly obvious then, that the data privacy principles that the EU currently works to are pretty outdated. They don’t take smartphones, social media, or even advanced web technology like Artificial Intelligence (AI) into consideration.

Shockingly, Symantec’s State of European Privacy Report shows 90% of businesses believe it’s too difficult to remove customer data and 60% do not have the processes in place to do so.

When it comes to GDPR, the stats are even more worrying. The study shows that companies that use customer data the most don’t fully understand how they should use it, while 41% of marketers admit to not fully understanding best practices, or the law, around the use of consumers’ personal data.

In a modern world, where we are constantly at threat from cyber security breaches, ransomware attacks and identity theft, the Government has identified a clear need for companies to do more to protect the personal data of businesses and individuals. The GDPR has been designed to put the power back in the hands of the consumer, so they are more in control of their personal information.

Whilst we’re on the subject of keeping your consumer data safe…does your website have an SSL certificate?
If you take any form of payment online, you must have an SSL certificate to protect your customers and yourself from fraud. Google has now started to rank websites based on how secure they are, so this is more important than ever. Speak to us today about getting an SSL certificate for your website. Prices start from just £120 per year.

How does GDPR impact marketing?

Data Permissions

Data permission is all about how you manage email opt-ins – people who request to receive promotional or informative material from you. You need to make sure you’ve actively sought (and not assumed) permission from your prospects and customers, confirming they want to be contacted.

A pre-ticked box that automatically opts them in won’t cut it anymore – opt-ins need to be a deliberate choice in a ‘freely given, specific, informed, and unambiguous’ way.

Form Examples

Now’s the perfect time to change your site to record explicit opt-in.
Ask for our ‘opt-in, tune-up’ service to get your site compliant which starts at £99. Or if you don’t currently use forms to collect consumer data, speak to us today about how we can help you make a start collecting data safely. Prices start from £149.

Data Access

The right to be forgotten has become one of the most talked about rulings in EU Justice Court history. This means that the Data Controller (you) has the obligation to erase all data concerning the prospect or customer, without delay. Conditions for this might include withdrawal of consent, unlawful processing or illegitimate use of data.

As a marketer, it will be your responsibility to make sure that your users can easily access their data and remove consent for its use.

This can be as straightforward as including an unsubscribe link within your email marketing template, and linking to a user profile that allows users to manage their email preferences (as shown in the example below from Twitter.)

Twitter Example

Or, why not talk to us about building an ‘opt-out landing page’ for you. These start from as little as £199.

Data Focus

GDPR requires you to legally justify the processing of the personal data you collect.

What this means is that you need to focus on the data you need, and stop asking for the “nice to haves”. If you really need to know a visitor’s shoe size and favourite film, and can prove why you need it, then you can continue asking for it. Otherwise, avoid collecting any unnecessary data and stick with the basics.

What marketing areas are affected most by GDPR?

Email marketing

For B2B marketers, email addresses are often considered the start of the sales process. A user who willingly gives you their email address in exchange for more information, such as by signing up to your mailing list or downloading a piece of content, is known as an “opt-in”.

This is in utter contrast to firms that buy email lists or scrape (or copy) them from a website. Under the new GDPR regulation, buying lists (or scraping them) will be strictly forbidden.

The new regulations should result in cleaner, more relevant data. From a marketing perspective, that’s brilliant news.

Marketing automation

If your marketing automation system sends out emails on behalf of your CRM system, then you could be facing eye-watering penalties from the ICO if an email is sent automatically to someone who has opted out.

You need to make sure that every name in your CRM database and every email in your automation system has given you permission to market to them. And, if someone opts out of an automated email sequence, you must ensure that both systems are updated to ensure that no further emails are sent.

The cost of failing to comply

The deadline for the GDPR in May 2018 is slowly creeping up on us, and many businesses have already switched into “panic mode” to make sure they’re compliant way ahead of time. The trouble with this is that it can lead to mistakes. And these mistakes can be costly, with fines of up to €20 million or 4% of your global turnover. Yikes!

“These mistakes can be costly, with fines of up to €20 million or 4% of your global turnover.” (privacy-regulation.eu)

Especially as the Information Commissioner’s Office (ICO) starts to clamp down on the misuse of personal data.

In fact, the ICO has already reported a number of incidents involving household brand names who have tried to use well-known email activation strategies to reach out to their database. One of those campaigns, which was sent out by Morrisons, asked customers if they wanted to be contacted by email and to update their preferences. However, those customers had previously opted out, which is a serious breach of compliance.

Morrisons fined £10,500

In late 2016, UK supermarket chain Morrisons re-launched their “Match & More” loyalty program.

In an attempt to get more members to take advantage of their offers, they sent out an email to all 230,000 email addresses in their database, asking members to update their account preferences. Unfortunately, this included 131,000 customers who had previously opted out and unsubscribed. This slip-up led to a fine of £10,500. Nothing compared to the potential €20 million fines once the GDPR kicks in, but still a scary thought for most of us.

More importantly, in this instance, it was a customer that reported Morrisons to the ICO. Now that customers are starting to take action into their own hands, businesses must be even more careful. You need to be 100% sure that the subscribers you’re sending emails to have opted-in.

Wait! GDPR can be a golden opportunity for marketers.

This new legislation isn’t a set-back. It’s a great opportunity for marketers to do what they do best – create engaging, targeted, marketing campaigns.


People do business with people. Even better, people do business with people that they know, like, and trust. Building trust comes through projecting transparency. You need to be upfront and honest about who you are and what you’re doing.

If you can demonstrate that an individual’s data is being treated with respect and held securely, then you will strengthen both trust and engagement with your customers.

Gaining consent

With the General Data Protection Regulation (GDPR), you need explicit consent to use an individual’s data. Your customers can also ask you exactly what information you have on them, who it is shared with, and the purposes it has been used for.

Now, instead of a simple yes or no option when asking customers about data, you can provide them with a range of options – so that they (and you) can find out what they’re actually interested in.

This will give you a better insight into each individual’s interests so you can provide them with information that they really want to receive, and further segment your audience. Focusing your communications based on specific interests, rather than sending a “one size fits all” email campaign will get your brand serious brownie points!

A few more tips on GDPR for marketing

There are some things that you can start doing right now to make sure your business is GDPR compliant ahead of May 2018.

1. Start auditing your mailing list now – Remove anyone where you do not have a record of their opt-in. For new clients & subscribers, ensure you make it crystal clear what you intend to use their data for, with opt in and opt out options for individual subjects.

2. Review the way you’re currently collecting personal data – If you’re still buying mailing lists, now might be the time to start fresh with a new mailing list.

3. Know where your data is kept – If you hold customer data, understand exactly what systems this data exists on and make sure you know the steps required to edit or remove it. Symantec’s State of European Privacy Report found that 90% of businesses believe it’s too difficult to delete customer data, and that 60% do not have the systems in place to help them do so.

4. Invite visitors to add themselves to your mailing list – You can keep your mailing list neatly segmented by creating specific pop ups for different topics, such as product news, blog posts and general company news. Just remember to link to your privacy policy.

5. Start centralising your personal data collection into a CRM system – Make sure your users can access their data, review its proposed usage, and make any changes they wish to.

6. Understand the data you’re collecting in more detail – Is it all absolutely necessary, or are there elements that you could do without? When it comes to sign up forms, only ask for what you need, and will actually use.

Is your marketing team ready for GDPR?

We’ve put together a helpful interactive checklist, guiding you through some of the steps you need to take with your website and digital marketing to make sure you’re compliant before 25th May 2018.

GDPR isn’t designed to stop businesses from communicating with their customers. It will in fact lead to an increase in quality data, which is why the best and most resourceful marketers are seeing the bigger picture – that it’s an opportunity to dive deeper into the needs of their prospects and customers, rather than using a blanket “one-size-fits-all” approach to marketing.

The key principle for GDPR compliance is quite simple – don’t assume people want to hear from you! Don’t contact someone unless they specifically ask you to. Don’t cold contact them. Don’t send them irrelevant information that they didn’t request.

If you can do all that, then you’re already on your way towards being GDPR compliant.

What Next?

If you’re already one step ahead, then why not talk to us about what you can do with data. We will be looking to host a number of short training sessions to educate small businesses on the best ways to harness the power of Google Analytics and how to monitor their web presence.

If you’d like more information on any of the services mentioned above, call us on 0333 121 2013 or pop an email to [email protected] and we’ll get back to you.