The date is set, and the countdown has well and truly begun: now, as marketers ready themselves for the enforcement of GDPR, thoughts inevitably turn to the issue of data privacy. This is, of course, a challenge that the industry has faced many times before, though with GDPR the stakes are now higher than ever.

First, it’s important to note that while GDPR does differ from previous legislation, it is not calling for a wholesale transformation of all your organisational processes. Indeed, the Information Commissioner’s Office (ICO) has always been clear that if a business has made efforts to follow industry best practices when it comes to data privacy, then preparing for GDPR is less of a leap and more of a small hop!

The legislation places the consumer – officially – at the heart of data privacy discussion. New rights such as the right to be forgotten and data portability are relatively minor changes but carry a major implication: when it comes to data, organisations must always act in the best interest of their customers.


The real change can be summed up in a single word: accountability. Organisations are now going to be held to account for their actions; the onus has shifted from proving that you haven’t done anything wrong, to proving that you’ve done everything right.

Documentation, will be crucial. It would be naïve to think that following the implementation of GDPR there will be no more data breaches – after all, hackers are working around the clock to steal consumer information – however, organisations need clear proof that they have done everything in their power to prevent this from happening.

Consumer privacy can’t be an after-thought, but must be built into the core of any strategy. When working with high risk data or implementing new technology, Data Protection Impact Assessments (DPIA) are a must, and should take place at the start of the project, before even the first steps have been taken.

I’d encourage all marketing departments to take a cold, hard look at the processes they currently use, put them under the microscope and test them against potential risk to consumers’ data. If the risk is too high, then you need to add in security levels that can help mitigate it, change the process entirely or not process that data.

Going Forward Together

While there is a lot of fear around GDPR, it’s worth noting that the ICO has very publicly stated that it wants to work with the industry. And it’s likely that people will make mistakes – we are only human – but that doesn’t mean your organisation is going to be automatically hit with an eye-watering fine. Those organisations with comprehensive documentation that have followed the legislation need not worry, it is those who flagrantly ignore the call to accountability that should be wary.

Part of the apprehension comes from the fact that the consequences of GDPR are forcing boardrooms to shine a spotlight onto an area that has typically been overlooked. Board directors who have tended not to think about data have heard the headline fines in GDPR and are now asking probing questions of their marketing departments. Unfortunately, the lack of guidance has meant many businesses adopted a wait-and-see approach while the uncertainty of Brexit slowed down UK response times further. Ultimately, people have waited longer than they should, and many marketing departments are in for a stressful run as we move towards Friday 25th May.

Change for the Better

At its heart, GDPR is an opportunity for organisations – not a threat! When done right, GDPR compliance will make brands more customer focused, allowing them to build stronger more genuine relationships with consumers which should be better for business in the long run.

There is, however, a big challenge in ensuring that privacy statements are communicated to consumers using language that can be easily understood. Ultimately, as this is a matter of law, ensuring that wording is compliant means it will likely fall to an organisation’s lawyers to make sure everything is above board and consumers have all the information they need to make a consenting decision about whether to share their data.

While this may work in theory, in practice it is not so clear cut. For most of us the jargon and technical terms of ‘legalese’ is a foreign language. I’ve sought to address this in my role as Chair of the Responsible Marketing Committee at the Direct Marketing Association (DMA) and we’re currently working on a project to develop standardised iconography surrounding data privacy, ensuring that customers can quickly and easily figure out what’s going on (and whether they want to supply their consent).

Although it has been a long time coming, the arrival of GDPR heralds a new era in discussion over data privacy. It ably demonstrates that customers are now better aware of the value of their data than ever before. Giving them the power to share however is vital in their role as consumers; and in those terms the move to add accountability has never been more important.

By Skip Fidura, Client Services Director, dotmailer

GDPR Summit Series is a global series of GDPR events which will help marketers to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Further information and conference details are available at

comments powered by Disqus