Select Page

GDPR for Marketers

The new General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, and it’s going to impact your business. Use this guide to get your marketing team up-to-speed on GDPR implications and best practices.

Personal data is being collected at a breakneck pace, and beginning on May 25th, a new regulation will go into effect that will impact businesses that don’t protect their data according to GDPR rules. Dell and Dimension Research found that 80% of businesses do next to nothing about GDPR. And, despite being a European Union legislation, GDPR has major implications for US-based businesses. In this article, we’ll make sure you’re properly in tune with GDPR compliance so that you can put in place the appropriate safeguards when dealing with customer personal data before the GDPR compliance deadline.

Get to know the GDPR Requirements

GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen the rights of data subjects with regard to how their personal data is used and how it’s protected. Personal data as defined under GDPR language is any information related to a person such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.

In a B2B setting, it’s easy to overlook GDPR compliance, but the individual relationships that drive b2b interaction – the information sharing and personal interactions — must fall under careful consideration. It’s important to take the following measures against GDPR :

  1. Transparency on how data will be used and what it will be used for.
  2.  Ensuring that the data collected is used only for the purposes explicitly specified at the time of collection.
  3. Limiting the data collection to what is necessary to serve the purpose for which it is collected.
  4. Ensuring the data is accurate.
  5. Storing the data for only as long as necessary within its intended purpose.
  6. Prevention against unauthorized use or accidental loss of the data through the deployment of appropriate security measures.

What are the Implications for Marketers?

It’s important to understand that the majority of your business’ activities —the websites you visit,  the calls you make, workshops and conference you attend, and even the photos you take are all recorded and measured, and in many cases, they leave a digital footprint that impacts customer experience and privacy. Because of this, consumers often find themselves in a vulnerable position, not convinced companies are doing enough to protect them. GDPR requires that individuals are given the opportunity to demand deletion of data, opt out of future data collection, view the data a company holds, and download that data in a format that they can move to competitors. For the 90% of organizations that say they are now storing sensitive data on the cloud, how they choose to address these requirements and the means in which they collect, use, and secure personal data will be under increased scrutiny. It’s important that you take the necessary steps to review past, current, and future practices as it pertains to the health your data management.

How will GDPR impact digital marketing?

Email marketing

Moving forward, you’ll need to establish proof when and how an email subscriber opted in (or re-opted in). This information would typically include the IP address of the subscriber and the applicable form. You can continue to email market to your existing database but will need to get them to opt-in to a standard compliant with the new legislation.

Remarketing advertising

If you are remarketing based on website visits, you’ll need to disclose this information to website visitors via your privacy policy and cookie opt-in. You need to get opt-in for all cookies on your website, even those that don’t track personally identifiable information such as Google Analytics.  If someone chooses not to opt-in to cookies then you need to obey their wishes and not track them.

Remarketing using personal contact information such as emails or phone numbers will be permitted as long as you have collected permission to do it when you gathered the contact information.

For remarketing based on social media activity, the social media service acts a the default data controller. Permission to do this is covered by the terms and conditions of the social media website.  

What Can Businesses Do to Prepare for GDPR regulation?

There are 12 steps to achieving GDPR compliance as outlined by the EU International Commissioner’s Office. We’ve further refined this under the microscope of b2b marketing scenarios to give you a better understanding of how GDPR affects businesses rather than individuals.


You should make sure that decision-makers and key people in your business well are aware of the GDPR laws. Begin by taking a hard look at your organization’s risk register or risk committee, if you have one. Remember, the most aware are generally those that are most prepared.

Information Held

Start by creating an information audit so you can document the information you hold in its entirety. Where did the information come from and with whom did you share it?

Individuals’ rights

Check your procedures to ensure they reflect the rights of individuals. Build a plan for how you would delete personal data or provide data electronically should someone make such a request.

Businesses that adhere to GDPR rules for individuals:

  • Provide access data,
  • have inaccuracies corrected,
  • have information erased,
  • prevent direct marketing,
  • prevent automated decision-making and profiling, and
  • have data portability ability.

Can your systems easily locate and delete the data? Who in your company will make the decisions about personal data deletion and as a result needs be involved in this process?. If you use paper print-outs or an unusual electronic format to keep track of personal data, look to make the necessary adjustments to make this a seamless transition.

Communication privacy information

Be sure to thoroughly review your current privacy notices and set into motion a plan for making changes in time to adhere to GDPR changes. In addition to issuing out a concise and easy-to-understand privacy notice for collecting personal data, GDPR requires the following: An explanation of your lawful basis for processing the data, your data retention periods, and the right individuals have to contact the applicable Data Protection Authority you fall under.

Consumer Access Requests

What happens when your customer asks you for proof of GDPR compliance? You should update your procedures and plan how you will handle these types of requests under the new GDPR rules to take account of the new rules. If you elect to refuse a request, you must tell the individual why (for example excessive information) —and that they have the right to complain to the supervisory authority. For frequent requests, you could consider systems that allow individuals to access their information easily online. Organizations should conduct a cost/benefit analysis of providing online access to do this.

Legal Basis for Processing Personal Data

Make sure you identify the lawful basis of your processing activity in the GDPR, and document it. You will have to explain this in your privacy notice and when you answer a subject access request. The legal basis in the GDPR is broadly the same as those in the DPA it should be possible to look at the various types of data processing you carry out and to identify your legal basis for doing so. Again, you should document this in order to help you comply with the GDPR’s ‘accountability’ requirements.


The GDPR references both ‘consent’ and ‘explicit consent’. The difference between the two is not clear given that both forms of consent have to be freely given, specific, informed and unambiguous. Consent, under GDPR language, is defined as;

  • A “clear affirmative action” taken by the data subject (user)
  • Freely given by the data subject
  • Specific, informed, and unambiguous
  • Documented in detail by the data controller (the company that determines how the data will be processed)
  • Easily withdrawn

You should read in detail the guidance the ICO has published on consent under the GDPR. Consent has to be verifiable and individuals generally have more rights where you rely on consent to process their data. If you rely on individuals’ consent to process their data, make sure it will meet the standards required by the GDPR.

Children’s Data

GDPR will aim to bring in special protection for children’s data, and you’ll need to be on top of verifying individuals’ age and if necessary, implementing systems to obtain parental or guardian consent for using data from a minor. If your organization offers online services to children and relies on consent to collect information about them, then you may need a parent or guardian’s consent in order to process their personal data lawfully.

The GDPR sets the age when a child can give their own consent to this processing at 16. If a child is younger then you will need to get consent from a person holding ‘parental responsibility’.

Data Breaches

In the event of a breach, you will need to develop procedures to detect, report and investigate the breach accordingly. WHen you assess the type of data you hold (as outlined above), make sure you set aside information for what type of personal data would be categorized as requiring a notification in the event of a breach. Larger organizations will need to develop policies and procedures for managing data breaches – whether at a central or local level. Note that a failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

Data Protection by Design and Data Protection Impact Assessments

Get acquainted with Privacy Impact Assessments (PIAs) and work out how to implement them in your organization. The Privacy Impact Assessment (PIA) is a decision tool used by DHS to identify and mitigate privacy risks that notifies the public: What Personally Identifiable Information (PII) DHS is collecting; Why the PII is being collected; and. How the PII will be collected, used, accessed, shared, safeguarded and stored.

You should start to assess the situations where it will be necessary to conduct a DPIA. Who will do it? Who else needs to be involved? Will the process be run centrally or locally?

Note that where a PIA (or DPIA as the GDPR terms it) indicates high-risk data processing, you will be required to consult the ICO to seek its opinion as to whether the processing operation complies with the GDPR.

Data Protection Officers

If you don’t have the bandwidth to hire a formal external data protection advisor, designate a Data Protection Officer to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance arrangements.

The GDPR will require some organizations to designate a Data Protection Officer (DPO), for example, public authorities or ones whose activities involve the regular and systematic monitoring of data subjects on a large scale. The important thing is to make sure that someone in your organization, or an external data protection advisor, take proper responsibility for your data protection compliance and has the knowledge, support, and authority to do so effectively. Therefore, you should consider now whether you will be required to designate a DPO and, if so, to assess whether your current approach to data protection compliance will meet the GDPR’s requirements.

International Considerations

If your organization operates internationally, then determine which data protection supervisory authority you fall under. The lead authority is the supervisory authority in the state where your main establishment is. Your main establishment is the location where your central administration in the EU is or else the location where decisions about the purposes and means of processing are taken and implemented. This is only relevant where you carry out cross-border processing – ie you have establishments in more than one EU member state or you have a single establishment in the EU that carries out processing which substantially affects individuals in other EU states. If this applies to your organization, you should map out where your organization makes its most significant decisions about its processing activities. This will help to determine your ‘main establishment’ and therefore your lead supervisory authority. Put simply, the lead authority is determined according to where your organization has its main administration or where decisions about data processing are made.

Get GDPR-ready with Macon Raine

Many businesses approach this new GDPR data privacy regulation as an obstacle. At Macon Raine, we see it as a chance to create positive outcomes and new insights thanks to an uptick in consumer touch points for your business.

To ensure that your marketing strategies are GDPR-compliant, Macon Raine will assist with Google Analytics, updating internal processes, comprehensive review of strategies, platforms and services, and more.


Get GDPR-ready with Macon Raine

Many businesses approach this new GDPR data privacy regulation as an obstacle. At Macon Raine, we see it as a chance to create positive outcomes and new insights thanks to an uptick in consumer touch points for your business.

To ensure that your marketing strategies are GDPR-compliant, Macon Raine will assist with Google Analytics, updating internal processes, comprehensive review of strategies, platforms and services, and more.

Take advantage of this FREE B2B Web Audit Today:

  • Keep detailed summaries of your content
  • Audit your current marketing strategy
  • Gain insight in how to improve your content to stay compliant

Enter Your Email To Be Directed To Your B2B Download!

Get started generating more revenue today!