What does GDPR Mean for Digital Marketing

At the end of May 2018, the General Data Protection Regulation (GDPR) was passed. This legislation affects businesses ranging from marketing to banking and medicine that rely on personal data. In short, this regulation changed the way we share our data. The policy labels information that relates to people’s private, public and professional life as personal data. 

Personal information is gathered at an alarming rate: the pictures you upload to social media, the calls you make and the websites you visit are cataloged and leave a digital footprint. This footprint has become a valued asset.  

The Economist refers to personal information as “the world’s most valuable resource”. It’s more coveted than gold or oil because our digital footprints influence how businesses interact with customers. It’s also crucial in providing a pleasant customer experience.

And since personal information is valuable, it is liable to misuse or outright theft. Consumers want to be sure that their data is securely stored, and won’t be used improperly. A study carried out by Truste/NCSA reports that 92% of online customers worry about the privacy and security of their data. What should concern brands is that 57% of consumers don’t think that businesses handle their data properly.

Most shocking, however, is that 90% of companies consider deleting consumer data to be too taxing. And 60% of companies claim that they haven’t implemented measures to delete customer data.

The rift in approach to how consumer data should be handled by businesses was one of the catalysts for the introduction of GDPR.

GDPR empowers consumers by giving them more control over how their personal information is collected and used. This means that marketers need to have clear permission to use data within the borders of the European Union. The legislation is pushing companies to find new ways to do business while taking into account personal information.  

The regulation was drafted because the EU wants to safeguard its citizens’ privacy from the threat of rapid technological advancement that places users’ data at risk. Brussels wants to rebuild trust between consumers and tech companies that has been shaken by the latter’s disregard for people’s privacy. Just think of all the trouble Facebook kept getting into for inappropriately handling their users’ data. The EU also stipulated punitive measures for companies who ignore the legislation.

GDPR presents an unprecedented challenge to marketers, with over 40% claiming to not fully comprehend the legislation and ways to protect customers’ information. Therefore, a law that addressed these issues was long overdue and was finally introduced in 2018 to ensure that companies were treating their customers responsibly.

In this post we will look at GDPR in greater detail and the reasons the legislation was introduced. Then, we look at how to avoid being fined for failing to comply with legislation by learning from mistakes made by brands that have already been penalized. Finally, we will include several useful tips that will help your business be GDPR compliant. 

General Data Protection Regulation (GDPR)

This digital regulation forces companies to make privacy settings the default in their digital tools, such as websites and apps. Also, brands are required to carry out privacy assessments, find explicit ways to secure permission to use consumer information, and provide a record of how they use data. Businesses are expected to continually work on how they report data breaches.

There is no way that companies can choose not to comply with GDPR – it’s the law. Therefore, failure to comply will result in heavy fines that can total up to 20 million Euros or 4% of a company’s global turnover.  

Just ask British Airways or Marriott International if GDPR is something to take lightly. British Airways could pay a fine of 200 million Euros after it was revealed that customer data was stolen from their website. The hackers collected the names, email addresses and credit card information of BA customers. If this fine is imposed, then it would represent 1.5% of the company’s global turnover.  

Marriott International is on the hook for almost 100 million Euros for a data breach that occurred between 2014 and 2018. An investigation concluded that Marriott didn’t implement adequate security measures to protect their customers’ personal information.

The EU is not afraid to go after major companies who don’t comply with GDPR.  

GDPR Replaces Outdated Legislation

Companies misusing customer data is nothing new: it’s been going on for years. So why did the EU decide to wait so long to pass GDPR? 

The primary reason for passing the GDPR now is that the former data privacy regulation used by the EU was outdated. Embarrassingly outdated. The previous legislation was based on documents drafted in 1980 and amended in 1995!  

Therefore, the previous policy didn’t cover social media, new web technology, or smartphones. However, most damning of all is that the regulations were only a directive, which allowed businesses to ignore them. 

What Does GDPR Mean for Digital Marketing?

Digital marketers might feel overwhelmed, even terrified of failing to comply with GDPR. However, the good news is that there are only 3 main fields digital marketers need to focus on: data permission, data access and data focus. 

GDPR and marketing
Image Source: SuperOffice

Data Permission

This refers to the way marketers handle email opt-ins. GDPR stipulates that you can’t take it as a given that people want to hear from your business. From now on, consumers need to give marketers explicit permission in a “freely given, specific, informed and unambiguous” manner.  

This is a mouthful. How does one obtain such consent?  

You must have physical proof that your lead, prospect or customer agrees to have contact from your business. Be sure that you’ve clearly asked for permission to contact your target audience instead of only assuming that they wish to hear from you.  

This means that you can’t assume that people who fill out a web form wish to have promotional emails from your brand sent to their inbox. Instead, your web forms must have a clearly designated box that needs to be ticked. This way you know that they are interested in receiving emails from you.  

A graphic example comparing a non-compliant webform on the left, and a GDPR compliant version on the right.
Image Source: 1WL

There is one exception: a refer-a-friend program. These schemes work when a prospect or existing client provides their friend’s email address to claim an offer, like a discount. An email that is sent to the friend from the company is only a notification and not “promotional” in nature.

This means that the data is not stored by the company, and the program complies with GDPR. The key point here is that no marketing communication can be made without explicit consent. 

Data Access

Another important feature of GDPR is the right to be forgotten. It outlines the process which allows consumers to have their personal information completely erased. Companies like Google have already complied with this part of GDPR by removing some pages from its SERP.  

Complying with this feature of GDPR is not difficult for digital marketers. You simply need to come up with a seamless way for your prospects/customers to access their data and prohibit its use. 

This can be as simple as adding an unsubscribe link on your newsletter or promotional email. Or you can provide a link to the customer’s profile which lets them adjust their email settings: 

Subscription management settings in line with GDPR compliance
Image Source: SuperOffice

Pretty simple, right? 

Collect Only the Data You Need

Many marketers get carried away with the amount of data they gather on their customers. GDPR stipulates that you must explain why you collected and processed the personal information. Therefore, only focus on the data that is absolutely necessary and nothing more. If you want to know whether your visitor went on a holiday last summer, then you’ll need to prove why you need that sort of information. If it’s only a “good to know” type of information, then don’t request it.

Typically, B2B marketers only need the name, address and maybe the name of the company where the person works. Asking for more personal information is overkill.  

Who Needs to Be Careful in Digital Marketing?

There are 2 key roles in digital marketing that will need to adjust the way they do business in order to comply with new regulations. 

Email Marketing Specialists

An email address is the necessary piece of personal information of any successful lead generation campaign or sales process.  

Since GDPR prevents businesses from sending unsolicited emails to leads/prospects/customers, many companies will have to find different ways of reaching out to potential clients. 

Email marketing campaigns that used lists of addresses scraped off websites are now a thing of the past. Email marketers can’t automatically add people to their email list and then give them the option to opt out. GDPR compliant email marketing campaigns need to have express consent from consumers before brands can contact them. For example, a visitor to your website might give their email address in order to read more content. As long as the visitor understands that they will be contacted by the company, everything is above board.

Marketing Automation Specialists

While marketing automation is an extremely powerful tool, marketing automation specialists will need to be careful that email addresses in their CRM database are accurate and that people who have unsubscribed from the email list don’t receive them. 

Therefore, if a person unsubscribes from an automated email process, email marketing specialists need to make sure that additional emails are not sent. 

There’s Nothing to Worry About

All these new changes may be overwhelming at first glance, but digital marketers really have nothing to worry about. The outrageous penalties are frightening, and you might think that you need a whole new marketing strategy.  

But actually, all that GDPR does is push marketers to target people who have an interest in your brand and wish to be contacted. 

Think about it. Since you need unambiguous consent to use someone’s personal information, your potential customers can request to see what sort of information your business has and what you’ve done with it.

By asking for consent, customers have a wide array of options to choose from and see what piques their interest. It also helps businesses better understand the needs of each individual, allowing you to tailor your marketing campaign according to their interests instead of relying on a generic campaign. 

Transparency is Good for Business

We want to do business with companies that we trust. A surefire way to build trust is through transparency. If your business can convince consumers that their personal data is used responsibly and is stored safely, then you will earn their trust. Transparency shows that you see consumers as more than just a potential sale. As a result, your business relationship with consumers will grow.

Ways to be GDPR Compliant

The first and most important thing you should do is review your mailing list. If you can’t find evidence of someone agreeing to be on your email list, delete them. Also, send an automated email to new subscribers notifying them of their opt-in.  

Next, a good way to acquire email addresses from prospects is by implementing a content marketing strategy. Create high-quality tutorials, eBooks and white papers that you can offer prospects for their email address or other contact information.  

Also, engage prospects on social media instead of getting in touch with them by email. Your sales team should share valuable content and respond to any questions and comments prospects might have about your brand. 

Finally, use push notifications, which can show up on various devices. They are a great way to reach out to your subscribers. Note that push notifications don’t actually process personal data and people must give consent in order to get notifications.


GDPR doesn’t present operational uncertainty for digital marketers. It isn’t meant to prevent businesses from reaching out to prospects or communicating with their existing customers. Rather, GDPR will push marketers to get a more insightful understanding of the needs of their potential customers. This may require more work, but marketers will only engage interested individuals, and consumers will have a streamlined buying experience. 

It’s not difficult for digital marketers to comply with GDPR. Only reach out to individuals who have expressed interest in being contacted by you. Do not send content that they didn’t request and forget about cold contacting prospects. If you stick to these principles, then your business will be GDPR compliant.