GDPR: Everything you need to know about the General Data Protection Regulation


Unless you’ve been living under a rock, it has been hard to miss the ever-increasing media frenzy surrounding the General Data Protection Regulation (GDPR), set to take effect on 25 May 2018.

In 2018, the European Union is getting serious about companies collecting consumer data. On May 25, 2018, the General Data Protection Regulation (GDPR) is going into effect.

Will your company be prepared?

Basically, the GDPR gives EU citizens more control over their personal data. Every time a company wants to collect information from a consumer, they’ll now need explicit consent from the individual.

That data could be anything from their location to their name, to their email address. On top of that, the company will need to tell the person what data they plan to collect and how they’ll use it.

I know what you’re thinking---if my business isn’t in the EU, no problem, right? Well, the GDPR is applicable to any company that collects data on any EU citizen. And U.S.-based companies are actually more prepared for the GDPR than European ones; less than 75% of European companies will be GDPR compliant by May, compared to 84% of American companies.

What happens if your business doesn’t comply? It’s not pretty: you’ll be faced with an EU fine of up to 4% of global annual turnover or 23 million USD---whichever is greater.

So here’s what you need to know…

The Basics

The first step is to make yourself aware of the key facts surrounding GDPR.

Between now and the enforcement date it is crucial for companies – and their marketing teams/agencies – to change the way ‘personal data’ is obtained, stored and secured, to ensure compliance.

For some, this may only mean a couple of minor tweaks to existing processes. For others, a complete overhaul of data-handling may be required. But whether the necessary actions are major or minor, this isn’t a legislative movement that is going to go away.

What’s more, penalties for non-compliance are very significant, with fines of up to €20m or 4% of global annual turnover for the preceding fiscal year – whichever is the greater!

In Further Detail

Clear consent:

Clear consent must be given for data processing, and the way the data will be used must be stated in a way that is easy for the citizen to understand.

Multi-level user permissions:

Given that the whole purpose of GDPR is to better protect individuals’ information, it goes without saying that access to this data should be regulated too. From a marketing perspective this should mean creating multi-level user permissions – not only per comms channel, but also according to the topic and subject matter handled within each channel.

This sounds like an administrative nightmare (we can almost hear the groans), but the use of technology, such as marketing automation platforms, can make the task much simpler to set up and regulate!

Strive for a seamless data sync:

Marketers will have to work tirelessly to ensure customer and prospect data remains safe and secure.

One of the key ways to do this is to maintain one central source of robust data storage, via a reputable CRM for example. Then, instead of exporting data out of the CRM and importing a spreadsheet back into a third-party email marketing platform, the two technologies should be seamlessly integrated to ensure a smooth data sync.

Not only will this ensure security – it also removes the headache surrounding the maintenance of data accuracy.

The right to be forgotten:

Citizens have a right to be forgotten. That is, they can request that all copies of their data be deleted. They also have a right to easily transfer their data from one organisation to another.


The first step in adapting to a global regulatory change, beyond understanding what the change entails, is preparing as far in advance as possible. With just about five months until implementation, the time to start prepping is upon us. While each individual organisation will ultimately need to develop its own unique strategy, there are certain constants that are recommended for all enterprises in order to remain GDPR compliant.

Those constants include four key steps, as follows:

Discovery: Identifying what personal data the organization is in possession of and where it resides.

Management: The governance of how personal data is accessed and used.

Protection: Establishing security controls to prevent, detect and respond to infrastructure vulnerabilities and data breaches.

Reporting: Acting on data requests, reporting data breaches and maintaining required documentation.