The marketer’s introduction to GDPR and the Data Protection Bill

The digital era has revolutionized the way brands communicate with their customers and clients. In today’s digital and data-driven world, the smartest brands have been able to take a laser-focused approach to their marketing, cutting through the noise and personalizing their messaging and communication to their customers. By delivering the right message, at the right time, they ensure they speak to the customer on their terms, relevant to their location, preferences and needs.

Underpinning most successful campaigns is data, along with the ability to dynamically act upon that data. However, with the changes coming in May 2018, marketers may have to go back to the drawing board with their data policies and, consequently, their digital marketing strategies.

This is the first blog in our series on all things GDPR and what you need to know as a marketer.

What is GDPR?

The specter of GDPR has been on the horizon for a while, but it came to the fore at the beginning of August 2017 with the government’s announcement of the Data Protection Bill 2017. This is a like-for-like replacement of GDPR that will come into force when Britain leaves the EU. If you’re in marketing and missed the news, you need to get up to speed. And quickly.

The General Data Protection Regulation (GDPR) has been written into law by the European Union and is designed to bring data protection law into the modern era of smartphones, web tracking software and unprecedented volumes of personal data. It sets out to improve the rights of consumers, giving them more control over the data that a business has gathered about them.

Once in play, any organization globally, from a multi-national brand to a small business, that holds data on any resident of the EU must comply with rules on collecting, processing, securing and using personal data. Failure to comply will see brands facing potentially crippling fines.

This has huge ramifications for many businesses, and marketing departments need to act.

When does it come into force?

GDPR was initially adopted as an EU law back in April 2016, but in a move designed to allow businesses time to prepare, it doesn’t come into effect until 25th May 2018. All businesses must be compliant by this date.

How does GDPR change the current regime?

Currently, businesses in the UK must comply with the 1998 Data Protection Act (DPA), which was enacted following the 1995 EU Data Protection Directive. GDPR will supersede the DPA to create more consistent protection of consumer and personal data across all EU countries.

In essence, GDPR deals with three things: the personal data you collect, how you tell people about it, and what you actually do with it.

Although the DPA shares broadly the same underlying principles, GDPR crucially introduces several demanding new requirements for organizations handling EU citizens’ data. Meeting them is likely to require new policies, new business processes and, in some cases, entirely new or updated technology.

There are five main differences between the outgoing DPA and GDPR. These are:

  • Fines: Businesses can currently be fined up to £500,000 for ‘serious breaches’. Under GDPR, this will increase to €20m or 4% of annual global turnover (whichever is higher).
  • Being accountable: GDPR focusses more on accountability. It will require organizations to demonstrate compliance through a series of actions, including the implementation of ‘appropriate technical and organizational measures’. Documentation recording the actions taken to ensure compliance (i.e. an ‘audit trail’) will also need to be created and kept.
  • Reporting a breach: Under the DPA, organizations did not need to report data breaches. GDPR requires organizations to report breaches to the ‘supervisory authority’ at the earliest opportunity and no later than 72 hours after becoming aware of a breach. Organizations will also have to notify the individuals affected if their data has been put at risk.
  • The right to be forgotten: This right is already established under the DPA, but GDPR provides consumers with more power over their personal details. They can request deletion or removal of personal data. The power can be applied to both back-up and archived data, as well as to information shared with third parties. Those third parties will also need to erase links to, or copies of, that information.
  • Right to portability: Data portability is a new requirement. Consumers will be able to obtain their personal data and re-use it for the first time, and organizations will have to provide the data within a month of receiving a request.

Other key privacy and data protection requirements of GDPR include:

  • Requiring the consent of data subjects for data processing, which is especially important for marketers to consider.
  • Anonymizing collected data to protect privacy.
  • Safely handling the transfer of data across member country borders.
  • The appointment of a data protection officer to oversee GDPR compliance.

In our next blog, we will drill further into potential implications of GDPR for you as a marketer.

Please contact us if you would like more information on GDPR and how SmartFocus can help you in the new era of digital customer communications.
