GDPR for marketers: What do you need to know?


The General Data Protection Regulation (GDPR) has arrived in full force (pretty much), and although the effect it'll have on the majority of businesses is yet to be realised, one of the major sectors it'll impact straight from the off is marketing.

The ICO is already pretty active in fining businesses that don't comply with the UK's existing Data Protection Act and there are numerous examples of this - including a penalty for a PPI firm that made 8.7 million unsolicited calls to those who were completely unaware of their services. That particular company was charged 300,000 for non-compliance.

But the GDPR will significantly increase the value of fines. In fact, businesses could be charged up to 20 million, or 4% of a company's global turnover (whichever is higher) if they fail to comply with the new regulations - a vast amount of money for any company, let alone a small business and certainly enough to put a company into administration.

Marketers are likely to be one group targeted harshly by the ICO and so it's vital anyone in marketing carefully considers what their duties are and how they can make sure they sit on the right side of the law when it comes to data privacy.

Obtaining consent

One of the most important points of GDPR is that data must only be collected for a specific purpose and that purpose must be made crystal clear to those you're collecting data from.

Although it makes the process of collecting data more difficult, it will ensure that customers only receive emails they have opted in to and are happy to receive. If you want to use the data for a purpose other than that specified, you will have to gain further consent.

Another factor is explicit and informed consent. EU residents must give this type of consent, which rules out the use of pre-checked boxes or any attempt to get a form of implied consent.

Consent plays a big role in digital marketing. The data controller and processor have to adhere to a clear set of restrictions. The rule around consent is that it is a "freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to him or her".

What is personal data?

What constitutes personal data is greatly expanded from previous definitions enforced by the UK. It now includes identifiers such as IP addresses, cookies, mobile IPs and even search engine searches. This will be an issue for marketers' digital efforts, as cookies are not generally collected with a person's consent.

GDPR also applies to automated personal data and to manual filing systems where personal data are accessible according to specific criteria.

The EU: in or out?

It also won't matter that your business is outside the EU. If you have any personal data on EU residents, your organisation needs to comply with the rules. Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR.

Making sense of it all

It makes sense for marketers to put compliance front and centre of their efforts to protect and use customer data. It will likely present a temporary issue for marketers. This means a changed approach to database building, data management, and the collection of consumer data.

Clare Hopping
Freelance writer

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.

Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.

As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.