GDPR for Marketing: The Definitive Guide for 2018

Post summary:

  • How does GDPR impact marketing?
  • Seven practical tips on GDPR for marketing
  • Why GDPR is a golden opportunity for marketing teams

In today’s connected world, personal data is being collected at an incredible rate.

The websites you use, the calls you make, the places you visit and even the photos you take are all recorded, measured and leave a digital footprint – a footprint that is fast becoming a prized resource.

In May 2017, The Economist called personal data “the world’s most valuable resource”, ahead of oil, because of how much it now informs the way companies communicate with their customers and how it positively impacts customer experience.

However, because personal data is so valuable, it’s vulnerable to theft or misuse and this has led to consumers demanding to know how companies use and store their personal data. This is because, overall, consumers are not convinced companies are doing enough to protect them.

A 2016 Consumer Privacy study by TRUSTe/NCSA found that 92% of online customers cite data security and privacy as a concern. While, according to a report published by the Chartered Institute of Marketing, 57% of consumers don’t trust brands to use their data responsibly.

Another concern is that Symantec’s State of European Privacy Report found that 90% of businesses believe it’s too difficult to delete customer data and that 60% (!) do not have the systems in place to help them do so.

Clearly, there’s a significant disconnect between consumers, their personal data and how the companies that collect it use it.

Challenges organizations face if customers ask to have their data modified or deleted

It’s even more concerning when it comes to GDPR for marketing, as 41% of marketers admit to not fully understanding both the law and best practice around the use of consumers’ personal data.

That’s right!

The people that use customer data the most don’t fully understand how they should use it.

It’s clear that something needs to be done to regulate the management of personal data, to protect consumer interests and police the companies that collect, store and use the data.

This is why in 2018, the European Union is introducing GDPR – a new set of laws designed to safeguard personal data and inform the decisions of marketers in all member states.

What is GDPR?

The General Data Protection Regulation (GDPR) is a new digital privacy regulation being introduced on 25 May 2018. It standardizes a wide range of different privacy legislation across the EU into one central set of regulations that will protect users in all member states.

Put simply, this means companies will now be required to build privacy settings into their digital products and websites – and have them switched on by default. Companies also need to regularly conduct privacy impact assessments, strengthen the way they seek permission to use the data, document the ways they use personal data and improve the way they communicate data breaches.

And, because it’s a regulation and not a directive, it is legally binding – meaning it cannot be opted out of, or ignored. In fact, failing to comply could lead to fines of up to €20 million or 4% of your global turnover!

So, it’s fair to say that the EU is taking this extremely seriously.

Why introduce GDPR now?

GDPR is ‘the most far-reaching change to data protection in a generation’ and is a dramatic shift in the way the EU wants personal data to be managed.

The EU’s new approach to online privacy puts individuals first, believing they should be protected and empowered, rather than exploited or ignored.

This new approach to data protection is the EU’s way of keeping companies big and small more accountable for their actions. EU regulators believe that companies have been exploiting personal data for their own gain and aren’t being transparent about how they were using it. GDPR has been designed to end all that and put the power back in the hands of the consumer.

But, why introduce it now?

The main reason for introducing this now is because the current EU data privacy regulations are still based on a document that was first adopted in 1980 (later updated in 1995).

This means that the data privacy principles the EU works on are outdated and don’t include considerations for social media, smartphones, or even advanced web technology (e.g. Artificial Intelligence, Virtual Reality, etc.).

Plus, the current regulation is only a directive, so companies (and countries) could easily opt-out.

From 25 May 2018, this will no longer be the case.

While consistency in data privacy regulations across Europe should be good news for all marketers, GDPR also comes with quite a few challenges that impact marketing teams – especially marketing teams that communicate to customers based in the EU.

How does GDPR impact marketing?

On the surface, GDPR might seem extreme, especially for smaller businesses or solo-practitioners. Realistically though, there are only 3 key areas that marketers need to worry about – data permission, data access and data focus.

Let’s take a look at each of these individually.

GDPR and marketing

1. Data Permission

Data permission is about how you manage email opt-ins – people who request to receive promotional material from you. You can’t assume that they want to be contacted. In the future, they need to express consent in a ‘freely given, specific, informed, and unambiguous’ way, which is reinforced by a ‘clear affirmative action’.

Wait, what does that mean?

In practice, this means that leads, customers, partners, etc. need to physically confirm that they want to be contacted. You need to make sure you’ve actively sought (and not assumed) permission from your prospects and customers, confirming they want to be contacted. Therefore, a pre-ticked box that automatically opts them in won’t cut it anymore – opt-ins need to be a deliberate choice.

For example, instead of assuming that visitors who fill out a web form want to receive marketing emails from SuperOffice (left), we now ask visitors to specifically opt-in to newsletters by ticking the sign up box (right).

GDPR compliant forms on website

2. Data Access

The right to be forgotten has become one of the most talked about rulings in the history of the European Court of Justice. It gives people the right to have outdated or inaccurate personal data removed and has, in some instances, already been implemented by companies like Google, which was forced to remove pages from its search engine results in order to comply.

The introduction of the GDPR offers individuals a method to gain more control over how their data is collected and used – including the ability to access or remove it – in line with their right to be forgotten.

As a marketer, it will be your responsibility to make sure that your users can easily access their data and remove consent for its use.

Practically speaking, this can be as straightforward as including an unsubscribe link within your email marketing template and linking to a user profile that allows users to manage their email preferences (as shown in the example below from Twitter).

Email preference settings from Twitter

3. Data Focus

As marketers, we can all be guilty of collecting a little more data from a person than we actually need. Ask yourself, do I really need to know someone’s favorite movie before they can subscribe to our newsletter?

Probably not.

With this in mind, GDPR requires you to legally justify the processing of the personal data you collect.

Don’t worry; this is not as scary as it sounds.

What this means is that you need to focus on the data you need, and stop asking for the “nice to haves”. If you really need to know a visitor’s shoe size and inside leg measurement, and can prove why you need it, then you can continue asking for it. Otherwise, avoid collecting any unnecessary data and stick with the basics.

The cost of failing to comply

The deadline for GDPR in May 2018 isn’t that far away and many businesses have already switched into “panic mode” to make sure they’re compliant way ahead of time. The trouble with this is that this leads to mistakes. And these mistakes can be costly.

Especially as the Information Commissioner’s Office (ICO) starts to clamp down even harder on the misuse of personal data.

In fact, the ICO has already reported two incidents that involve household brand names who tried to use well-known email activation strategies to reach out to their database. The campaigns, which were sent out by Flybe and Honda, asked customers if they wanted to be contacted by email.

How did they contact their customers, you might ask?

Well, they contacted them by email – even those that had previously opted out.

And this is a serious breach of compliance.

Flybe fined £70,000

In August 2016, Flybe sent an email to 3.3 million people in their database with the subject line “Are your details correct?”

It sounds like a smart strategy in theory, but unfortunately, these 3.3 million people had previously opted out of (unsubscribed from) marketing emails and thereby gave no consent to be contacted.

Flybe fined for not being GDPR compliant

The result? A fine of £70,000.

Key takeaway: If your customers have opted out of marketing emails, don’t email them – it’s as simple as that. You are breaking the law if you do.

Honda Motor Europe fined £13,000

In a separate incident, Honda Motor Europe sent an email to 289,790 subscribers between May and August 2016 asking their database “would you like to hear from Honda?”.

This email was sent in order to clarify how many of the 289,000 subscribers would like to receive marketing emails going forward. But, once again, this email was sent to individuals who had specifically opted out.

This mistake earned Honda a £13,000 fine as a result.

Key takeaway: If you do not have explicit consent to email your customers, then don’t email them! Even asking for consent is classed as marketing and is in breach of the upcoming GDPR regulations.

These two examples should act as a clear warning sign to businesses – both big and small – to make sure you’re doing things right ahead of May 2018.

Who is affected most by GDPR in marketing?

If you have customers, then everyone inside your company will be affected by GDPR. But, in the marketing department, there are three roles that will see the biggest change in their everyday work.

Let’s take a closer look at who this affects and how.

1. Email marketing managers

For B2B marketers, email addresses are the lifeblood of lead generation programs.

Often considered the start of the sales process, a user who willingly gives you their email address in exchange for more information, such as signing up to your mailing list or downloading a piece of content, is known as an “opt in”.

This is in stark contrast to firms that buy email lists or scrape (or copy) them from a website. Under the new GDPR regulation, buying lists (or scraping them) will be strictly forbidden.

Ensuring users opt-in to your B2B email marketing campaigns and give consent to be contacted will be a requirement, rather than automatically adding them to your email list and then waiting for them to opt out. While this is best practice today, it will be an EU law in 2018.

2. Marketing automation specialists

Marketing automation can be an extremely powerful tool.

But, it can also land you in trouble with GDPR if not set up correctly.

If your marketing automation system sends out emails on behalf of your CRM system, then you could be facing eye-watering penalties from the ICO if an email is sent automatically to someone who has opted out.

You need to make sure that every name in your CRM database and every email in your automation system belongs to someone who has given you permission to market to them. And, if someone opts out of an automated email sequence, both systems must be updated so that no further emails are sent. And no, having the next email already scheduled is not a valid excuse.

3. Public relations execs

Pitching new product releases or company information to journalists is no different than marketing to an employee of a business. While it’s possible that the liability for this consent will lie with media databases such as PRweb and MyNewsDesk, journalists will still have to give consent to be contacted by you instead of the traditional email outreach program.

This consent could be given through platforms like HARO, where journalists are asking you to contact them, or through requests made on social media platforms. So if you’re not on those platforms yet, now is the time to sign up!

Of course, if a journalist reaches out to you directly, they’ve expressed interest in talking to you.

GDPR is a golden opportunity for marketers

At this stage, you’re probably thinking that the way you do business will never be the same again.

But, there’s no real need to worry.

Sure, GDPR does sound intimidating and the fines issued by the ICO are enough to make you rethink your entire marketing strategy. But, in reality, this new legislation isn’t a set-back. In fact, it’s a great opportunity for you to do what marketers do best – that is create targeted marketing campaigns with people that are engaged with your brand.

Here’s why:

1. Gaining Consent

With GDPR, you need explicit consent to use an individual’s data. Your customers can also ask you exactly what information you have on them, who it is shared with and the purpose it has been used for.

The opportunity here lies in the fact that instead of a simple yes or no option when asking customers about data, you can now provide them with a range of options so that they can find out what they’re interested in. Through consent, you can gain insight into each individual’s interests to provide them with information that they want to receive.

This not only helps to be compliant with GDPR, but it also helps you further segment your customers and focus your communication based on specific interests, rather than sending a “one size fits all” email campaign.

2. Right to be Forgotten

Under GDPR, every individual has what’s called the “right to be forgotten”.

If requested by a customer, your business will need to remove all data you hold on that specific individual, across the whole organization. If you keep data in different places for different purposes, then this can cause issues.

The solution to this is to have a single platform that hosts the consent record of every single user. Having a single platform, like a CRM system, will help you keep track of all your permissions data and ensure you’re GDPR compliant.

The advantage of having a single platform is that it gives your customers the opportunity to switch consent on and off, for different purposes. This, in turn, gives you the opportunity to learn more about your customers and target them with more specific or relevant campaigns.
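The single consent platform described above, as an added example in Python that is not SuperOffice's code or any particular CRM's: a small in-memory consent ledger keyed by normalised email address, holding a per-purpose history of opt-in and opt-out events, which both the CRM and the automation system are meant to consult before any send (the two-system problem from the marketing automation section). The purpose names, the source labels and the sample records are constructed for the example; export and forget stand in for a subject access request and an erasure request.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional


def normalise(email: str) -> str:
    # One key per person: letter case and surrounding whitespace must not
    # split a subject's consent history across two records.
    return email.strip().lower()


@dataclass
class ConsentEvent:
    purpose: str      # e.g. "newsletter", "product-news" (hypothetical names)
    granted: bool     # True = opt-in, False = opt-out
    source: str       # where the choice was captured, kept as evidence
    at: datetime


@dataclass
class ConsentRecord:
    email: str
    events: List[ConsentEvent] = field(default_factory=list)

    def current(self, purpose: str) -> bool:
        # The most recent event for a purpose wins; silence is not consent.
        for ev in reversed(self.events):
            if ev.purpose == purpose:
                return ev.granted
        return False

    def purposes(self) -> Dict[str, bool]:
        # Per-purpose switches, as a preference centre would display them.
        return {p: self.current(p) for p in {ev.purpose for ev in self.events}}


class ConsentLedger:
    """Single source of truth for consent, shared by the CRM and automation."""

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def record(self, email: str, purpose: str, granted: bool, source: str,
               at: Optional[datetime] = None) -> None:
        key = normalise(email)
        rec = self._records.setdefault(key, ConsentRecord(email=key))
        rec.events.append(ConsentEvent(purpose, granted, source,
                                       at or datetime.now(timezone.utc)))

    def may_send(self, email: str, purpose: str) -> bool:
        # Every sending system calls this; an unknown address is never sendable.
        rec = self._records.get(normalise(email))
        return rec is not None and rec.current(purpose)

    def filter_recipients(self, emails: Iterable[str], purpose: str) -> List[str]:
        # Suppress a whole campaign list against the ledger before sending.
        return [e for e in emails if self.may_send(e, purpose)]

    def export(self, email: str) -> Optional[dict]:
        # Subject access: what we hold, per purpose, with the full history.
        rec = self._records.get(normalise(email))
        if rec is None:
            return None
        return {
            "email": rec.email,
            "purposes": rec.purposes(),
            "history": [{"purpose": ev.purpose, "granted": ev.granted,
                         "source": ev.source, "at": ev.at.isoformat()}
                        for ev in rec.events],
        }

    def forget(self, email: str) -> bool:
        # Erasure removes the record itself, not just a flag on it.
        return self._records.pop(normalise(email), None) is not None


def build_demo_ledger() -> ConsentLedger:
    # Constructed sample data: Alice opted in to two purposes and later
    # switched one off; Bob was imported then unsubscribed; Carol is unknown.
    t = datetime(2017, 9, 8, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record("Alice@Example.com", "newsletter", True, "web-form", t)
    ledger.record("alice@example.com", "product-news", True, "web-form", t)
    ledger.record("alice@example.com", "product-news", False, "preference-centre", t)
    ledger.record("bob@example.com", "newsletter", True, "imported-list", t)
    ledger.record("bob@example.com", "newsletter", False, "unsubscribe-link", t)
    return ledger


if __name__ == "__main__":
    ledger = build_demo_ledger()
    audience = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print(ledger.filter_recipients(audience, "newsletter"))   # ['alice@example.com']
    print(ledger.export("alice@example.com")["purposes"])
    ledger.forget("alice@example.com")
    print(ledger.may_send("alice@example.com", "newsletter"))  # False
```

Two design points carry the compliance weight: an address with no recorded opt-in is never sendable, so a freshly imported list yields no recipients until consent events exist, and erasure deletes the record rather than marking it. A production ledger would also need a way to stop an erased address from being silently re-imported from another list (commonly a salted hash kept as a suppression entry), which this example leaves out.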

3. Transparency

People do business with other people (or organizations) that they know, like, and trust. Building trust comes through projecting transparency. You have to be upfront and honest about who you are and what you’re doing.

A study by Harris Interactive found that 93% of online shoppers cite the security of their personal data as a concern. You can overcome these concerns by being transparent with data. You need to demonstrate that an individual’s data is being treated with respect and held securely. If you can do that and show that you have your customer’s best interests at heart, then you will strengthen both trust and engagement with your customers.

7 practical tips on GDPR for marketing

In January 2017, Osterman Research, Inc. published a paper and found that 73% of businesses are not ready to satisfy the compliance obligations of the GDPR, while a 2016 study by Symantec found that 23% of businesses feel they will only be partly compliant by the May 2018 deadline.

The good news is that there are some things that you can start doing right now to make sure your business is GDPR compliant ahead of May 2018.

Here are seven practical tips that you can get started with right now:

  • Start auditing your mailing list now. According to a new study by W8 data, up to 75% of marketing databases will become obsolete by 25th May, 2018 and only 25% of existing customer data meets GDPR requirements. Therefore, remove anyone where you do not have a record of their opt-in. For new subscribers, make sure that the potential subscriber confirms that he or she wants to join your mailing list by sending an automated email to confirm the subscription.
  • Review the way you’re currently collecting personal data. Are you still buying mailing lists? If so, now might be the time to start fresh with a new mailing list. While that might be a terrifying prospect for some, you’re then guaranteed a list of engaged and interested readers.
  • Do you create content that is tailored to your potential customers? Invest in a content marketing strategy by creating white papers, guides and eBooks that visitors can access and download in exchange for them sharing their contact information.
  • Invite visitors to add themselves to your mailing list by launching a pop up on your website. You can keep your mailing list neatly segmented by creating specific pop ups for product news, blog posts and general company news. Just remember to link to your privacy policy though, to ensure compliance – like we do at the bottom of our website pop ups.

GDPR compliant website pop up

  • Educate your sales team about social selling techniques. Essentially, sales reps should connect with prospects on social media and share relevant content – rather than trying to reach new prospects by email.
  • The time for using Google docs or Excel spreadsheets to store customer data is over. Start centralizing your personal data collection into a CRM system. And make sure your users can access their data, review its proposed usage, and make any changes as necessary.
  • Understand the data you’re collecting in more detail. Is it all necessary, or are there elements that you can do without? When it comes to sign up forms, only ask for what you need, and what you will use. For B2B marketers, full name, email address and company name is usually more than enough.
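The confirmation email in the first tip is a double opt-in: the address only joins the list once the person uses a link that proves they control the mailbox. The example below is added here and is not SuperOffice's code; it assumes an HMAC-signed link token so that a confirmation cannot be forged or replayed after it expires, and the confirmed set it builds is exactly the opt-in record the audit in the same tip asks you to check against. The signing key, the 48-hour window and the addresses are constructed for the example.

```python
import base64
import hashlib
import hmac
import time
from typing import List, Optional, Set, Tuple

CONFIRM_TTL_SECONDS = 48 * 60 * 60   # assumed window for using the link


def _normalise(email: str) -> str:
    return email.strip().lower()


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_confirmation_token(email: str, purpose: str, key: bytes,
                             issued_at: Optional[int] = None) -> str:
    """Build the signed token that goes into the confirmation link."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = f"{_normalise(email)}|{purpose}|{issued_at}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64encode(payload) + "." + _b64encode(sig)


def verify_confirmation_token(token: str, key: bytes, now: Optional[int] = None,
                              ttl: int = CONFIRM_TTL_SECONDS) -> Optional[Tuple[str, str]]:
    """Return (email, purpose) if the token is genuine and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _b64decode(payload_b64), _b64decode(sig_b64)
        # rsplit keeps any '|' that might legitimately appear in the address
        email, purpose, issued = payload.decode().rsplit("|", 2)
        issued_at = int(issued)
    except ValueError:            # malformed base64, bad split, non-integer time
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    if now < issued_at or now - issued_at > ttl:
        return None
    return email, purpose


class DoubleOptIn:
    """Addresses count as subscribed only after the signed link is used."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.confirmed: Set[Tuple[str, str]] = set()

    def request(self, email: str, purpose: str, now: Optional[int] = None) -> str:
        # Nothing is stored as consent yet; the token is emailed to the address.
        return issue_confirmation_token(email, purpose, self._key, now)

    def confirm(self, token: str, now: Optional[int] = None) -> bool:
        claim = verify_confirmation_token(token, self._key, now)
        if claim is None:
            return False
        self.confirmed.add(claim)
        return True

    def audit(self, emails: List[str], purpose: str) -> List[str]:
        # Keep only addresses with a confirmed opt-in record for this purpose;
        # everything else should be removed from the list.
        return [e for e in emails if (_normalise(e), purpose) in self.confirmed]


if __name__ == "__main__":
    doi = DoubleOptIn(b"constructed-demo-key-not-for-production")
    link_token = doi.request("Ann@Example.com", "newsletter")
    print(doi.audit(["ann@example.com"], "newsletter"))   # [] until confirmed
    print(doi.confirm(link_token))                          # True
    print(doi.audit(["ann@example.com"], "newsletter"))   # ['ann@example.com']
```

The token carries the address and purpose in the clear and relies on the HMAC, not secrecy, for integrity, so the same check works whether the link is opened from the email or pasted into a browser later; anything altered, signed with a different key, or older than the window is rejected before any record is written.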


The months leading up to May 2018 are set to be challenging for businesses across Europe and beyond. GDPR is a big change to the way in which companies operating in EU countries handle personal data, with fines of up to €20 million if you fail to comply. That’s why it’s important for you to seek advice from a lawyer as to what is or is not a legal requirement for your business.

Remember, GDPR isn’t designed to stop businesses from communicating with their customers. GDPR will lead to an increase in data quality, which is why the best and most resourceful marketers are seeing the bigger picture in that it’s an opportunity to delve deeper into the needs of their prospects and customers, rather than using the traditional “one-size-fits-all” approach to marketing.

That being said, the rules for GDPR compliance are quite simple – don’t contact someone unless they specifically ask to be. Don’t assume they want to hear from you. Don’t cold contact them, and don’t send them irrelevant information that they didn’t request.

If you can do all that, then you’re taking a huge step towards being GDPR compliant.

Is your marketing team ready for GDPR?


Disclaimer: The content in this blog post is not to be considered legal advice and should be used for information purposes only.


About Steven MacDonald

Steven Macdonald is an online marketer based in Tallinn, Estonia. Steven has more than ten years’ experience in the online marketing field and is driven by creating success stories. You can connect with Steven on LinkedIn and Twitter.


Darren Revell

about 4 months ago

Amazing read Steven, thanks for your hard work. I work with recruiters and there seems a theory that you must by the 25th of May next year re-ask the people you hold data on for a new GDPR compliant permission to market to them. By way of an example a 5 year old recruitment firm might have 30,000 candidates in its CRM, 80% of it maybe for candidates they did not place, but held onto the data as they may suit future jobs. Is there anything you can share on that?


Steven MacDonald

about 4 months ago

Hi Darren. Thanks for the comment and I appreciate the kind words. This is a great question! Personally, I would only store candidates that I have consent from. This way, you can be 100% confident of being GDPR compliant.


Simon Neal

about 4 months ago

Really interesting and eye opening read. Implications are potentially huge, especially with the much spoken about UK ICO "Public know your rights" campaign!


Steven MacDonald

about 4 months ago

Completely agree, Simon!


Kevin Nightingale

about 4 months ago

Hi Steven, I'm updating sign-up forms on my company site and found your article really helpful. Thanks!


Steven MacDonald

about 4 months ago

Thanks, Kevin! This is exactly why I wanted to share this new post - to provide helpful tips to marketers working with GDPR.



about 3 months ago

Hi! What about advertising? Especially about remarketing campaigns? And one more question - this great article was posted 8 September, 2017. But comments - "about 1 month ago"??


Steven MacDonald

about 3 months ago

Great question, Roman! GDPR shouldn't impact marketing retargeting campaigns, as these campaigns are retargeting to anonymous visitors. As for the date, we continue to update this article based on new information that is published on the GDPR. Hence comments from the past.


Will Broadfoot

about 2 months ago

Hi - interesting article but doesn't address the B2B marketing world, where the key consideration is 'legitimate interest' rather than expressed opt-in. Would be nice to see a follow-up on this? Cheers


Steven MacDonald

about 2 months ago

Great comment, Will. I'll get right on it!



about 4 weeks ago

Great read, Steven! As we are moving to a world of positive opt ins, if our current consent process and audit trails originate from automatic opt in (tick boxes to opt out), would we then have to re-permission all of these records or can we still use that original consent?


Steven MacDonald

about 4 weeks ago

Thank you, Ash! At SuperOffice, we're going to use original consent and not re-permission. However, just as with anything GDPR related, I do recommend you seek legal advice on how you communicate to your opt-in list, just to be sure.



about 3 weeks ago

This may sound a daft question but if you have been using a database that contains opt outs - is it okay to mail those that haven't specifically opted out to ask them if they are happy to hear from you? Also existing customers who have signed a joining form that expresses we will be contacting them with relevant information (some signed it many many years ago) - does that allow us to continue to contact as it is a membership agreement or do we need to go back to all customers (i.e. members) to ask for permission? Many thanks


Steven MacDonald

about 3 weeks ago

Hi Sian, there's no such thing as a daft question when it comes to GDPR. My comments below. 1. As long as a subscriber has not officially opted out, it should be OK to send an email asking if they are happy to continue hearing from you. 2. For customers, you have every right to contact them. However, you should also allow them to choose the type of communication they receive, rather than send them all of your campaigns. Things like product updates, changes to T&Cs etc. will be fine. And as always, I recommend speaking with someone on your legal team, just to clarify. Hope these answers help.



about 2 weeks ago

Great post, thank you. A question for you - we have some corporate customers who email us directly with product orders. Each individual product ordered relates to one of their employees. So they also email us each employee's email address. We then email the product to the individual employee and we also manually enter each employee into our CRM to market to them. That email address is usually the employee's company email address, but sometimes is a personal email address. So.... would an order for employees placed by an employer be deemed 'consent' to email those individuals marketing information? Also, where an individual who doesn't yet exist on our database orders from us online, is that consent to email them in the future? ie. is a purchase consent? Or do they have to have some sort of tickbox like we will have for marketing signups? Confusing! Thank you so much!


Steven MacDonald

about 2 weeks ago

Hi Catriona, thanks for commenting. Great question! It does sound confusing, which is why unfortunately, I'm not sure I can give an answer here other than to speak with your legal team.

