How Does GDPR Affect Online Marketing?


Digital marketing has emerged as a comprehensive tool that helps businesses target specific audiences that can be turned into customers. While the majority of businesses, both small and large, have used it extensively to advertise their products and services, they have been heavily criticized for paying little attention to their users’ privacy. User data and privacy have been the talking point of the industry, especially after the whole Facebook-Cambridge Analytica backlash. You know things are serious when the world’s largest social media platform gets cornered for its lack of attention to privacy laws, a lapse that is even rumored to have profoundly influenced the results of major elections throughout the world.

Now that all of this is out in the open, users are especially concerned about their privacy on the internet and are becoming more and more aware of their rights. This has led the European Union to pass a law called the General Data Protection Regulation, or simply GDPR. The law will be enforced from May 25 and will exclusively focus on the privacy rights of the people living in any of the 28 countries of the European Union. However, in our comprehensive overview of the GDPR, we will help you understand how it will affect people living outside the EU as well. First, let us walk you through what GDPR really is.

What is GDPR?

GDPR or the General Data Protection Regulation is a regulation in the European Union Law which primarily focuses on the privacy rights of the individuals living in the EU. It aims to unify the regulation within the EU nations to simplify the regulatory environment for International businesses. The citizens will have control over whether their personal information can be used by the organization or its third party associate companies.

The law was adopted on 14 April 2016 and was in its transition period. However, it will now become enforceable on May 25, 2018, after a period of almost two years. It is important to know that the previous data laws that were in place were more than 20 years old and were introduced in the year 1995 (Data Protection Directive). The GDPR becomes even more critical because the agencies could do very little with your data twenty years ago when compared to their capabilities today. It is not a coincidence when a product that you were looking at on Amazon suddenly starts to appear in your Facebook news feed. The social media platforms can do that because they place cookies in your web browser and can trace your internet activity even after you have closed the corresponding tab.

What does the General Data Protection Regulation Actually Propose?


The term ‘personal data’ is the root of all the chaos for digital marketers, who are worried about what data it carries under its umbrella. The European Union has clarified that names, phone numbers, email addresses, pictures, physical addresses, posts on social media, bank details, medical information, and even a computer’s IP address will all be treated as personal data.

Since the privacy of EU citizens is at the center of this regulation, any data processor or data controller that is based in the EU will have to comply with these laws. However, if you are based outside the EU, for example in Canada or Australia, and possess the personal data of EU citizens, these regulations still affect your style of business. Of course, you could avoid this problem by geo-blocking visitors from the European Union from your website. But then again, the European Union consists of 28 countries and a population of more than 510 million, which is a huge customer base that you can cater to. People in these geographical locations can be your potential customers and contribute to the revenue of your business. Choosing to comply with these rules is far better than ceasing to offer your services to 510 million potential customers.

Another example is the data controllers in the EU that employ people outside the EU jurisdiction to process their data. For instance, you have an e-mail list of the people that signed up for your freebie. You send the information to your third-party processors in the United States that use it for e-mail marketing or advertising purposes on Facebook. Since you are the data controller of that list, it is your job to comply with these regulations. Once your customers know that you’re not GDPR compliant, you could even start losing customers.

Violation Of The Law Even If You’re Only Storing User Data

An essential tool for Digital Marketing is the user’s personal data. If there is no data to process, you cannot advertise your products or services to a specific audience anymore. Acting upon the data already available to communicate or advertise your products to the customer is processing it. However, there are a lot of businesses that possess personal user data and do nothing about it. These people tend to think that they aren’t doing anything wrong and therefore do not need to worry about GDPR. The truth is even storing this data will be treated as processing it.

Fair Play

It is essential that you are fair to your customers. Being transparent about your dealings is the number one rule of a good businessman and can significantly help in building trust between the two parties. Firstly, you need to let people decide what data they are sharing with you, and secondly, you need to be upfront about what you are planning to do with that data. For instance, say you are collecting emails from your customers that you plan to use for advertising purposes. It is excellent practice to place a link to your privacy policy right there. Make sure the policy is transparent and upfront, so that it communicates to the user how you intend to use their personal information. Avoid technical terms wherever possible and keep the language reasonably easy to understand. This way the users will be able to give their consent by making a well-informed decision.

Put in the specific details of the data you will be collecting. If you plan to send it to third-party associates, make sure to mention their names and explain how they will be using it. The users are more likely to agree to your terms if you are completely honest about your intentions. You are entirely ‘responsible and accountable’ for the user data once it is shared with you.

Data Limitation

Being fair isn’t enough. You need to convey to your customers what you propose to do with their personal information. If you are using it for say, marketing similar products to what they recently bought then you cannot decide to sell their data to third-party advertisers which they did not agree to. You use it only and only for the purposes you mentioned and not something they did not sign up for. Imagine how frustrating it gets when you get endless calls from telemarketers trying to offer you services that you do not require. Well, your users will be going through pretty much the same.

Another thing to keep in mind is to only ask for the information that is relevant to you. Think of an email subscription box on a car maintenance website. What information will you need and, more importantly, what will you need it for? Obviously, you would need their names and emails or perhaps even contact numbers, but do you really need their marital status, their bank details or their physical addresses? In fact, ask for a phone number only if it is significantly relevant to your service. Most users prefer to be contacted for advertising purposes via mail only.

Storage Limitation

Another thing that will require your attention once the GDPR regulations are in place is storage limitation. This primarily relates to how long the data remains relevant. You cannot keep user data longer than you have told your users you would. You cannot digitally market a product to a customer on the grounds of data dating back ten or more years. Something that is of high relevance to a user today might become utterly useless for them a few years later. No one needs to buy something similar to what they bought five years ago. They might already possess something similar, or that product might not fit into their current lifestyle.

Since this data is now irrelevant for you, it will be good practice to erase this data. Think of it as good list hygiene. In fact, the new regulations allow a user to request you to delete all their personal data even if it is relevant to you. The ‘right to erasure’ as it is called in the new GDPR is a huge step up from 2014’s ‘right to be forgotten’. The users are also given a right to access their data and see how exactly it was processed.


The General Data Protection Regulation also covers pseudonymisation. According to the GDPR, pseudonymisation is described as storing personal data in a transformed form that someone without additional information cannot access. What that essentially means is that companies need to take appropriate measures to ensure that personal data that could be traced back to a particular individual is completely encrypted so that external sources cannot read it. Only people with the right authority will be able to access the data with the help of an encryption key. This ensures the safety of your data even if it gets compromised in cyber attacks or finds its way to the wrong people.

This is particularly interesting now since the popular coffee chain Starbucks was heavily criticized for storing user credentials without encryption. In more straightforward terminology, the Starbucks mobile application was saving user data along with their passwords in pure text form.
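One way to pseudonymise a marketing contact list, as an added example that is not from the original article: direct identifiers are replaced by a keyed HMAC-SHA256 value (a swapped-in technique; the article speaks of encryption), and the key and lookup table are the additional information held apart from the working dataset. The field names, sample records and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: these are the fields treated as directly identifying.
DIRECT_IDENTIFIERS = ("name", "email", "phone")

# Constructed sample records (not real people); note the same address
# written two different ways.
SAMPLE = [
    {"name": "Ana Example", "email": "Ana@Example.com ", "phone": "555-0100",
     "last_purchase": "brake pads"},
    {"name": "Ana Example", "email": "ana@example.com",
     "last_purchase": "wiper blades"},
]


def normalise(email: str) -> str:
    """Canonical form so one person always maps to one pseudonym."""
    return email.strip().lower()


def pseudonym(email: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the email; cannot be recomputed without the key."""
    return hmac.new(key, normalise(email).encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Split records into a working dataset and a separately held lookup.

    dataset: what marketing and analytics systems store (no direct identifiers)
    lookup:  the additional information, kept apart under access control
    """
    dataset, lookup = [], {}
    for rec in records:
        pid = pseudonym(rec["email"], key)
        identifiers = {f: rec[f] for f in DIRECT_IDENTIFIERS if f in rec}
        identifiers["email"] = normalise(rec["email"])
        lookup[pid] = identifiers
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_id"] = pid
        dataset.append(row)
    return dataset, lookup


def reidentify(subject_id, lookup):
    """Only a holder of the lookup table can get back to the person."""
    return lookup.get(subject_id)


def guessable_without_key(stored_id: str, candidate_email: str) -> bool:
    """True if a party holding only the dataset can confirm a guessed email.

    This is the weakness of a plain, unkeyed hash used as an identifier.
    """
    unkeyed = hashlib.sha256(normalise(candidate_email).encode()).hexdigest()
    return hmac.compare_digest(stored_id, unkeyed)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store in a secrets manager, not with the data
    dataset, lookup = pseudonymise(SAMPLE, key)
    for row in dataset:
        print(row)
    print(reidentify(dataset[0]["subject_id"], lookup))
```

Both sample rows receive the same `subject_id`, so purchase history can still be analysed per customer while the working dataset holds no name, email or phone number.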

Data Protection Officer

According to the General Data Protection Regulation, an expert must be appointed to assist data controllers or processors in processing operations that require regular and systematic monitoring of data subjects. The Data Protection Officer should possess expert knowledge of data protection law and practices. The core function of the officer will be to assist the organization in complying with the latest regulations in the GDPR. The DPO is also expected to be proficient in IT processes, data security and other critical business continuity issues related to storing and processing personal user data.

However, we believe that the appointment of such an individual in a large organization can be especially challenging for the board as well as the individual. Given the nature of the appointment, the companies will need to address challenging governance and human factor issues. Additionally, the Data Protection Officer needs to be assisted by a team of people who will function independently of the organization similar to mini regulators.

Fines and Sanctions

If you fail to comply with the regulations in the GDPR, you could be looking at some severe fines and sanctions under European law. There could be a fine of 10 Million Euros or 2% of the annual worldwide turnover (whichever is higher) if your company is infringing the provisions in Article 83, Paragraphs 5 & 6 of the GDPR. However, in case of non-compliance with Article 83, Paragraph 4 of the GDPR, you could be fined 20 Million Euros or 4% of the total worldwide revenue (of the preceding year). You could also be let off with a written warning in case of a non-intentional, first-time infringement of these laws.

These are substantial fines for any organization. In fact, Facebook itself is looking at a fine of over $109 Billion which is 4% of their turnover in 2017. Even if you are not fined by the EU, your organization’s reputation is at stake, and damage to it can eventually lead to losing customers and therefore revenue. It is best to comply with these rules and avoid the legal trouble that follows negligence. Compliance also reflects the ethics of your business model.

According to Clayton Hasbrook of OklahomaLawyer, fines for GDPR have been very rare but there were cases happening around his state – mostly by website visitors looking to exploit loopholes and get some extra cash through lawsuits.

Data Breaches

If there is a data breach, companies and organizations are required to notify the supervisory authority without undue delay. They only need to do that if the breach is likely to result in the violation of the rights and freedoms of individuals. The GDPR also clarifies that the authorities are to be notified within 72 hours of the event. Organizations might also be required to inform their users that their data has been compromised if adverse effects are determined. The only event when it is not necessary is if the user data is heavily encrypted and cannot be decoded by any external groups or individuals. You can read the regulations at length in Article 33 and Article 34 of the General Data Protection Regulation.

However, the General Data Protection Regulation would not be applicable in the cases of lawful interception, national security, military, police, and the justice department. The committee has also clarified that any individual processing the personal data for purely personal and household activities will not be charged with the infringement of privacy laws mentioned in the GDPR.

Now that we know what the GDPR says, let us move on to what you can do to comply with these rules. The first and foremost thing you need to consider is whether the data you store is ‘personal’. If it isn’t, then you are good to go. You do not need to worry about any laws and regulations as of yet. However, if the data that you store (or process) can be used to identify a person, then you will need to make appropriate changes to the way you process that data.

Some simple steps that can help you with the process are:

The most important thing that will form the foundation of your new processing mechanism is the consent of the users. The way it used to work is very different from what the guidelines require now. If you ever made a purchase from an e-commerce website, they will have your address, phone numbers and of course your email details. They would send you promotional emails day in and day out unless you ‘opted out’ by unsubscribing from their emails. You never chose to receive these emails and only had the option to unsubscribe later. However, now you need to have clear affirmative consent from the user.

There should be an ‘opt-in’ where users will be able to give their consent to receive your promotional emails and calls. You will also need to mention what exactly they are agreeing to, with a link to your full privacy policy placed right next to the checkbox. In the privacy policy, you need to explain to the user how you are going to process this data and what modes of communication might be used to reach them. Providing all of this information in an honest and transparent manner will help establish trust and help customers make an informed decision about their choices.

Legitimate Interest

This is a debatable topic on its own. We say that because it is up to you to decide whether you need the consent of the user or whether there is a legitimate interest. This is never black and white and is usually a moral grey area. However, we strongly suggest balancing your arguments and making sure that the recipient is not suffering. You might feel at times that your marketing falls under the legitimate interest of the user and you do not require consent for that.

For instance, there is an emailing list of people that have bought a specific product from you in the past and there is an excellent product which makes sense for exactly those people. In a scenario like this, we believe you could go with legitimate interest. Since direct marketing has often been termed as legitimate, we see no problem with that. Since these people have already been your customers and it is within their reasonable expectation to hear from you, we say you go for it. However, if these people have made purchases from you a couple of years back then this interest might not be legitimate since they aren’t expecting to hear from you and might take it as an act of hurting privacy.

Take A Granular Approach

When it comes to different processing purposes, we strongly recommend you take a granular approach. Since we have already established the advantage of tick boxes and ‘opt-in’ options, it is good practice to break down the questions. For instance, most businesses have an ‘opt-in’ option with a single question which is followed by an agreement to terms and conditions. Only a handful of people will take the time to review your privacy policy, and they might not give you their consent. However, by making transparency your priority you can break the tick-box questions into fragments, which will give your customers a better idea of what they are getting themselves into. An example of the granular approach is given below:

  • By clicking here you allow us to send you promotional emails
  • By clicking here you allow us to share your data with third parties for promotional and marketing emails

This will give the users the freedom to choose how they would like to be contacted and more importantly by whom they want to be contacted. You do need to remember, however, that no one likes to tick on tens of tick boxes.

Handling Sensitive Data

Okay, we have discussed ‘personal data’ extensively, but what about data that is extremely sensitive? By ‘sensitive data’ we mean data that contains information about racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, and more. Basically, this is data which is extremely private and could have a tremendous impact on the rights and freedom of the people concerned if it finds its way to the wrong people.

In such a case, consent becomes all the more important and you might need what is called ‘explicit consent’. This is usually a signed statement or a dual ‘opt-in’ which acts as a two-stage verification process. It serves as a separate ground on top of your lawful ground for processing this data. You can let the users know that this is special category data that deserves more protection by flagging it.

Cambridge Analytica was accused of using such data from Facebook to manipulate the results of major elections in countries like the United States and India. However, those remain just ‘allegations’ as of now.

Give Your Users The Freedom

You might think that offering your users an option to ‘opt out’ of your email subscription might be enough. However, the GDPR or the General Data Protection Regulation might give the power back into the hands of the citizens of the European Union, which means that they will be able to decide whether they want to ‘opt in’ to your marketing and advertising emails. The users must have the option to unsubscribe at the bottom of each mail and a specific ‘opt out’ email should be sent every two years. The main purpose of this mail will be to educate the users about their rights and remind them that they can always choose to unsubscribe from your promotional emails. The GDPR basically wants to enable the users to withdraw their consent at any time they want. Giving consent does not mean that they cannot change their decision later. Make the best use of your marketing skills and let your customers know that they can unsubscribe from your emails while simultaneously making it sound like a stupid idea.

Maintain Records

Let us come to the significance of maintaining records. Expect the frequency of privacy complaints and user feedback to increase when the laws are in place. This means that you are more likely to be challenged than before. However, you can easily get out of those tricky situations if you have been maintaining records of your user data. In the event that you are facing backlash, you will be able to point to your records and prove to the users that they gave their consent for certain purposes mentioned in your policy on a particular date.

Another great practice is keeping a record of every privacy policy you have ever implemented. At times you will need to introduce a new privacy policy for your users, and we strongly recommend that you keep copies of the preceding ones. You may need to update the policy due to the implementation of new laws by the government or because of a loophole that your legal advisers discovered in the terms and conditions. Do not forget to keep track of the dates, both of implementation and termination.

Experts suggest maintaining a spreadsheet with all the information about your leads. It should contain all your contacts, where you got it from and more importantly how they gave you their consent to use their personal data. The second part of the job is to think long and hard about what your legitimate grounds of processing really are. Another crucial point to note is that, if you are planning on getting a fresh consent for your marketing and advertising mail list, then make sure you do that before the implementation of the General Data Protection Regulations which come into force on May 25.

The General Data Protection Regulations focus mainly on the privacy of European Union citizens and aim to simplify the regulatory environment in International businesses. Therefore, the rules and regulations mentioned in the GDPR will apply to all the EU member states. However, each state will be required to establish an independent supervisory authority (SA) to tend to complaints and sanction administrative offenses. These Supervisory Authorities will need to co-operate with each other thus providing mutual assistance and organizing joint operations.

A lead Supervising Authority will be appointed when investigating a business that has multiple establishments in the European Union. The SA in the state where the headquarters of that business is located will be designated as the lead SA. This Supervising Authority will then act as a one-stop shop which will be responsible for supervising all the processing activities throughout the EU.

Now that the General Data Protection Regulation comes into effect on May 25, you might need to make significant changes in your organization. You will need to comply with these changes even if you are an organization that is based outside of the European Union. This is especially true for companies that hold the personal data of EU citizens. You might not directly possess this data, but if you happen to have customers, prospects, employees, or even suppliers in the European Union, then these regulations apply to you. Talking about the United Kingdom, Brexit or no Brexit, they too will need to comply with these rules since they want to maintain free data transfer flow into the rest of Europe which means they need to have the same standards of data protection as other nations of the European Union.

In fact, it is only a matter of time till more countries come up with similar or perhaps even stricter regulations in the coming months. Therefore, it is imperative to stay ahead of the tide and streamline your data processing mechanisms. Even if there are no such laws in your jurisdiction, we strongly recommend you adhere to these regulations. These practices are bound to become standard in the industry in coming months and implementing these will help you establish your business as more ethical compared to the competition.
