
GDPR for Marketing: The Definitive Guide for 2023

GDPR for marketing

Post summary:

  • GDPR has changed the way that companies communicate with prospects and customers, but what is GDPR and why introduce the new privacy law now?
  • Failure to comply with GDPR can lead to hefty fines. In fact, 3 household brands have already been fined. Learn from their mistakes before you schedule your next marketing campaign.
  • To comply with GDPR, we share a marketing checklist that we have used, which includes 9 practical tips to help you get closer to meeting those EU requirements.

 In today’s connected world, personal data is being collected at an incredible rate.

The websites you use, the calls you make, the places you visit and even the photos you take are all recorded, measured and leave a digital footprint - a footprint that is fast becoming a prized resource.

In fact, digital footprints have become so valuable that The Economist called personal data “the world’s most valuable resource”, ahead of oil, because of how much it now informs the way companies communicate with their customers and how it positively impacts customer experience.

However, because personal data is so valuable, it’s vulnerable to theft or misuse and this has led to consumers demanding to know how companies use and store their personal data. Essentially, consumers are not convinced that companies are doing enough to protect them.

A Consumer Privacy study by TRUSTe/NCSA found that 92% of online customers cite data security and privacy as a concern, while a report published by the Chartered Institute of Marketing found that 57% of consumers don’t trust brands to use their data responsibly.

Another concern is that Symantec’s State of European Privacy Report found that 90% of businesses believe it’s too difficult to delete customer data and that 60% (!) do not have the systems in place to help them do so.

Clearly, there’s significant disconnect between consumers, their personal data and how the companies that collect it, use it.

Challenges organizations face if customers ask to have their data modified or deleted

It’s even more concerning when it comes to GDPR for marketing, as 41% of marketers admit to not fully understanding both the law and best practice around the use of consumers’ personal data.

That’s right!

The people that use customer data the most don’t fully understand how they should use it.

It was clear that something needed to be done to regulate how personal data is managed, to protect consumer interests and to police the companies that collect, store and use the data. That is why the European Union adopted GDPR in 2016 and began enforcing it in May 2018: a single set of rules designed to safeguard personal data and shape the decisions of marketers in every member state.

What is GDPR?

The General Data Protection Regulation (GDPR) is the EU’s data protection law, in force since 25 May 2018. It replaces the patchwork of national privacy legislation across the EU with one central set of rules that protects individuals in every member state, and it applies to any organization, wherever it is based, that processes their personal data.

(Note: in Switzerland, the revised FADP takes effect on 1 September 2023. Here's how the FADP differs from GDPR.)

Put simply, this means that companies are now required to build privacy into their digital products and websites, with the protective settings switched on by default (privacy by design and by default). Companies must also carry out data protection impact assessments for high-risk processing, strengthen the way they seek permission to use data, document the ways they use personal data and report data breaches to the regulator within 72 hours of becoming aware of them.

And, because it’s a regulation and not a directive, it applies directly in every member state - meaning it cannot be opted out of, or ignored. In fact, failing to comply can lead to fines of up to €20 million or 4% of annual global turnover, whichever is higher!

Here are two recent examples of how high GDPR fines can run, and of how far the headline figure can differ from the final one:

  • British Airways: in 2019 the ICO announced its intention to fine £183 million (roughly €200 million) for a breach of customer payment data in 2018; the final penalty, issued in October 2020, was £20 million.
  • Marriott International: the ICO announced an intended fine of £99 million for the Starwood guest database breach that ran from 2014 to 2018; the final penalty, also issued in 2020, was £18.4 million.

So, it’s fair to say that the EU is taking this extremely seriously.

Why introduce GDPR now?

GDPR is the most far-reaching change to data protection in a generation and is a dramatic shift in the way the EU wants personal data to be managed.

The EU’s new approach to online privacy puts individuals first, believing they should be protected and empowered, rather than exploited or ignored.

This new approach to data protection is the EU’s way of keeping companies big and small more accountable for their actions. EU regulators believe that companies have been exploiting personal data for their own gain and aren’t being transparent about how they were using it. GDPR has been designed to end all that and put the power back in the hands of the consumer.

But, why wait until now to introduce it?

The main reason is that the previous EU rules, the 1995 Data Protection Directive, were built on principles that trace back to the OECD privacy guidelines of 1980.

This means that the data privacy principles the EU was working from predate social media, smartphones and much of modern web technology (artificial intelligence, virtual reality and the like).

Plus, the previous rules were a directive rather than a regulation. A directive has to be transposed into each member state’s own law, so the details varied from country to country and companies working across borders faced a patchwork of requirements.

From 25th May, 2018, this has no longer been the case.

While consistency in data privacy regulations across Europe is good news for all marketers, GDPR also comes with quite a few challenges that impact marketing teams – especially marketing teams that communicate to customers based in the EU.

How does GDPR impact marketing?

On the surface, GDPR might seem extreme, especially for smaller businesses or solo-practitioners.

Realistically though, there are only 3 key areas that marketers need to worry about – data permission, data access and data focus.

Let’s take a look at each of these individually.

GDPR and marketing

1. Data Permission

Data permission is about how you manage email opt-ins: the people who request to receive promotional material from you. You can’t assume that they want to be contacted. They must express consent in a ‘freely given, specific, informed, and unambiguous’ way, reinforced by a ‘clear affirmative action’ - this is the GDPR’s own definition of consent.

Hang on, what does that mean?

Well, in practice, it means that leads, customers and partners, need to physically confirm that they want to be contacted. You need to make sure you’ve actively sought (and not assumed) permission from your prospects and customers, confirming they want to be contacted. Therefore, a pre-ticked box that automatically opts them in won’t cut it anymore – opt-ins need to be a deliberate choice.

The one grey area here is refer-a-friend programs.

In most cases, refer-a-friend programs work when a prospect or customer enters a friend's email address in order to claim an offer (a discount, sale, bonus, etc). Once they have entered the friend's email address, an email is automatically sent from the company to the "friend" without that person ever giving consent. These emails are typically one-off "notifications", rather than promotional.

Be aware that sending even that one notification is processing of the friend's personal data. The defensible position is that the address is used once, for the notification the referrer triggered, and is neither retained nor reused.

If the address is stored and then used for marketing communications, you are in violation.

To be clear:

No marketing communication is to be sent to the referred friend's email address unless that person opts in themselves.

2. Data Access

The right to be forgotten has become one of the most talked-about rulings in the history of the Court of Justice of the European Union. The 2014 Google Spain ruling gave people the right to have outdated, inaccurate or irrelevant personal data removed and has already been applied in practice: Google was required to remove certain pages from its search results in order to comply.

The introduction of GDPR offers individuals a method to gain more control over how their data is collected and used – including the ability to access or remove it – in line with their right to be forgotten.

As a marketer, it is your responsibility to make sure that your users can easily access their data and withdraw consent for its use - and GDPR requires that withdrawing consent is as easy as giving it was.

Practically speaking, this can be as straightforward as including an unsubscribe link within your email marketing template and linking to their customer profile that allows users to manage their email preferences (as shown in the example below).

Subscription management settings inline with GDPR compliance

Of course, it sounds easy enough.

Yet, in our own B2B email marketing benchmark report (a study of 4,500 email campaigns) we found that 8% of all emails do not include an unsubscribe link!

3. Data Focus

As marketers, we can all be guilty of collecting a little more data from a person than we actually need. Ask yourself, do I really need to know someone’s favorite movie before they subscribe to our newsletter?

Probably not.

With this in mind, GDPR requires you to have a lawful basis for every piece of personal data you process, and to collect no more than that purpose actually needs (the data minimisation principle).

Don’t worry; this is not as scary as it sounds.

What this means is that you need to focus on the data you need, and stop asking for the “nice to haves”. If you really need to know a visitor’s shoe size and inside leg measurement, and can prove why you need it, then you can continue asking for it. Otherwise, avoid collecting any unnecessary data and stick with the basics.

The cost of failing to comply

The deadline for GDPR has now passed and many businesses are already in “panic mode” to make sure they’re compliant.

The trouble with this is that this leads to mistakes...

...and these mistakes can be costly.

Especially as the UK’s Information Commissioner’s Office (ICO) has clamped down even harder on the misuse of personal data.

In fact, the ICO has already published enforcement action involving household brand names that used a well-known re-engagement tactic: emailing their whole database to ask whether people wanted to keep hearing from them and to update their preferences. The following 3 campaigns, sent by Flybe, Honda and Morrisons, did exactly that. Note that all three campaigns were sent in 2016 and fined in 2017 under the UK’s PECR rules on electronic marketing, before GDPR applied; GDPR’s stricter consent standard makes the same mistake more expensive, not less, so the lesson carries straight over.

How did they contact their customers, you might ask?

Well, they contacted them by email – even those customers that had previously opted out.

And this is a serious breach of compliance.

1. Flybe fined £70,000

In August 2016, Flybe sent an email to 3.3 million people in their database with the subject line "Are your details correct?"

In theory, this sounds like a smart strategy, but unfortunately, these 3.3 million people had previously opted out (unsubscribed) of marketing emails and so had given no consent to be contacted.

Flybe fined by the ICO over its "Are your details correct?" email


The result? A fine of £70,000.

Key takeaway: If your customers have opted out of marketing emails, don't email them - it's as simple as that. You are breaking the law if you do.

2. Honda Motor Europe fined £13,000

In a separate incident, Honda Motor Europe sent 289,790 emails between May and August 2016 asking recipients "Would you like to hear from Honda?".

This email was sent in order to establish how many of those 289,790 people wanted to receive marketing emails going forward. But, once again, it went to individuals for whom Honda held no record of consent, including people who had specifically opted out.

This mistake earned Honda a £13,000 fine as a result.

Key takeaway: If you do not have explicit consent to email your customers, then don't email them! An email asking for consent is itself a marketing communication, so sending it to a non-consenting address breaks the very rule it was meant to fix.

3. Morrisons fined £10,500

In late 2016, UK supermarket chain Morrisons re-launched their "Match & More" loyalty program.

In a bid to get more members to take advantage of their offers, they sent out an email to all 230,000 members from their database, asking subscribers to update their account preferences. Unfortunately, this included 131,000 subscribers who had previously opted out and unsubscribed.

This slip up led to a fine of £10,500.

Key takeaway: In this case, it was a customer who reported Morrisons to the ICO. So, you have to be 100% sure that every subscriber you email has opted in. Now that customers are taking matters into their own hands, you have to be even more careful.

These three examples should act as a clear warning sign to businesses – both big and small – to make sure you’re doing things right in a post-GDPR world.

Who is affected most by GDPR in marketing?

If you have customers, then everyone inside your company is affected by GDPR.

But, in the marketing department, there are three roles that have seen the biggest change in their everyday work.

Let's take a closer look at who this has affected and how.

1. Email marketing managers

For B2B marketers, email addresses are the lifeblood of lead generation programs.

Often considered the start of the sales process, a user who willingly gives you their email address in exchange for something, such as joining your mailing list or downloading a piece of content, is known as an "opt-in".

This is in stark contrast to firms that buy email lists or scrape (copy) them from websites. Under GDPR you can almost never show that the people on a bought or scraped list consented to hear from you, so in practice those lists are off the table.

Ensuring users opt-in to your B2B email marketing campaigns and give consent to be contacted is now a GDPR requirement for email marketing and you can no longer automatically add them to your email list and then wait for them to opt out.

2. Marketing automation specialists

Marketing automation can be an extremely powerful tool.

But, it can also land you in trouble with GDPR if not set up correctly.

If your marketing automation system sends out emails on behalf of your CRM system, then you could be facing eye-watering penalties from your supervisory authority (the ICO in the UK) if an email is sent automatically to someone who has opted out.

You need to make sure that every name in your CRM database and every address in your automation system has given you permission to market to them. And, if someone opts out of an automated email sequence, both systems must be updated so that no further emails are sent. Having the next email already scheduled is not a valid excuse: the opt-out has to be checked at the moment each email is about to go out, not only when the sequence was set up.

3. Public relations execs

Pitching new product releases or company information to journalists is no different from marketing to an employee of a business. While it’s possible that the liability for this consent will lie with media databases such as PRweb and MyNewsDesk, journalists will still have to give consent to be contacted by you, instead of the traditional email outreach program.

This consent could be given through platforms like HARO, where journalists are asking you to contact them, or through requests made on social media platforms. So if you’re not on those platforms yet, now is the time to sign up!

Of course, if a journalist reaches out to you directly, they’ve expressed interest in talking to you.

GDPR is a golden opportunity for marketers

At this stage, you might be thinking that GDPR has a negative impact on the way you do business today.

But, there’s no real need to worry.

Sure, GDPR does sound intimidating and the fines issued by the ICO are enough to make you rethink your entire marketing strategy. But, in reality, this new EU legislation isn’t a set-back. In fact, it’s a great opportunity for you to do what marketers do best – and that is to create targeted marketing campaigns with people that are engaged with your brand.

Here’s why:

1. Gaining Consent

With GDPR, you need explicit consent to use an individual's data. Your customers can also ask you exactly what kind of information you have on them, who it is shared with and the purpose it has been used for.

The opportunity here lies in the fact that instead of a simple yes or no option when asking customers about data, you can now provide them with a range of options so that they can find out what they’re interested in. Through consent, you can gain insight into each individual’s interests to provide them with information that they want to receive.

This not only helps to be compliant with GDPR, but it also helps you further segment your customers and focus your communication based on specific interests, rather than sending a “one size fits all” email campaign.

2. Right to be Forgotten

Under GDPR, every individual has what's called the "right to be forgotten".

If requested by a customer, your business will need to remove all the data you hold on that individual, across the whole organization, unless another legal obligation (tax records, for example) requires you to keep some of it. Keeping a minimal suppression record, such as a hash of the email address, is also legitimate: it is the only way to make sure the person is not silently re-added from a backup or an old list. If you keep data in different places for different purposes, then this can cause issues.

The solution to this is to have a single platform that hosts the consent record of every single user. Having a single platform, like a CRM system, will help you keep track of all your permissions data and ensure you're GDPR compliant.

The advantage of having a single platform is that it gives your customers the opportunity to switch consent on and off, for different purposes. This, in turn, gives you the opportunity to learn more about your customers and target them with more specific or relevant campaigns.

3. Transparency

People do business with other people (or organizations) that they know, like, and trust - and building trust comes through projecting transparency. You have to be upfront and honest about who you are and what you’re doing.

A study by Harris Interactive found that 93% of online shoppers cite the security of their personal data as a concern. You can overcome these concerns by being transparent with data. You need to demonstrate that an individual's data is being treated with respect and held securely. If you can do that and show that you have your customer’s best interests at heart, then you will strengthen both trust and engagement with your customers.

9 practical tips on GDPR for marketing

Research by Osterman Research, Inc found that 73% of businesses were not ready to satisfy the compliance obligations of the GDPR. While a study by Symantec found that 23% of businesses felt they were only partly compliant by the May 2018 deadline.

The good news is that if you're still not sure whether your business is GDPR compliant, we've created a short checklist that includes 9 practical tips to help you get closer to meeting those requirements.

  • Audit your mailing list. According to a study by W8 Data, up to 75% of marketing databases have become obsolete under GDPR and only 25% of existing customer data meets its requirements. Therefore, remove anyone for whom you have no record of their opt-in (when, how and to what they consented). For new subscribers, use double opt-in: send an automated email and only add the address to your list once the person confirms the subscription.
  • Review the way you’re collecting personal data. Are you still buying mailing lists? If so, now might be the time to start fresh with a new mailing list. In the UK, pub chain JD Wetherspoon took the unprecedented step of deleting its entire email marketing database (more than 650,000 email addresses). In a letter from CEO John Hutson (shown below), customers were told that all customer emails would be securely deleted. While that might be a terrifying prospect for some, it's something to consider, as you are then left with a list of engaged and interested readers.

JD Wetherspoon deletes email marketing database

  • Do you create content that is tailored to your potential customers? Invest in a content marketing strategy by creating white papers, guides and eBooks that visitors can access and download in exchange for them sharing their contact information.
  • Invite visitors to add themselves to your mailing list by launching a pop up on your website. You can keep your mailing list neatly segmented by creating specific pop ups for product news, blog posts and general company news. Just remember to link to your privacy policy though, to ensure compliance - like we did with our GDPR website pop up before the deadline.

GDPR compliant website pop up

  • Educate your sales team about new sales techniques. Essentially, sales reps should connect with prospects on social media and share relevant content - rather than trying to reach new prospects by email. Invest in strategies like social selling and account-based marketing.
  • The time for using Google Docs or Excel spreadsheets scattered across laptops to store customer data is over. Start centralizing personal data in a CRM system with access controls and an audit trail. And make sure your users can access their data, review its proposed usage, and make any changes as necessary.
  • Understand the data you're collecting in more detail. Is it all necessary, or are there elements that you can do without? When it comes to sign up forms, only ask for what you need, and what you will use. For B2B marketers, full name, email address and company name is usually more than enough.
  • Try using push notifications. A push notification is a pop-up message that appears on a desktop or mobile device. Marketers can use push notifications to send a message to subscribers at any time. Unlike an email campaign, a push notification needs no name or email address: the browser or device asks the user for explicit permission before any notification can be delivered, and the user can revoke that permission from the device at any time. Treat the subscription endpoint or device token as personal data all the same, and record the opt-in just as you would for email.
  • Update your privacy statement. Review your current privacy statement and amend it to comply with GDPR requirements. Is your privacy statement difficult to read? Are you deliberately using terminology so that potential customers don't know what they are signing up to? If so, rewrite it and make it easy to read - like we have done here.
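
The marketing automation point above (an opt-out has to reach both the CRM and the automation tool before the next scheduled email goes out) and the first checklist item (drop anyone without opt-in evidence, double opt-in for newcomers) come down to one rule: every outbound marketing email passes a single consent gate at send time. The Python below is an added example written for this guide, not code from the original post or from any CRM vendor. The in-memory ledger, the HMAC-signed confirmation link, the 48-hour link expiry and the hashed suppression entry kept after an erasure request are all assumptions standing in for a real system.

```python
import hashlib
import hmac

# Assumed policy for this example: a double-opt-in link is valid for 48 hours.
CONFIRM_TTL = 48 * 3600


def _norm(email):
    """Canonical form, so 'Ann@Example.com ' and 'ann@example.com' are one record."""
    return email.strip().lower()


class ConsentLedger:
    """One consent record per person, shared by CRM and automation (in-memory stand-in)."""

    def __init__(self, secret, now):
        self._secret = secret   # key for signing confirmation links
        self._now = now         # injectable clock (seconds) so runs are deterministic
        self._records = {}      # email -> {"status", "purposes", "evidence"}
        self._erased = set()    # sha256(email) of erased people: never re-add them

    def _record(self, email):
        return self._records.setdefault(email, {"status": "none", "purposes": set(), "evidence": []})

    def _sign(self, email, purposes, expires):
        msg = f"{email}|{','.join(sorted(purposes))}|{expires}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, email, purposes, source):
        """User-initiated sign-up; returns the token that goes into the confirmation link."""
        email = _norm(email)
        rec = self._record(email)
        if rec["status"] != "confirmed":
            rec["status"] = "pending"        # nothing may be sent until confirmed
        rec["evidence"].append(("requested", source, int(self._now())))
        expires = int(self._now()) + CONFIRM_TTL
        return f"{email}|{','.join(sorted(purposes))}|{expires}|{self._sign(email, purposes, expires)}"

    def confirm(self, token):
        """Clicked link. Rejects forged, expired or stale links (a link issued before a later withdrawal must not re-enable marketing)."""
        try:
            email, purposes_s, expires_s, mac = token.split("|")
            expires = int(expires_s)
        except ValueError:
            return False
        purposes = {p for p in purposes_s.split(",") if p}
        if not hmac.compare_digest(mac, self._sign(email, purposes, expires)) or self._now() > expires:
            return False
        rec = self._records.get(email)
        if rec is None or rec["status"] not in ("pending", "confirmed"):
            return False
        rec["status"] = "confirmed"
        rec["purposes"] |= purposes
        rec["evidence"].append(("confirmed", sorted(purposes), int(self._now())))
        return True

    def withdraw(self, email, source):
        """Opt-out from any channel: keep the record as proof, clear every purpose."""
        rec = self._record(_norm(email))
        rec["status"], rec["purposes"] = "withdrawn", set()
        rec["evidence"].append(("withdrawn", source, int(self._now())))

    def erase(self, email):
        """Erasure request: drop the profile, keep only a hash so it is never re-imported."""
        email = _norm(email)
        self._records.pop(email, None)
        self._erased.add(hashlib.sha256(email.encode()).hexdigest())

    def can_send(self, email, purpose):
        """The single gate every outbound marketing email must pass."""
        email = _norm(email)
        if hashlib.sha256(email.encode()).hexdigest() in self._erased:
            return False, "erased"
        rec = self._records.get(email)
        if rec is None:
            return False, "no consent record"   # imported, bought or scraped address
        if rec["status"] != "confirmed":
            return False, rec["status"]         # pending/withdrawn: don't email, not even to ask
        if purpose not in rec["purposes"]:
            return False, f"no consent for {purpose}"
        return True, "ok"

    def dispatch(self, queue):
        """Automation tick: consent is checked at send time, not when the send was queued."""
        sent, skipped = [], []
        for email, purpose, subject in queue:
            ok, why = self.can_send(email, purpose)
            (sent if ok else skipped).append((_norm(email), subject, why))
        return sent, skipped


def demo():
    """Constructed scenario: Ann and Carol double opt in, Bob came from an old list, Ann unsubscribes after Issue 1 is queued."""
    ledger = ConsentLedger(b"rotate-this-secret", now=lambda: 1_700_000_000)
    for who in ("Ann@Example.com ", "carol@example.com"):
        ledger.confirm(ledger.request_subscription(who, {"newsletter"}, "web-form"))
    queue = [(w, "newsletter", "Issue 1") for w in ("ann@example.com", "bob@example.com", "carol@example.com")]
    queue.append(("ann@example.com", "product-news", "Launch"))
    ledger.withdraw("ann@example.com", "unsubscribe-link")   # arrives after Issue 1 was queued
    return ledger.dispatch(queue)
```

Running `demo()` sends Issue 1 to Carol only: Ann is skipped as "withdrawn" for both queued emails even though they were scheduled before she unsubscribed, and Bob is skipped because no opt-in evidence exists for him, which is exactly the Flybe and Honda situation. Because the automation tool and the CRM both read the same ledger, there is no second copy of the opt-out to fall out of sync, and the evidence list is what you would show a regulator who asks when and how a person consented.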


GDPR has changed the way companies handle the personal data of people in the EU, wherever the company is based, with fines of up to €20 million or 4% of annual global turnover if you fail to comply. That's why it's important for you to seek advice from a lawyer as to what is or is not a legal requirement for your business.

Remember, GDPR hasn't been designed to stop businesses from communicating with their customers. Quite the opposite, in fact. It's led to an increase in data quality, which is why the best and most resourceful marketers are seeing the bigger picture in that it’s an opportunity to delve deeper into the needs of their prospects and customers, rather than using the traditional "one-size-fits-all" approach to marketing.

That being said, the rules for GDPR compliance are quite simple – don’t contact someone unless they specifically ask to be. Don’t assume they want to hear from you. Don’t cold contact them, and don’t send them irrelevant information that they didn’t request.

If you can do all that, then you’ve done your job in being GDPR compliant.

Is your marketing team ready for GDPR?


Disclaimer: The content in this blog post (including all responses to comments) is not to be considered legal advice and should be used for information purposes only.
