How will GDPR affect digital marketers in 2018?

Successful marketing activity rests on the collection of useful personal data. From engaging in email marketing to using Google Analytics to track visitor activity on your website, marketers must change their approach to data gathering and processing, and start implementing the changes necessary to comply with a rather important new law.

The EU’s General Data Protection Regulation (GDPR) comes into force on 25th May 2018. This affects how businesses and organisations in the EU – or working with those inside the EU – use and manage personal data. There are few businesses out there today which do not use personal data in some capacity, whether it be client data, supplier data or employee data.

But data, and the clever use of data, is everything for marketers. Data is insight. Data allows marketing companies to drive sales and source leads. The GDPR will have an impact on a marketing company’s ability to use personal data to target specific consumers.

The ICO have created a 12 step plan, which you can find in full here.

General Data Protection Reg 1 - How will GDPR affect digital marketers in 2018?

Image credit:


  • Consent and the ‘right to be forgotten’
    The crux is consent. Consent must be obtained before a company can use someone’s personal data. According to the GDPR guidelines, consent should be ‘freely given, specific, informed, and unambiguous’. The ‘data subject’ must actively give consent for their personal data to be used. In other words, opt in boxes should not be pre-ticked – the data subject must choose to tick the box. And if you want to use an individual’s personal data for more than one purpose, you must make this clear, and get consent each time. If consent is given, you must then make a record of when consent was given, and always make it easy for the data subject to unsubscribe or opt out at any time.

The ‘right to be forgotten’ is another salient feature of GDPR. This will give individuals the right to ask companies to erase their data at any time. This follows a key aim of GDPR: to give individuals more control over how their personal data is used and for how long it can be used.


  • ‘Legitimate interest’
    The concept of legitimate interest and what it will mean in practice is nebulous at best. The GDPR states that the ‘processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’. This doesn’t mean that marketers don’t need to obtain consent, it means there may be a ‘legal basis for processing’ personal data in certain circumstances.

For legitimate interest to be a justifiable defence, the interests of the company cannot outweigh the fundamental freedoms and privacy rights of an individual (the data subject). There could be legitimate interest if, for example, there already exists a relationship between the data controller and the data subject, ‘such as where the data subject is a client or in the service of the controller’ or ‘for the purposes of preventing fraud’. But the data controller must be able to prove legitimate interest.


  • GDPR and email marketing
    You will need to ‘repermission’ everyone on your current email contacts list. This means sending an email to each contact giving them the option to opt in. If a contact opts in (by ticking a box), only then will you be able to send them email marketing. You will need to be specific and unequivocally state what will happen with their personal data, and for purposes of accountability, you must make a record of when the customer opted in. Again, you must always make it easy for contacts to unsubscribe/opt out.

Our advice? Start getting consent from email marketing contacts now. Don’t wait for the deadline to come. This will almost certainly result in the shrinking in size of your email marketing contacts database, but why does that matter? Those who remain on the list will have chosen to be there, which means you can expect a greater level of engagement when you market to them.


  • GDPR and remarketing
    Remarketing allows you to display ads to people who have visited your website. It does this by placing a cookie into the visitor’s browser. Marketers will need to make it clear to visitors that they may use cookie data for this purpose, and state this clearly within the privacy policy. The visitor then has the option to give consent or not. The same is true for Facebook remarketing. You must ask users to opt in and show them clearly how to opt out.


  • GDPR and Google Analytics
    Some cookies simply exist to enable certain functionalities within the website to enhance user experience. These cookies have nothing to do with marketing, so we don’t believe this type of cookie is relevant to GDPR. GDPR rules only apply if a cookie is being used for marketing purposes, and marketers will need to get consent from the website visitor in the usual way.

Google Analytics uses cookies to track website visitor activity. This data is then used to inform marketing strategies. With the use of Google AdWords as well as Google Analytics, a marketing company is not responsible for what Google does with the data, but the onus is on marketers to make website visitors aware of the use of cookies, stating clearly what they will be used for. If a visitor agrees to the use of cookies for marketing purposes and tracking tools and actively opts in, then consent has been given.


  • GDPR: a reason to panic or be positive?
    Even though the UK intends to break away from the EU, GDPR will remain relevant for any companies which do business with customers based in the EU. Failure to comply may result in heavy fines. Fines may amount to 4% of global annual turnover or €20 million, or €10 million or 2% of global annual turnover, whichever is greater. Such a fine could drive some marketing companies out of business altogether, but it’s important not to succumb to scaremongering. Companies will face a warning first and be instructed to make changes to the way in which they collect and process personal data. A fine is a last resort.

Marketers can look with a positive eye on GDPR. Though a certain amount of disruption is inevitable, poor quality contact data is, generally speaking, an annoyance for marketers. The inclusion of poor quality data in any digital marketing campaign can negatively affect lead generation results, open rates and click-through-rates.


  • New data protection laws are timely
    An upgrade of UK data protection laws is long overdue. So instead of viewing GDPR as an inconvenient, disruptive or draconian development, it’s in the best interests of all marketing companies to make the necessary changes (how consumer data is collected and processed, how data is managed etc) and embrace them.


It should be the nature of marketing companies to continually strive to be ahead of the curve, to be energised and pioneering, and to be an advocate for the lawful gathering and processing of personal data. If every marketing company adopts the same enterprising approach to achieving full compliance with the new standards set by the GDPR, then they can expect to shine.


Tags: , , ,


  • This form collects and stores the information provided by you, so that we can contact you about your requirements. Please read our privacy policy for full information on how we manage and protect your submitted data.
  • This field is for validation purposes and should be left unchanged.