eBook GDPR: How marketers can seize the opportunity


On May 25th 2018 the General Data Protection Regulation (GDPR) becomes legally binding. Organizations holding EU citizens’ personal data will face fines of up to 4% of global revenue or €20m for a breach in security or for being found guilty of using that data beyond the remit of the stricter new rules.

The new law means companies will have to, in most marketing cases, seek the explicit consent of individuals to store and use their personal data. 

They must also do all they can to keep it stored safely for an appropriate amount of time.

The new law builds on the Data Protection Act, 1998. The definition of personal data has been widened from emails, postal addresses and telephone numbers to include social tags, such as Twitter or Facebook usernames. Also, parental consent is stipulated as mandatory to store and use personal data for under 16s (the age limit can go as low as under 13s in some EU countries).

The new law is a challenge but it is also an opportunity to rebuild relationships with consumers based on informed consent. This will help marketers become more effective and build better performing, personalized campaigns based on a qualified and improved understanding of customer data.


Implications for marketers

Legal basis

There is a very clear, very simple outcome of GDPR. Lazily blasting out messages to all and sundry regardless of whether they are interested in hearing from you will be officially over.

Under GDPR every marketer will need to be able to justify why they are holding each piece of personal information and the legal basis on which it is being used for marketing.

It is no longer going to be acceptable to operate in the grey areas of adding email addresses on business cards to b2b lists or confusing opt-out clauses in poorly worded sign-up boxes. The same goes for all those postal addresses, telephone numbers and social ID tags which have been amassed over the years through competitions, polls and perhaps interactions with your brand through a website or mobile app.

Under GDPR, marketers need to be operating under a firm legal basis. This will ultimately come down to a choice between justifying marketing lists as either legitimate interest or consent.

Under legitimate interest, marketers will need to show that a group of consumers and prospects have been happily receiving and interacting with their company’s marketing messages over a period of time. Customers who have neither gone for the ‘unsubscribe’ option nor ignored messages, but instead interacted with a company’s campaigns, could be seen as demonstrably interested in what the company has to say. 

Under consent, marketers will need to be able to prove that a person has given their fully-informed approval to have their personal information stored and used for marketing. This needs to be opt-in because GDPR is the official end of pre-ticked boxes and relying on opt-out to keep list numbers high.

Informed consent needs to be made by the consumer through a clear mark, such as ticking a blank box or moving an on-screen slider. It must also be clear what the person is giving permission for (a newsletter, telephone contact, direct mail) and it must be freely given. In other words, you cannot make signing up to a newsletter a precondition of fulfilling an order. Ultimately, the major implication for marketers is GDPR will cause their lists to shrink. That will not just be email lists but also those used for telemarketing, direct mail and SMS.

There are also huge implications for lead generation and third party lists, just in case marketers are thinking this will be a way of overcoming having fewer consumers and prospects to talk to. Any organization working with a third party to gather contact details for future communications is going to have to make sure such lists are GDPR compliant. Time will tell, but buying in personal data of any kind is going to become far more risky to a company’s brand image because it relies on that third party list provider, rather than the organization itself, to have ensured lists are fully compliant.


Individual rights

Individual rights are strengthened by GDPR. Any person has the right to ask a company what data they hold on them and request that it be erased. Alternatively, they can ask for it to be corrected, if they feel a mistake has been made. Organizations will need to be able to deal with such requests in an efficient and timely manner and can be reassured that people who persistently ask for checks on information can be asked to pay for further searches.

For marketers this means departments must be ready to respond to questions over what personal data they hold on an individual and be able to delete or correct it if required.

Profiling and automated decisions

There are also knock-on impacts on profiling and automated decisions. The wording of the GDPR is still being interpreted into guidance by the Information Commissioner’s Office, so there is no official ruling on what is allowed and what is not.

However, the legislation does make it clear that citizens can request not to have their personal data used for automated profiling. So, departments that are trying to make assumptions about consumers and fit them into particular segments will need to ensure they have permission to do so, if it is done automatically. Manual profiling is not explicitly referenced in the GDPR’s wording.

Similarly, if decision-making is automated, consumers will have the right to question the outcome and ask how it was reached. So, marketers will need to be able to access personal information that might be used in making automated decisions about customers’ suitability for their products and services, and flag up what impact it had on a decision.

All in all, marketers are going to have to get better at finding data held on customers in case they are called on to delete or correct it and also to explain what part it had in decision making.

This requirement will mean marketing has to forge a relationship with their organization’s Data Protection Officer, or whoever has been put in charge of ensuring the business is GDPR compliant. Large companies and public bodies are required to appoint a Data Protection Officer but, whatever an organization’s size, it is useful to have someone in that role to coordinate compliance efforts and to be a point of contact with the Information Commissioner’s Office (ICO). 



Security and data breaches

The other huge impact for marketing might appear to be an IT security issue but, actually, the huge penalties for security and data breaches could have a serious impact on brand image and favorability. One need only think of cases such as TalkTalk’s hacking scandal, to get an idea of how badly a brand name will be affected by making the headlines for what will undoubtedly be a record fine.

To date, the ICO has taken an understanding approach to breaches that were reported as early as possible. However, with more at stake under GDPR, many predict that it won’t be as lenient in the future. The maximum penalty under GDPR is €20m or 4% of global revenue. Brands on the receiving end of any new massive fine will find the impact is far more than financial.


What can marketers do to prepare?

Data Maps

Data Maps are hugely important and are a good reason to have somebody in charge of GDPR compliance, whether or not their official job title is Data Protection Officer.

The top priority is to discover what personal information is held by different parts of the organization and under which level of permission. 

Marketers are going to have to look high and low here. It will not just be a variety of email marketing lists; any sets of data with personal information will need to be identified. It could be postal addresses provided by sales contacts, telephone numbers from competition entries and online enquiry forms, addresses from competition entries or social ID tags and emails provided through online polls. Wherever personal information is stored, it needs to be mapped out with the Data Protection Officer, just like any other part of the business.


The acid test with all this data is simple – can marketers prove that informed consent has been given for that personal information to be stored and used for marketing? If companies have been opt-in for a long time and have asked permission to use their personal data to stay in touch, then there may not be an issue. 


However, if this cannot be proven, the next test is whether each person represents a legitimate interest. Even if they cannot be proven to have given explicit consent to contact, if a person has been responsive to marketing campaigns and has continued to be a customer, then it is possible to say they represent a legitimate interest who has not chosen to ‘unsubscribe’ from your marketing lists.

For those who do not appear to fit in either camp (they did not give consent and have been unresponsive), the challenge is to regain permission to stay in touch. This repermissioning can take several forms but typically a brand might wish to simply ask if that person wants to keep on hearing from them via email, telephone or SMS (whichever is applicable, maybe all three). So long as the future relationship is clearly outlined, then clicking on a ‘yes’ would constitute consent. Those who do not click or just ignore the messages need to be deleted before GDPR comes into effect.

It is hard to see how future marketing lists of new customers and prospects could be put together with anything other than consent. So it is good advice to immediately update the corporate privacy policy and, particularly for marketing, ensure that your sign-up consent forms are compliant. Just be honest about why you want that person’s email, postal address and perhaps their telephone numbers and leave a ‘yes’ box unticked and you are on the right path. 

CRM tools are the key here to ensure repermissioning goes smoothly and that new sign-ups and those signing up again can be clearly demonstrated to have given an affirmative mark.


Better relationships the GDPR way

No industry is ever going to instantly respond favorably to a new set of regulations. It is natural that any new laws will be at first viewed as an extra compliance hurdle.

However, there is a positive side. Improved regulation which offers more control to consumers over who can contact them and for what purpose can only lead to better relationships with customers.

GDPR is an opportunity to reset relationships based on freely-given, informed consent and can only result in improved trust between a marketing department and its prospects and customers. 

At the moment, consumers have to navigate complicated statements where one box may assume they are opted in and another that they are opted out, until they opt in. It really can be that confusing! If they fail to read the small print correctly, and second guess its intent, consumers find they are inadvertently signed up for communications they have little or no interest in.

Also, mapping the personal data a company holds within its database means organizations have a greater feeling of control over their data. Once it has been mapped, accounted for and better organized, it can be put to better use in devising more attractive, personalized messages for consumers.

Five marketing tricks that GDPR will kill off:

  1. Conference goldfish bowls for business cards will not be usable for building lists.
  2. Assumed opt-in will be gone forever: no more pre-ticked boxes.
  3. No more complicated double negatives in rambling consent statements.
  4. Long T&C lists written in legal jargon will need simple clarification.
  5. The end of third-party mass-database emailing services: if you want to send marketing emails, you will need to use first-party data.



The future of marketing under GDPR

Responsive marketing

Responsive marketing is the end-game marketers will have in sight. As they get better at mapping and responding to the data that an organization receives, they will get insight from a better qualified core of customers and prospects. This will allow a company to make swifter, better informed decisions that can keep up to date with changes in market conditions and customer tastes.

With the siloes of data gone, insight will no longer be hidden across various data sets spread through various departments or in folders belonging to different campaigns. 

It may not be a process all marketers would willingly begin without being legally required to. However, once data is organized and made compliant, it will allow an organization to go forwards with a smarter and more focused data set that has broken free of siloes and been whittled down to what the company needs. The result opens up the possibility of a single view of customers that can lead to deeper insights and move marketers closer to the nirvana of one-to-one conversations.

Better metrics

Better metrics are one of the many advantages marketers will enjoy in the near future, once GDPR comes into place.

Over the years, lists of personal data will have been built up but not always under the new stricter rule of informed consent. That means most companies will currently have many people they think want to hear from them who, if truth be told, are not really all that bothered. Taking away people who have been added under less stringent rules will shorten lists but it will ultimately improve engagement. 

If you take away people who routinely ignore marketing campaigns you are left with a better qualified group and so open rates and click through rates will improve. This is a firm basis to build lists up, concentrating on the keen, not just those who have somehow ended up on a list.

Lifeboat charity the RNLI is a good case in point. It revealed at last year’s Festival of Marketing in London that its early work in reaffirming permission to stay in contact with supporters showed it was retaining older customers but losing millennials. The take-away was clear: to future-proof the charity, it had to redouble efforts to appeal to a younger audience.


Communications will become more relevant 

Communications will become more relevant because the deeper the trust between consumer and marketer the better able a company becomes in tailoring messages to individual customers, or at least highly defined segments. 

Data deletions 

Data deletions arising from customers asking to be removed from lists or simply not taking up the opportunity to reaffirm their permission to be contacted will help businesses focus. There may be a particular type of person whom an organization has failed to engage properly in recent years and repermissioning will bring this to the fore.

Automation and personalization 

Automation and personalization are buzz words in marketing but without the best customer profile data, they simply cannot work. To run campaigns that pick out people in a certain area or fit a demographic profile, an organization needs to have earned trust to gather that data and the permission to act on it.

Combined with tools to track where customers and prospects are in the pipeline of research, awareness, favorability, purchase and, hopefully, endorsement, the marketing suite will have a firm basis to run automated, personalized campaigns which tap into triggered events and timed reminders.

The work put into organizing data and keeping it compliant, and the trust that affords a brand, makes all this possible. Trying to achieve personalization and any degree of automation without first taking these steps to improve data and base campaigns around permission is likely to frustrate and alienate customers, rather than make them feel a brand understands their needs.


Call to Action – The 10 Point To-Do List

  1. Give ownership of GDPR to an executive, perhaps a Data Control Officer.
  2. Map personal data across the organization, break down the siloes.
  3. Understand permission levels for use of personal data.
  4. If data is based on consent which cannot be proven, seek repermission.
  5. Invest in tools to help repermissioning which also prove consent.
  6. Tighten IT security, train staff to be vigilant.
  7. Ensure your tools will reveal if a breach has occurred.
  8. Develop the ability to tell people what data you have stored for them.
  9. Ensure personal data, used on a consent basis, can be erased or corrected.
  10. Develop closer engagement with consumers which leads to personalization and improved ROI on marketing budget.


Conclusion — new rules, a new opportunity to lead

Organizations are transitioning from being in denial over GDPR, to finding it arduous, before now actually realizing it is a great opportunity to improve customer relationships and differentiate their brands around respect and trust. 

However, earlier this year, the Direct Marketers’ Association (DMA) found that a quarter of marketers felt their organizations were unprepared for the new law. Nearly a third believed they would not be ready in time for May 2018’s deadline.

Those who do not prepare are risking fines and brand damage through being seen to have disregarded new rules offering consumers greater protection. They also miss out on the opportunity to tear down siloes and make sure their organization has a single view of the customer that is based on mutual respect and trust, as demonstrated through informed consent. 

GDPR should be seen as part of a journey towards the best possible solution to marketing automation and personalization. By establishing a more trusting, consensual relationship with consumers and improving their view of customers, marketers are tooling up for a far brighter future.

