GDPR for marketing

The impending GDPR changes, to be implemented in May 2018, look set to change the way we conduct marketing activities across the UK. The announcement of the changes has reverberated across marketing departments, agencies and independent marketers, with many confused about what the changes are, how they will affect them and the core ways in which they need to change their ways of working.

Preparation for the new GDPR changes is key. Without your staff and management effectively clued up on how to operate and perform marketing activities, post-May 2018, your company could face a hefty fine. We’ve already seen intense preparations beginning in large UK businesses, with companies such as Lloyds Banking Group investing a considerable amount of time and money into producing rejuvenated CRM strategies.

The three core areas of concern for marketers, in brief, include:

  • Opt-ins, opt-outs and consent

  • A customer’s right to be forgotten

  • Legalities of processing personal data

Marketing departments and agencies are entrusted with a whole host of personal data, meaning that, almost certainly, their day-to-day tasks will be affected by the changes brought about by GDPR. Failing to comply will not only risk losing current and potential customers but also incur a hefty fine to boot. To avoid negative experiences with customers and charges, businesses must ensure that their employees are trained and educated to the highest degree, to ensure compliance. Through exploring the three core areas for marketers, we will aim to better educate our customers and those working in marketing across the UK.


Opt-ins and Opt-outs

In the UK, almost everyone is aware of how to leave or join a mailing list. Many of us unsubscribe regularly whilst simultaneously subscribing to alternative mail sources, often across a whole host of services, from FMCG brands, retail, fashion and travel. Up until the introduction of the new regulations, users were often finding themselves bombarded with news and updates from companies that they are no longer interested in or services they no longer use.

The opt-in and opt-out changes will mean that customers will need to opt in to direct marketing materials that target them either at home or in the office via electronic message. This could prove to be troublesome for many businesses that rely heavily on email blasts to instigate purchasing decisions regularly. It also requires businesses to regularly reassess how they will ensure compliance going forward.

In simplest terms, customers should now have to explicitly ‘opt-in’ to receiving information (e.g. direct mail) and for their data to be stored and used. No longer will pre-ticked boxes of any kind (opt in or opt out) be recommended or relied upon to determine consent. Businesses will also have to show how and when this has been done, with documented information prepared and ready for auditing.

Customer consent

As mentioned previously, under the GDPR, consent must be ‘freely given, specific, informed and unambiguous’, which is the essence of the policy, and must in addition be given ‘with a clear affirmative action’. Therefore, unlike in previous times, silence, pre-ticked boxes, and inactivity do not equate to customer consent.

This brings us back to the argument that the customer must clearly and willingly surrender their data, whilst being fully aware of how it will be used and how to opt out at any point. The current conversation echoing across both the EU and the UK is as to whether or not the action of a customer ‘opting out’ is really customer consent. Consequently, GDPR changes have resulted in the upcoming ‘opt-in’ instead. Because customers can be easily confused or not fully aware of their actions, due to misleading wording or small tick boxes, lots of information can continue to be stored and used without the customer’s knowledge. Consequently, when a customer chooses to ‘opt-in’, the new regulation will require companies to give full information and transparency as to how their information will be used.

Further to this, the new policy will require businesses to research, organise and closely monitor existing information the company already holds and also that of customers that do ‘opt out’. No longer will it be presumed that data can be kept ‘on file’ even if the customer has opted out in the first instance.

The potential benefits to EU marketers

On a more positive note, ‘Smart Insights’ suggest that the effect of customers actually ‘opting in’ could mean that marketing activity could have a much more enhanced effect, as customers should in effect only receive ‘adverts’ that are really relevant to them. In turn, this could also mean that advertising and marketing agencies and departments are able to better spend their budgets, saving vast amounts of cash, to drive more specific customer campaigns.

The effects on customers and customer loyalty, whilst finding alternative ways to target them, will ultimately need to be built into future business plans. This not only will help ensure financial protection from fines, but also minimise any confusion for customers, which can ultimately result in loss of custom.

One key thing to think about is how the ‘opt-in’ and additional information is displayed and communicated to customers. ‘Smart Insights’ have said the display of such information needs to be engaging and clear whilst remaining simplified.

Legalities of processing personal data

The legalities of processing data are just as important as the previous two elements of GDPR that we’ve discussed. This covers how companies treat the personal information of their customers and stakeholders and how they keep this protected.

In order to comply with these new regulations, companies must alter how they collect and store personal data, following these rules more closely to ensure compliance. They must consider all legalities when it comes to managing and processing data, to ensure that their customers’ data is kept safe and in specific types of databases, following the guidelines provided by the governing body.

Following the systems set out in the new GDPR regulations, all customers and stakeholders must willingly offer their consent before any data can be collected and managed. Following this, the data must be kept in a safe database that is not accessible to any other business.

Companies must also be conscious of a customer’s right to opt out at any point, ensuring that they comply with this request immediately to remain compliant. This falls into the previous area of the GDPR legislation that sets out a customer’s right to be forgotten or have their data erased from a system.

It’s all about transparency

Although some of the GDPR wording may be vague, it’s important to remember that the core of the changes reflects transparency from within a business. Customers should have complete control over their data. It is also crucial for businesses to inform consumers of how their data is being used, for what purposes and for what length of time.

Companies must also provide a reason behind their data collection, alongside the amount of time that they intend to keep and store this data. This information should be easily accessible and available to their customers, for them to obtain with little confusion or trepidation.

Finally, companies must ensure that they follow through with what they have promised. This means that if a consumer allows a company to send them particular offers via email, it does not instantly entitle the data holder to share their information with third parties, for them to do the same. To do this, companies must obtain explicit consent from the customer in which they are completely aware of how and where their data will be used.


This is the process of data masking that is suggested as a way for companies to manage their customer data. By keeping a customer’s full name away from their data and using a coding system instead that assigns each customer a random word or name, they can better protect personal data.

This could require businesses to store their data across two separate databases that can be used alongside one another. However, they must exist in isolation to ensure that data breaches are less likely and less damaging. GDPR may also prompt sites that haven’t already done so to convert to an HTTPS site, with an SSL certificate, which will ensure better encryption of data. Finally, files should be equipped with file keys or codes that are required to access them.
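The two-database arrangement described above, as an added example that is not part of the original article. The table names, column names and customer values are constructed for illustration, and two in-memory SQLite databases stand in for two isolated stores.

```python
import secrets
import sqlite3

# Assumption: in production these would be separate servers with
# separate credentials; two in-memory databases model that split here.
identity_db = sqlite3.connect(":memory:")
marketing_db = sqlite3.connect(":memory:")
identity_db.execute(
    "CREATE TABLE identity (code TEXT PRIMARY KEY, full_name TEXT, email TEXT)")
marketing_db.execute(
    "CREATE TABLE profile (code TEXT PRIMARY KEY, segment TEXT, last_purchase TEXT)")


def enrol(full_name, email, segment, last_purchase):
    """Store identifying and marketing fields apart, linked by a random code."""
    code = secrets.token_hex(16)  # random, so it reveals nothing about the person
    identity_db.execute(
        "INSERT INTO identity VALUES (?, ?, ?)", (code, full_name, email))
    marketing_db.execute(
        "INSERT INTO profile VALUES (?, ?, ?)", (code, segment, last_purchase))
    return code


def marketing_rows():
    """Everything visible to someone who can read only the marketing store."""
    return marketing_db.execute(
        "SELECT code, segment, last_purchase FROM profile").fetchall()


def resolve(code):
    """Re-identifying a customer needs access to the identity store as well."""
    return identity_db.execute(
        "SELECT full_name, email FROM identity WHERE code = ?", (code,)).fetchone()


def forget(code):
    """Erase the customer from both stores; returns the number of rows deleted."""
    deleted = identity_db.execute(
        "DELETE FROM identity WHERE code = ?", (code,)).rowcount
    deleted += marketing_db.execute(
        "DELETE FROM profile WHERE code = ?", (code,)).rowcount
    return deleted


if __name__ == "__main__":
    c = enrol("Alex Example", "alex@example.com", "travel", "2018-03-02")  # constructed
    print(marketing_rows())   # code and marketing fields only, no name or email
    print(resolve(c))         # name and email come from the other database
    print(forget(c), marketing_rows())
```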

A customer’s right to be forgotten

Overall, GDPR legislation changes are being brought into place in order to protect customer and business data. It also aims to support customers in accessing their data, without the need to pay for the privilege of finding out what information a company holds about them.

Once the changes commence, the customer’s right to be forgotten must be at the forefront of your business’s GDPR plan. This crucial marketing and business practice means that a customer, at any point, can request the removal of their data on your systems, known as opting out. Customers must also be able to remove their data with ease and without the requirement of long-winded and complex processes.

Companies will no longer be able to make presumptions about customer information usage, with heavy fines implemented on those that fail to comply. Companies who fail to manage data correctly or do not comply with a customer’s request to remove data will face being slapped with a hefty bill. These errors can be avoided by making sure that regular data audits are carried out internally to ensure that data is being managed in line with the new legal requirements.

This differs from previous methods, where many companies would store customer details even after they had opted out of marketing or future communications. These details would be sold or shared with third parties, with little or no repercussions. This led to customer dissatisfaction and irritation, unwelcome correspondence and, ultimately, a misuse of personal data. However, this did not come with any penalties. GDPR is likely to be welcomed by many customers, with the expectation of less spam and better management of their details.

The majority of companies have already begun laying down plans to strategically manage their data and remain compliant with the new GDPR regulations. The implementation of new internal frameworks has required their staff to begin working with the new regulations now, so as to be compliant well ahead of the changes. All companies that collect and manage data need to be aware of how GDPR will affect them. It is also recommended that larger companies appoint a compliance manager who will ensure that regular reviews are undertaken and who can be held accountable for the management of these new changes.

Database construction and management

Once a customer has given permission for their data to be kept, the database also needs to record when the individual gave permission and what they agreed to. This may be the details of what they were told or shown when they signed up. The management must also determine what will happen once an individual opts out, and the process that will ensure that their data is removed and that they cease to receive any further correspondence. This could include a ‘do not contact’ database during the remaining time that the company holds the data.
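One way to structure the consent record described above, as an added example that is not part of the original article. The schema, purpose names and sample addresses are constructed; opt-out events in the append-only log double as the ‘do not contact’ record.

```python
import sqlite3
from datetime import datetime, timezone

db = sqlite3.connect(":memory:")
db.execute("""
CREATE TABLE consent_event (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    email TEXT NOT NULL,
    purpose TEXT NOT NULL,        -- consent is specific: one purpose per row
    action TEXT NOT NULL CHECK (action IN ('opt_in', 'opt_out')),
    recorded_at TEXT NOT NULL,    -- UTC timestamp, ISO 8601
    wording_shown TEXT NOT NULL,  -- the text the customer saw when choosing
    source TEXT NOT NULL          -- form or channel that captured the choice
)""")


def record(email, purpose, action, wording_shown, source, when=None):
    """Append a consent event; earlier rows are never changed (audit trail)."""
    when = when or datetime.now(timezone.utc).isoformat()
    db.execute(
        "INSERT INTO consent_event"
        " (email, purpose, action, recorded_at, wording_shown, source)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (email, purpose, action, when, wording_shown, source))


def may_contact(email, purpose):
    """Only a most-recent opt-in counts; no record at all means no consent."""
    row = db.execute(
        "SELECT action FROM consent_event WHERE email = ? AND purpose = ?"
        " ORDER BY id DESC LIMIT 1", (email, purpose)).fetchone()
    return row is not None and row[0] == "opt_in"


def send_list(candidates, purpose):
    """Filter a campaign list down to addresses with current consent."""
    return [e for e in candidates if may_contact(e, purpose)]


def evidence(email, purpose):
    """What an auditor would ask for: each choice, when, and what was shown."""
    return db.execute(
        "SELECT action, recorded_at, wording_shown, source FROM consent_event"
        " WHERE email = ? AND purpose = ? ORDER BY id", (email, purpose)).fetchall()
```

Consent for one purpose (here a hypothetical `email_offers`) does not carry over to another such as third-party sharing, because `may_contact` looks up each purpose separately.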

Google Analytics

One key element that must not be overlooked is the use of Google Analytics. Often used to track traffic, demographics of users, bounce rate and further website data, this will now need to be more heavily regulated. With the storage of an individual’s IP address now falling within the scope of protected data, this information must also be handled more carefully. Companies must ensure that they explicitly detail how this will be stored and used within their privacy policies, which must also be easily accessible to customers when required.

If you would like to know more about GDPR or have any questions about the effect this will have on direct marketing, please contact Absolute DM today!
