GDPR: What you need to know

GDPR: What you need to know

Next year the new General Data Protection Regulation (GDPR) will come into effect on May 25th 2018. With new definitions and requirements that have been labelled as draconian by some, a year isn’t much time for companies to get compliant. Even more worrying, many still aren’t fully aware of the GDPR or how best to tackle the changes, particularly regarding the potential effects on digital marketing.

What is the GDPR

Any organisation that handles or processes personal data from EU residents will be required to meet a wide range of new regulations, many of them much stricter than those in the previous Data Protection Act (DPA). Additionally, as the GDPR aims to protect all individuals in the EU, UK businesses shouldn’t expect a last minute save by Brexit. Businesses in the UK that offer goods or services to those in the EU, as the majority do, will still need to be compliant. The UK government has confirmed that Brexit will not affect the commencement of GDPR.

The key principles of the GDPR are similar the DPA and aim to ensure data is processed lawfully and with legitimate purposes, is transparent to consumers and is kept securely. The key difference with the GDPR is the aim that data protection should be by design and by default, not as an afterthought. This has resulted in clearer definitions and more stringent regulations, most notably with new accountability regulations that require organisations to keep full records of data processing activities and to show their systems comply with the GDPR when necessary.

Digital marketers & businesses alike will be impacted by the new regulation, as GDPR takes a stricter stance on all aspects of personal data and how this is handled.  Important measures for the new world of digital marketing have also been introduced, many of which the DPA could not have foreseen or accounted for.

GDPR regulations will cover the collection and processing of personal data, which is any data that can be used to identify individuals.

GDPR and digital marketing

If you’ve only just heard about GDPR or are still unsure about how it might affect your marketing activities it might not be time to start worrying just yet. Many of the regulations that concern digital marketers shouldn’t be too much of a problem and are in line with many current best practices. Customer focused marketers should already be compliant or are already on their way to meeting the consumer-focused GDPR standards. We’ve selected the key points from the new regulations that will impact digital marketers so you can check where you might be missing out.


How marketers gain consent is the biggest highlight from the GDPR and is one of the most important for many digital marketers. At present, most companies that collect and process data as part of their marketing activities do so on the lawful basis of consent. However, under GDPR if you’re not complying with the new regulations that define consent you’re putting your legitimate right to process data, and your digital marketing activities, at risk. So, what is now considered appropriate consent?

It should be completely clear that the consent has been given according to the individual’s wishes, such as with hard or double opt-ins. Pre-ticked boxes or accepting silence as consent by asking individuals to tick a box to not agree isn’t acceptable. The new regulations clearly favour hard consent methods, such as double opt-ins that ask customers to click an email link to confirm they wish to be on the list. If previous consent received under the DPA or the EC Data Protection Directive meets the current GDPR requirements then fresh consent is not required.

Domino's are just one of many companies that still use a soft opt-in and take silence as a sign of opt in, asking people to instead check the box if they don't wish to have opt in.

While many marketers have long understood the value of customer data collected from double opt-ins, even some of the biggest brands in the business are still using softer consent methods. Brands like Dominos continue to take silent consent even though click-through rates can improve 15% to 35% with a double opt-in scheme. Not only will a quality email list improve engagement rates, you’ll also be able to able to use superior insights from an audience made up of your ideal customer for optimised campaigns.

As well as improving your email marketing, insights and communications, double opt-ins help protect your list from bad email addresses and malicious email floods from competitors that may negatively impact your sender reputation. If the fear of GDPR isn’t enough to sway your opinion, maybe the prospect of getting more value from your data will be.

Right to be informed

The GDPR further insists that all individuals have a right to be fully aware and informed about data processing. While many companies provide privacy notices explaining when and how they process, use and store personal data, they can often be hard to find or difficult to understand. Whether companies have been intentionally obscure with their information or simply haven’t spent the time to assess the clarity of their communication, the GDPR wants customers to be able to make more informed decisions and have more control over their personal data. Here’s what the GDPR say about supplying processing information:

  • The information you supply about the processing of personal data must be: concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

While providing accessible and understandable processing information shouldn’t be difficult, many of the guidelines for this part of the GDPR are still arguably ambiguous. For example, while UX best practices tell us that the navigation at the top of the page is the most accessible place to users, privacy notices and other additional company information is usually relegated to sitelinks at the bottom of the page. These are still accessible to users and many know to find additional information there, but if not everyone knows or thinks to look there, is it being obscured from them?

Everyone has the right to know why and how their data is processed and stored under the new GDPR regulations.

Similarly, there will no doubt be many interpretations as to what constitutes ‘clear and plain language’ that is intelligible to everyone across age and education. Companies may choose to target their content to their understanding of their own customer demographics but be at the risk of excluding some key but smaller customer groups, or simply excluding potential ones not accounted for by known demographics.

We recommend keeping it as simple as possible to avoid falling into grey area traps. Make the information accessible in your main navigation if it fits under a current parent category and display a clear link and some simple introductory text at any point you collect email addresses or other personal data, including in any sidebars. Have friends and family from a range of age groups and backgrounds read the information and provide feedback on any confusing areas you may have missed.

Right to object, access and erasure

The right to erasure is also known as the right to be forgotten, but does not provide individuals an absolute ‘right to be forgotten’. Unlike the DPA, the right to erasure isn’t limited to processing that causes damage or stress to the individual and controllers are responsible for informing any third parties about erasure requests. There are various instances where this might apply.

  • The data is no longer necessary for the purpose it was originally collected for.
  • The individual withdraws their consent.
  • The individual objects to the processing and there is no overriding legitimate basis.
  • The data collection or process was in breach of the GDPR.
  • There is a legal obligation that requires the data to be erased.

Similarly, all individuals have a right to object to the use of their personal data and the right to access it at any point.

For digital marketers, this might mean loosening the reins on current processing methods to avoid unexpected problems later. While it doesn’t strictly break the regulations, obliging new customers to create an account to purchase could interfere with their right to object. Customers who do have their personal data processed in this way may later feel they have a right to erasure based on ambiguous processing.

You may also need to rethink your entire data processing and storing systems, as information will need to be more easily accessible and easy to erase. As with your customers right to be informed, explaining their rights and your subsequent responsibility to them could save you a GDPR headache later. For example, if your unsubscribe button simply removes the customer data from your mailing list rather than erasing the data completely, this should be explained to avoid problems later.

Profiling, behaviour tracking and direct marketing

For direct marketing, the same regulations from the DPA also apply concerning the right to object. Any individual has the right to object to direct marketing, including profiling. Cookies and behaviour tracking now also fall under the GDRP, as IP addresses are considered personal data. When cookies are used to uniquely identify the device or can be used in conjunction with other data to identify an individual, then this is considered personal data. This is true even in the case that pseudonymous identifiers are used.

Cookies are now considered part of personal data as IP addresses and other tracking information can be used either individually or in combination with other data to identify individuals according to the GDPR.

For behaviour tracking, in particular, digital marketers will now need to create new systems and account for a process that has previously had no definitive governance, ensuring that data is collected in a way that can be easily organised and accessed at any time. Consent for cookies will see the biggest change, as the new understanding of cookies as personal data will obligate marketers to gain consent in line with the GDPR’s stricter definition. Automatic tracking and cookie pop-ups as we know it will have to make room for a hard opt-in solution, disabling any tracking until the individual clearly opt-ins. This could additionally see changes to browser settings, enabling users to control their cookie settings on a site by site basis.

A new system

While digital marketers that already adhere to best practices and consider data security at every point of collection and processing have a head start on preparing for GDPR, there is still plenty for everyone to consider. The emphasis on accountability means marketers and business are both responsible for maintaining compliance; many should expect to rethink their whole processing system, ensuring every step has a customer first approach that clearly reflects the values of the GDPR.

The ICO will continue to issue guidance on GDPR as the regulation is laid out, so make sure to check back if you have any questions or queries. To discover more on digital marketing best practices and how to stay compliant contact one of our team today.