
Things You Need To Know about GDPR - RevM

By Carl Davies on 09-Feb-2018 20:52:48


May 2018 has a lot to offer. Summer will be right around the corner. There are two bank holidays to look forward to. And heck, it even has that one special day of the year when you can announce “May the 4th be with you” to every colleague you pass.

But perhaps an even more important date for your calendar is May 25th. That’s when the new General Data Protection Regulation (GDPR) comes into force to replace the 1995 EU Data Protection Directive (DPD).

We want to share what these changes will look like. That way, when the GDPR “Force Awakens” in May, you can ensure that your business is complying with the new regulation and staying away from “The Dark Side.”

Star Wars puns aside, the new regulation sets out to significantly enhance the protection of the personal data of individuals in the EU. This will have a big impact on the way marketers approach their work and on how organisations obtain, store, manage or process that personal data. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and adds harsher penalties for violations.

So how much do you really know about GDPR? According to HubSpot, not much. Only 36% of marketers have heard of GDPR, while 15% of companies have done nothing and are at risk of non-compliance. It will be no good asking "What does GDPR mean for marketing?" when an inspector shows up at your business come May 2018. Playing blissfully ignorant will come at a big cost. Depending on the type of violation, companies will incur fines of up to €20 million or 4% of their global annual turnover (whichever is greater). And if you think being based outside of the EU makes you exempt from these new regulations, think again: the GDPR applies to any organisation that offers goods or services to people in the EU or monitors their behaviour, wherever that organisation is based. These big penalties show that the regulators mean business and companies cannot afford to ignore the legislation.

On the surface, these new regulations may seem doom and gloom for marketers. However, it’s important to remember that they are designed to benefit data holders and consumers alike. The individual is at the heart of GDPR, but the regulation should also have a positive impact on the quality of the data used for targeting, on the relevance of ads, and on how consumers feel about those ads. That last point matters: according to a 2016 Consumer Privacy study by TRUSTe/NCSA, 92% of online customers cite data security and privacy as a concern. Handled well, GDPR should improve the performance of a digital marketing campaign while allowing marketers to continue doing positive work in a way that prioritises customer concerns.

At this point, we could ramble on for hours about how GDPR came about or bore you with an infinite glossary of terms, but we understand that all you really want to know is what does GDPR mean for marketing? So in an effort to keep things practical, let's get to the nitty gritty of GDPR marketing.


Stage 1 - Data Collection


The GDPR was designed to ensure that there will be more transparency between the organisations who collect and control the data (the ‘Data Controllers’) and the individuals whose personal data is being collected (the ‘Data Subjects’). This means that any organisation which attracts people to its website and wants to collect data via a form must communicate clearly to that person what the data is going to be used for. Where the organisation relies on consent, the individual will need to give that consent to the stated use, and the consent needs to be requested in clear and plain language and be "freely given, specific, informed and unambiguous". Data subjects also need to be told about their right to withdraw consent, and withdrawing it must be as easy as giving it.

To illustrate the GDPR implications for inbound marketing, we want to put you in the shoes of a consumer and take you through the buying process. So take your marketing hat off for a second and imagine you’re a car enthusiast looking to purchase a brand new car (lucky you).

You head over to the manufacturer’s website and arrange to book a test drive. You choose the model you’re interested in, enter your postcode to find your nearest dealership, and then you arrive at the all-important page where you enter your personal details.

At this stage, the clever folks at The Car Company recognise this as a prime marketing opportunity to keep your details on record so they can inform you about the latest vehicles, products and services that may be of interest to you in the future. They may also want your feedback for market research purposes, and they may want to share your personal data with other authorised dealerships or suppliers. Each of these uses will need to be communicated clearly to you. It won’t be sufficient for the company to pre-tick the box on a form to send information to you by email, as ‘opt-out consent’ will no longer be permitted under GDPR.

Data Minimisation

GDPR implications for marketing don't stop there. Further consent will also be required from you if they wish to use your data for new purposes not previously mentioned. And any data collected by the organisation which is unnecessary or excessive for the stated purpose will violate the GDPR's data minimisation principle.

For instance, once you’ve expressed interest in test driving a car by submitting your personal details, it is acceptable for The Car Company to collect your name, email address and telephone number, as that information is pertinent to how they liaise with you during the buying process. However, if they were to attempt to collect information about your family, occupation or marital status, this would be excessive: that data is not needed to arrange a test drive, even if it would be useful for market research purposes (demographics etc.).

Stage 2 - Data storage and processing

Purpose and usage limitation

Organisations can only use the data collected and stored by them for specified and legitimate purposes. Every way in which data will be collected, shared or used must be explained in layman's terms and, where consent is the basis for that use, consented to by the consumer. (Consent is the basis this article focuses on; where a business relies on another lawful basis, such as performance of a contract, the purpose still has to be stated up front.)

Let’s suppose that whilst purchasing your new car you see a brochure in the Car Dealership advertising the Ultimate Track Day Experience. You decide you want to sign up for this experience where you can really go “pedal to the metal” in your sporty new car. If the experience is being run by a third party company on behalf of The Car Company, The Car Company will have to ensure that you have consented to your data being passed to the company providing the driving experience. In addition, the driving experience company will not be able to use the data for any purpose other than the purposes you have consented to.


According to a report published by the Chartered Institute of Marketing, 57% of consumers don’t trust brands to use their data responsibly. The value of personal data makes it vulnerable to theft or misuse. The GDPR's implications for marketing aim to establish more trust between consumer and brand. The same is true for GDPR in B2B marketing.

For that reason, organisations need to ensure data is stored in a secure manner and in accordance with the security provisions of the GDPR (Article 32). This means they must use “appropriate technical and organisational measures” to protect personal data against unauthorised processing and against accidental loss, disclosure, access, destruction or alteration. Depending on the type of data collected and the ways it is being used, companies may need to consider encrypting the data, using pseudonymisation or anonymisation methods to protect it, or segregating the data from other data in their systems. Note that pseudonymised data is still personal data (the organisation can re-identify it), so it must still be protected; only properly anonymised data falls outside the regulation.
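As an added illustration of what pseudonymisation looks like in practice (this is example code written for this article, not RevM's or any vendor's), the Python below splits a constructed set of dealership contact records into an analytics copy that carries no direct identifiers and a separately held lookup table. The keyed token is an HMAC under a secret the controller keeps apart from the analytics data, so the analytics copy cannot be linked back to a person without that key, while a rectification or erasure request can still be resolved by whoever holds it. The records, field names and key handling are assumptions made for the example. It also shows why the common shortcut of "just hash the email" is not pseudonymisation: an unkeyed hash falls to a dictionary attack.

```python
"""
Added example (not from the original article): keyed pseudonymisation of
marketing contact records. All records, names and keys are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sample records, as a dealership CRM might hold them.
CONTACTS = [
    {"name": "Ada Example", "email": "ada@example.com", "phone": "+44 7700 900123",
     "model_of_interest": "Roadster", "postcode_area": "SW1"},
    {"name": "Bob Example", "email": "bob@example.net", "phone": "+44 7700 900456",
     "model_of_interest": "Estate", "postcode_area": "M1"},
]

# Fields that identify a person directly; everything else stays in the analytics copy.
DIRECT_IDENTIFIERS = ("name", "email", "phone")


def new_key() -> bytes:
    """Secret pseudonymisation key. Held by the controller, separately from the
    analytics dataset (in practice: a KMS or a secrets store, not the same DB)."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, email: str) -> str:
    """Keyed token for a subject. The same key gives the same token, so records
    about one person still join up; without the key the token cannot be reversed."""
    normalised = email.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(key: bytes, contacts):
    """Return (analytics_copy, lookup_table).

    analytics_copy: token plus non-identifying attributes only
    lookup_table:   token -> direct identifiers, stored alongside the key
    """
    analytics, lookup = [], {}
    for c in contacts:
        token = pseudonym(key, c["email"])
        analytics.append({"subject": token,
                          **{k: v for k, v in c.items() if k not in DIRECT_IDENTIFIERS}})
        lookup[token] = {k: c[k] for k in DIRECT_IDENTIFIERS}
    return analytics, lookup


def reidentify(key: bytes, lookup, email: str):
    """Resolve a subject request (rectification/erasure) back to the stored identity.
    Returns None if the key is wrong or the person is not on record."""
    return lookup.get(pseudonym(key, email))


# Caveat: an unkeyed hash of an email address is NOT useful pseudonymisation.
def unkeyed_hash(email: str) -> str:
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def dictionary_attack(hashed_tokens, candidate_emails):
    """Anyone holding a list of candidate addresses (a purchased mailing list,
    a breach dump) recovers every matching identity from unkeyed hashes."""
    table = {unkeyed_hash(e): e for e in candidate_emails}
    return {h: table[h] for h in hashed_tokens if h in table}
```

The same attack does not work against `pseudonym()` because the attacker would need the key as well as the candidate list; that is exactly why the key and the lookup table belong in a more tightly controlled store than the campaign data.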

To continue on your customer journey with The Car Company, once your details are in their hands, it is the responsibility of The Car Company to ensure they are kept safe and secure. Before collecting the data, The Car Company should have assessed the types of data they planned to collect and worked with their security team to ensure that the handling of it meets the standards of the GDPR.

These standards will vary depending on the kinds of data collected. For instance, security standards will be higher for special category data, biometric data or data about children. The same applies to how that data is used: only employees who need to access the data for the intended purpose should have access to it, and contracts with any vendors touching that data should contain the relevant security protections.


People will now be able to ask organisations at any time to correct or update their data if the information is no longer accurate.

Let’s assume you had a fantastic time on your Ultimate Track Day Experience. So much so that you signed up to their membership program to receive discounts on future driving experiences. Suppose several months later you move to a new email address but still want to be kept in the loop on the latest offers. You will have the right to contact the Ultimate Track Day Experience company and have them update your email address.


Playing by the rules is one thing, but showing that you are is another. Not only will your organisation need to keep records to prove compliance (for instance, records of consent for all of the data collected), they’ll also need to ensure they have policies in place governing the collection and use of that data. 

This can be done by appointing a data protection officer (DPO), which is mandatory for some organisations (public authorities and those whose core activities involve large-scale monitoring or large-scale processing of special category data) and good practice for others, and by implementing a ‘Privacy by Design/Default’ policy that ensures your company is systematically considering the potential impact that a project or initiative might have on the privacy of individuals. Controllers will also have to ensure their vendor contracts are updated so that they include the necessary provisions to protect the data being processed by those vendors on their behalf.

Imagine The Car Company wants to further promote the third party’s Ultimate Track Day Experience. They decide to run a marketing campaign targeting people like you who have purchased cars from them. Before running the campaign, The Car Company will need to ensure their systems have the capability not only to obtain participants’ consent to all uses of their data (including sharing it with the third party), but also to record that consent: who agreed, to what, when, and what they were shown at the time. They will also need policies about how they will use that data, and ensure the contract with the Driving Experience Company includes the provisions required in processor contracts under Article 28 of the GDPR.

Stage 3 - End of relationship


Organisations may only hold on to personal data for as long as is necessary to fulfil the intended purpose of collection. If, for whatever reason, the relationship is terminated, the organisation must ensure they have a data retention policy in place which outlines how long they will retain that individual’s data for and the business justification for holding on to the data for that specified period.

In drafting their retention policies, organisations will need to consider whether there is any law or regulation which obliges them to hold on to some of that data for specified periods (e.g. financial records kept for auditing purposes by law). While this is permitted, it should be outlined clearly in their retention policy and highlighted to the consumer. Transparency is key before, during and after the relationship. The GDPR's implications for marketing mean there's no room for complacency, even after the relationship is terminated.

After all of those driving experiences, you've aced the track on so many occasions that you decide it’s time to call it a day and not renew your annual membership. The Ultimate Track Day Experience company will need to ensure they comply with their own data retention policy if they want to hold on to any of your data after your account is closed.


GDPR implications for inbound marketing mean you'll help the customer even better than before. After all, that's what inbound marketing is all about. If the individual requests at any time that their data should be deleted, the data controller has to comply with that request (unless a legal retention obligation of the kind described above applies to some of the data) and confirm the deletion, not only from their own systems but from the systems of any downstream vendors who were processing that data on behalf of the organisation.

A new lick of paint to your car and a bit of TLC under the bonnet has got the fire in your belly to get back out onto the track. So you find a competitor of The Ultimate Track Day Experience to put your skills to use on a new track. You send an email to the existing company requesting the deletion of your email subscription, and they follow up quickly with confirmation of the deletion. The Ultimate Track Day Experience company should ensure that your data is also removed from its vendors’ databases.


Unquestionably, the bar has been raised for marketers, who will now have to comply with more stringent regulations when reaching out to and retaining consumers. Tighter control will bring challenges for businesses across Europe and beyond, as well as severe consequences for those at risk of non-compliance. Those still asking what GDPR means for marketing come May 25th 2018 might want to start finding the answers to those questions quickly.

However, GDPR implications for marketing are not designed to stop businesses from communicating with their customers. GDPR will lead to an increase in data quality, which is why the best and most resourceful marketers are seeing the bigger picture with GDPR and marketing. A chance to delve deeper into the needs of their prospects and customers, rather than using the traditional “one-size-fits-all” approach to marketing.

Putting the consumer first is the epitome of inbound marketing, where trust and consent on the part of the consumer are essential. Marketing can no longer be viewed as a spider's web, trapping consumers in a vortex of interruptive content. Rather, marketing has to be a process of pollination, there at the right time when the bee awakens from hibernation and is ready to digest all the content you have to offer. Protecting people, empowering the customer and making marketers work harder to target more creatively should be embraced.

The costs of becoming compliant and the risks of being fined for non-compliance should not be shunned in the wake of a more transparent, efficient and safer data economy.

By showing your buyers that you understand their problems and how to solve them, you build credibility. GDPR supports this motive by recognising that people want their data protected in more secure and transparent ways. If you continue helping your customers through inbound marketing approaches they are more likely to view your brand in a positive light, and you will ultimately attract them into your buying funnel of Attract, Convert, Close, and Delight. It’s that simple.

So next time you think inbound marketing, think GDPR inbound marketing.



Written by Carl Davies

Carl is Founder of RevM