The EU’s General Data Protection Regulation (GDPR) comes into effect in 2018, and its implications for marketing are significant and far-reaching.

A particularly wide-ranging regulation, it’s supposed to improve – and simplify – data protection for EU citizens, residents, and businesses. The scope of the GDPR has stoked fears among many in the enterprise community; some see the laws as draconian, complicated, and antithetical to their commercial interests.

And while the UK’s impending exit from the EU will affect several areas of public and private life, it won’t affect the need for its businesses to comply with the legislation. The GDPR affects any organisation that collects and processes the data of an EU citizen – so there will be few UK businesses that will never have to comply with it, and by 2019 at the very earliest, there will be none.

But what does it actually mean for marketers – and what can they do to adjust to it?

How the GDPR affects marketing

The GDPR is not quite as stringent as many fear, but it does affect marketing in three critical areas.

The first is regarding opt-ins, opt-outs, and consent regarding communications. The GDPR mandates that consent must be ‘freely given, specific, informed, and unambiguous’, and articulated by a ‘clear affirmative action’. That means you can’t assume consent based on ‘inactivity’, and that a pre-ticked box isn’t going to cut it. Prospects and customers must agree that their data can be used and that they can be contacted.

The second is the much-discussed right to be forgotten. The GDPR is designed to confer more control to individuals over how their data is collected and used – and this means giving them some means of accessing and removing their data. They can do this when there’s no legitimate reason to process their information, when they withdraw consent for it to be used on the original terms, and when it’s been unlawfully processed.

The third change is to the legal basis for processing personal data. Practically speaking, this will necessitate better housekeeping on the parts of marketers – and less collecting data for unnecessary, or frivolous reasons.

How marketers can prepare for the GDPR

Fail to comply with the GDPR and you may be subject to extremely high penalties: for some breaches, the fine may be around €20 million or 4% of global annual turnover (the greater figure); for others, the fine is €10m or 2% of global annual turnover. While in practice, you likely won’t face these fines, you will need to adjust your approach to collecting and processing data.

This doesn’t have to be a bad thing. Collecting data indiscriminately doesn’t benefit marketers: it hinders them. Some 42% of B2B marketers believe that a lack of quality contact data is the single biggest barrier to lead generation; 51% of email marketers believe the same. Focusing on accumulating and processing important, useful, and legally compliant information is a smart move – and if the GDPR provides some incentive for that, then marketers will be better off for it.

Of course, to comply with this legislation, it’s necessary to understand it – and while there is no formal requirement to appoint a dedicated Data Protection Officer, for businesses of a certain size it could still be a good idea. Having an expert on hand to work with the IT department will help them understand their obligations, negotiate any grey areas, and avoid the potential calamity of noncompliance. Crucially, they’ll be able to undertake routine data audits and understand whether your company is remaining compliant over time.

Marketers also need to set themselves up to react appropriately to requests to view, amend or destroy prospect or customer data. While they don’t yet have to provide online access, they need to be able to facilitate some kind of access: it will be a legal right, and though many may choose not to exercise it, it is good practice to make it as easy as possible for those who do.

Finally, it’s going to cost you in terms of time and money. Educating your team, adjusting your systems, and reordering your strategy for full compliance will take manpower and financial resources – allocate them in advance of 2018 and you’ll be in a far better position.

A new age of marketing

The GDPR will likely cause temporary difficulties for marketers. They may well need to change their approach to database building, data management, and the collection of consumer data. Nonetheless, the introduction of this regulation won’t be unmanageable. For example, the deluge of “right to be forgotten”-inspired information requests that critics anticipate probably won’t materialise. It will be a fine time to be a marketing services provider or a lawyer specialising in data protection regulation, but more than anything, the major change is the degree to which marketers – and all other data processors – are required to take responsibility for the way they collect information.

We are accountable to our prospects and customers as well as our bosses and coworkers. The GDPR is a frustrating, multi-layered piece of legislation – as all transcontinental regulations are – but if nothing else, it serves as a timely reminder of this principle.


By Jason Lark, managing director at Celerity


GDPR Conference Europe will be taking place on 27th April 2017 and will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

The GDPR Conference Europe has been specifically designed for business generalists rather than data protection or privacy specialists and will provide delegates with a comprehensive picture of the new regulations and a practical understanding of the implications and legal requirements needed for compliance.

Further information and conference details are available at


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.

comments powered by Disqus