The General Data Protection Regulation (GDPR) is just around the corner. Coming into force on May 25th 2018, the new regulation aims to overhaul the integrity and transparency of data protection within the EU.

The regulation will apply to organisations around the world that process or handle the personal data of people living within European Union borders, and will change how companies obtain and explain consent for new and existing customers whose personal details are stored within CRM systems and other databases.

What are the risks of non-compliance?

Non-compliance puts organisations at risk of being hit with fines to the tune of €20 million or 4% of global annual turnover.

Beyond financial levees, firms not seen to be processing data compliantly – even displaying an individual’s personal data on a computer monitor is deemed as data processing – put their trustworthiness in customers’ eyes at risk and stand to lose hard-won industry reputation.

So after the smoke from the headline risks clears, what are the real-world implications for marketing teams?

Broadly speaking, GDPR will significantly clip the wings of a data hoarding culture that has seen companies and marketing teams hang on to personal information for no clear reason. Marketing teams need to prepare to only hold data that is relevant for the purpose, and the citing of a new purpose will call for further consent from the individual in question.

In turn, this will call for storage overhauls, with investigations being made into databases to identify and delete information as necessary, and to ensure that consent has been given for all pieces of data in line with new practice under GDPR.

It is important to note that GDPR is not a tick box exercise. Rather, compliance depends on an evidenced and ongoing commitment to how marketing teams meet the new legal requirements. In all likelihood, this will start with organisations creating a fresh data privacy notice for customers and clients. A fundamental change is that now consent will have to be obtained properly and explained in an easy-to-understand way for the data subject.

Data subjects must give evidenced consent. What does ‘consent’ mean?

No longer to be assumed or buried beneath a landslide of technical jargon, ‘consent’ of the data subject “means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (the General Data Protection Regulation).”

Marketing departments will have to record how and by whom consent was given, and the data subject must be just as easily able to withdraw their consent at any time. Again, each of these steps must be evidenced.

Crucially, staff will not be legally able to process data under GDPR if they have not had the required training. If a data breach is discovered, the first knock will come on the door of HR and training records will have to be evidenced. Inadequate training will be an aggravating factor to any potential fines, whereas good practice will be a mitigating factor.

A stronger data subject bond

Ultimately, GDPR will be about transparency and working with customers to establish more precise, honest relationships. And this is how it should be, after all – the consumer knowing exactly why they’re communicating with you, knowing the value of that communication, and trusting that data exchanged is handled with a responsibility that befits the digital age.

For more information on the next Roadmap for Marketers, visit the website. This one day conference will explore the effects that GDPR will have on marketing processes, and will provide attendees with a roadmap to compliance.

By Stephen White, Features Editor, Digital Marketing Magazine

GDPR Summit Series is a global series of GDPR events which will help marketers to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Further information and conference details are available at

comments powered by Disqus