It is less than a year until the new EU-wide General Data Protection Regulations (GDPR) come into force. Starting May 25, 2018, organisations could face potential heavy penalties for misuse of consumer data in a bid to give EU citizens better control of their personal information. According to a recent survey from the Direct Marketing Association, around a quarter (24%) of companies have yet to start a plan of attack, while only a little over half think that their organisations will be ready for the 2018 deadline. But what does the GDPR really mean for marketers and how can you take steps to address it now, so you don’t leave it too late?

What the GDPR means for marketers

The purpose of the GDPR is to unify data privacy principles and practices across Europe, giving EU citizens more control over their data and increased capacity to dictate how organisations may use that data. If you have an EU data subject that you are marketing to, then regardless of where you are located in the world you will have to comply with the GDPR.

Previous EU directives addressing customer data were more like digital rules, and have been interpreted in many different ways by different EU member states - some countries, such as Germany, have much more restrictive interpretations of existing methods than others, like the UK. Conversely, the GDPR is a law, meaning that all countries will have to abide by it in the same way.

The GDPR is the most comprehensive law coming into effect for the last 20 years, and will affect every company in some way, shape or form. It will most certainly have a dramatic effect on digital marketers. To begin with, there will be a lot of confusion. Can you track someone using their data? Can you share this data with third parties? If a customer wants to leave, do they have the right of erasure, and will companies have to return certain data? At the moment, it’s a very grey area, especially as the definition of personal data has been expanded to include online identifiers such as cookies and IP addresses. However, it is also a chance for marketers to reassess the data value exchange between business and user, and I believe it will ultimately lead to better digital marketers.

What should companies do to prepare for the GDPR?

If you’re a marketer in any sector, it’s important that you are thinking about your current data acquisition and customer contact practices and how these need to be adjusted in order to meet compliance. Come May 25th, companies will need to show that they are working to comply with the regulations, and those found non-compliant could very well be hit with a substantial fine.

The first thing I would advise marketers to do today is research how the GDPR affects them and their company, and re-evaluate their outreach and onboarding strategies. The essential thing to establish is that a consent trail exists so that it’s clear which data your customers have agreed to share. 

Reviewing who is responsible for obtaining consent

Once you’ve reconnected with your customer database to ensure their consent statements will be GDPR-compliant, the next step you as a marketer can take today is to review contracts. Companies’ contracts will need to be updated within the media supply chain to clarifying exactly who has the obligation to obtain consent, and also who has the obligation to provide transparent information about how customers’ data is used.

Each country will have a Data Protection Authority (DPA) that will coordinate GDPR compliance; in the UK, the Information Commissioner's Office (ICO) is that body. They have a lot of great information that will provide you some insights on what is required and how to prepare for the new rules of the digital road.

As a result of all the confusion and dread around the GDPR, the directive will definitely take some time to get used to. However, marketers must remember that it could ultimately improve the customer experience, which in turn will make us better digital marketers in the long run.


By David Fowler, chief privacy & digital compliance officer at Act-On


GDPR Summit Series will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at 

The GDPR Summit Series has been specifically designed for business generalists rather than data protection or privacy specialists and will provide delegates with a comprehensive picture of the new regulations and a practical understanding of the implications and legal requirements needed for compliance.

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.

comments powered by Disqus