The General Data Protection Regulation (GDPR) is effective from 25 May 2018. Now is the time to get up to speed with what GDPR means for marketers and to learn how you can make sure that both you and your business are compliant by the deadline. With businesses facing big potential fines of £20M or 4% of turnover, compliance with the 2018 General Data Protection Regulation (GDPR) is an important issue for your company. In particular, the legislation will change a number of aspects of digital marketing compliance. These include:
  • the definition and implementation of opting in and consent
  • transparency about the use of cookies in activities like remarketing
  • what your privacy policy needs to cover and how it should be written
  • keeping a record of how you got the data, where from and how long you are keeping it for
While the impact on digital marketing is huge, we believe it also presents opportunities for marketers and their businesses. This post offers insight into how the regulation will impact marketers and, in particular, the work of digital marketers. To ensure full compliance, we advise you to seek legal advice and take the time to conduct some further reading on the subject yourself.


The General Data Protection Regulation (GDPR) changes the way data is captured, used and managed, for all individuals in the EU. The purpose is to give all individuals increased control over how their personal data is captured and used.


25th May 2018. This is the final deadline, and there is no transitional or grace period after this date.


The regulation affects everyone resident in the EU, but there are some specific points that Marketers and Digital Marketers should be aware of. Any organisation that holds, collects or uses customer data for their marketing or business communications will need to review their processes and ensure they are compliant by the deadline.


The fines for non-compliance are up to €20 million or 4% of your global turnover, whichever is greater.


Due to the nature of digital marketing, there are many areas that will be affected by the GDPR changes and should be taken into consideration, to ensure that you comply.

Email Marketing

Offering website visitors something in return for opting in can be an effective way to build your database. This can be a whitepaper or a piece of content, for example. However, under GDPR, opting in must be an optional tick box, otherwise the consent is not freely given. Things to cover in a re-engagement email:
  1. How you got their personal details
  2. Why you are contacting them
  3. What sort of content you will send them in the future if they opt in
  4. How they can update their communication preferences and opt out


This works by using cookies to track your activity online. You will specifically need to outline in your privacy policy that cookies are being used.

Website Forms

Forms must no longer include pre-ticked boxes, as a pre-ticked box assumes consent, and implied consent is not freely given. Offering downloadable content on your website is an effective way of collecting data to use in future campaigns. The ‘thank you for downloading’ completion pages are a good place to gain consent. A simple click-through call to action to ‘opt in’ would work well here.

Social Media Advertising

If you are planning to use email addresses to build lists for social media targeting, then you will also need to tell users about this. They will need to opt in and also be offered the option to opt out. You will need to obtain consent for the data used on social platforms, and the social platforms are then also responsible for the safety of that data.


Under the 2011 Privacy and Electronics Communication Regulation, it became law to advertise the use of cookies and to require their acceptance. The use of cookies, and what the information collected will be used for, should be outlined in your privacy policy. Users can also opt out of cookie tracking in their browser’s privacy settings.

IP Tracking

There are many software providers that will give you a tracking code to embed on your site, and they can provide you with identifiable details of your visitors. This is different to the anonymous data that can be found in Google Analytics. You will need to make sure that any IP tracking you do is also stated in your privacy policy, as IP addresses are classed as ‘personal data’.

Privacy Policy

Your privacy information must be: ‘concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge.’ The ICO provides some information on what should be included in a privacy policy and this can be viewed here. Check your existing privacy policy (if you already have one). The key point is that the language used is simple and easy to understand; jargon is not acceptable.


Consent is not Forever

Under GDPR, consent from an initial campaign does not mean you have consent to email the customer about all further marketing activity. You must get explicit opt-in to continue marketing to your database.

Implied Consent

A pre-ticked opt-in box is not acceptable. The individual must freely and willingly opt in to receive further information.

Using Bought Data

Consent must be gained from the individuals on the list of bought data within a reasonable time frame or on the first correspondence. Even if the third party has gained consent, that does not mean that you are covered.


More Quality, Less Quantity

The potential results from your marketing campaigns will be much more relevant, as those individuals have specifically opted in and will be more engaged with your content. This should deliver higher click-through and engagement rates, which is a good thing. Preparing for and adhering to GDPR regulations means you finally have to ensure your data is up to date.


  1. Think about your ‘opt in’ campaign and how you can gain consent
  2. Review your current data and whether or not you would be able to show where consent was gained for these contacts if you were asked
  3. Revisit your privacy policy and make sure that it is easy to read and covers all relevant areas
  4. Update all the forms on your website so that they are in line with the regulations, e.g. no pre-ticked boxes
  5. Store information on how consent was gathered using your CRM
  6. Decide how you are going to offer individuals the chance to view, update and remove the data which you hold about them.
  7. Decide on how long consent is valid for in terms of your business and also a process for gaining consent after this time elapses
  8. Think about marketing methods alternative to email.

Further information

If you are unsure about anything relating to GDPR and your business, we advise that you seek some independent legal advice.

Online resources

The ICO has compiled the below documents:
  • 12 steps to take to prepare for the GDPR
  • An overview of the GDPR
