Do you feel like GDPR compliance is stifling your creativity as a marketer? It doesn’t have to if you understand the regulations and know how to work with them. As marketers, we must be aware of how the General Data Protection Regulation (GDPR) affects our marketing activities and what we need to do to stay on the right side of the law whilst balancing our creativity and client briefs.
This blog does not constitute legal advice but you’ll still find helpful information to explain the fundamentals that reinforce what you might already know or help you move towards a deeper understanding of the topic.
Looking for digital marketing services from an agency that’s clued up on the latest in data protection compliance? Contact our team today.
There is a lot of ground to cover here, and you may be looking for the answer to just one question such as:
- What is GDPR?
- Is GDPR the same as the Data Protection Act in the UK?
- Does GDPR still apply after Brexit?
- How does GDPR work?
- What are the penalties for not abiding by the regulations?
- Do businesses actually receive penalties for GDPR breaches?
- How GDPR benefits consumers
- What are consumers’ rights within GDPR?
- How is GDPR great for marketers?
- GDPR means we have better-quality data
- GDPR means potential customers are more likely to want to hear from us
- GDPR compliance builds trust between businesses and their customers
- What you need to include in your website’s privacy policy
- Helpful resources from the Information Commissioner's Office (ICO)
- What to do if you experience a data breach
- Storing data on your website or CRM
- What if I do business through email?
- Cookies and GDPR
- GDPR and Google Analytics
- Do not track on Apple devices
- Do not track on Chrome
- GDPR and remarketing ads
- GDPR and Facebook
- GDPR and TikTok
- GDPR and email marketing
- What to do if you’re not sure about GDPR
What is GDPR?
GDPR came into force on 25th May 2018 and has been an important topic of discussion for businesses and marketers since the EU announced the new regulation in April 2016.
You’ll have heard a lot about it if you were working in marketing before May 2018 and you may have different thoughts and perspectives if you have started working in marketing after this date so you may find a little recap or brief introduction helpful.
GDPR stands for General Data Protection Regulation and is an EU regulation that affects the way businesses can collect, store and manage personal data.
The announcement of the new regulations sparked long discussions in the business, legal and marketing communities because failing to comply would mean huge financial and reputational consequences.
There were countless webinars on the topic, training sessions and LinkedIn posts but as May 2018 came and went, we’ve settled into a new world where data is legally required to be treated with the care, attention and respect it deserves.
It doesn’t matter if you’re running simple email marketing campaigns, postal campaigns or SMS campaigns, everyone has to follow the same rules as someone else who is running a more complex social media ads campaign using Metasearch, Google Ads or Microsoft Ads to reach people on their Xbox.
We are reminded that we are talking to real people who aren’t just anonymous figures in our measurement tools, they have real problems to solve and they need to consciously opt-in and consent to sharing their data.
Is GDPR the same as the Data Protection Act in the UK?
It can be confusing: UK-GDPR and EU-GDPR are very similar, but no, they are not the same. A very brief reminder of how we got here: before GDPR in the UK, we had the Data Protection Act 1998, but the Act couldn’t keep up with the speed of the changing digital landscape in the early part of the new century. The world was becoming increasingly connected, which led to the EU seeking to protect its citizens’ personal data by introducing EU-GDPR in the mid-2010s.
EU-GDPR was more comprehensive than the UK’s 1998 Data Protection Act and had the benefit of being applied consistently across all member countries and countries that carry EU data, meaning that the UK could introduce mirror legislation with some variations. One difference is that in the UK children aged 13 and over are allowed to consent to their data being processed, whereas in Germany, Hungary and Poland the age at which a child can consent to data processing is 16.
Simply put, the Data Protection Act 2018 is the UK’s implementation of the EU’s General Data Protection Regulation (GDPR).
Does GDPR still apply after Brexit?
If your business is processing EU data then you are required to comply with the EU’s GDPR but as we have just learned, the UK incorporated the same protections for its own citizens so for most marketers, the laws and their applications are, for the most part, the same.
For the purpose of this blog, we will continue to refer to the Data Protection Act 2018 as the better-known GDPR.
How does GDPR work?
Businesses are required to take data protection seriously which means that data must:
- Be processed lawfully, fairly and transparently
- Be collected for specified, explicit and legitimate purposes
- Be adequate, relevant and limited to what is necessary
- Be accurate and up-to-date
- Permit the identification of data subjects for no longer than necessary
- Be processed with appropriate security measures
To make it easier to digest, there are three main areas of consideration for marketers when it comes to GDPR:
- Operational – relating to security and how data is shared for legitimate business purposes
- Strategic – relating to the decisions regarding how data is used, controlled or processed
- Communications – you need to tell people how you are using, holding and processing their data and respond when requests for information are made.
Marketers are always making decisions about who they are marketing to so it is important to understand some key terminology in GDPR legislation.
Personal data is information that relates to any living identified or identifiable individual. Of course, it’s more complex than this but in its most simple form, this could be a name, an IP address or an identification number.
The data controller determines why and how personal data will be processed. Your business is likely to be both a data controller and a data processor.
Data processing refers to almost any handling of personal data. A data processor carries out the processing.
Any business that holds data will need to document what personal data it holds, where it came from and who it is/has been shared with. The main way to do this is through your business’ privacy policy. In this, you must state everything you’re doing and how you’re using this data.
This means you need to let subjects (people!) know:
- The lawful bases upon which the data is being processed
- Your data retention periods
- The person’s right to complain to the ICO if they feel their information is misused
Keep reading to learn how this benefits both consumers and marketers.
What are the penalties for not abiding by the regulations?
If your business processes EU data and fails to comply with GDPR, it could be fined up to €20 million or 4% of its global annual revenue, whichever is greater. In the UK, the maximum fine is £17.5m.
Compliance with GDPR is enforced by each country’s own Data Protection Authority. This is the Information Commissioner’s Office (ICO) in the UK.
- In Germany, the German Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für Datenschutz und Informationsfreiheit – “BfDI”) enforces the regulations.
- The Agencia Española de Protección de Datos (abbreviated “AEPD”) is the national Data Protection Authority for Spain.
- The Dutch DPA (Autoriteit Persoonsgegevens) is the independent regulator in the Netherlands.
Do businesses actually receive penalties for GDPR breaches?
Yes, businesses, governments and organisations have all received penalties for GDPR breaches. Look through the ICO website’s ‘Enforcement’ section and you’ll see that often, data breaches are a result of a genuine mistake, where someone hasn’t had data compliance in mind when they were organising their data or using it.
By educating your team, you can help to improve data protection in your business across all areas; it’s not just Marketing and Legal who need to pay attention.
How GDPR benefits consumers
GDPR benefits consumers by providing businesses with clear guidelines for data protection. This helps protect consumers from fraud and cybercrime, which is something we can all support and celebrate. GDPR puts people first and gives people a set of rights that aren’t centred on how technology works: it’s ‘technology neutral’, meaning personal data should be protected no matter what technology is used.
What are consumers’ rights within GDPR?
- The right to access: People have the right to request what data is held about them and how it is used.
- The right to be informed: Consumers should explicitly consent to be contacted – organisations need to explain in plain English so that people understand what they are agreeing to.
- The right to be forgotten: Anyone can ask for personal data to be removed or deleted in certain circumstances.
- The right to object: The UK GDPR allows people to object to their personal data being processed in certain circumstances. Consumers being able to stop their data being used for direct marketing is covered under this right.
- The right to change data (rectification): As consumers we can demand that organisations change or update inaccurate details.
- The right to move your data (portability): Consumers have the right to receive the data held about them in a structured, commonly used and machine-readable format. They can also request that the data controller at an organisation transmits this data securely to another controller, e.g. asking one organisation to send data to another organisation for a legitimate purpose.
- Consumers have rights relating to automated decision making: GDPR restricts organisations from making solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals and there is guidance for organisations in place to protect consumers.
How is GDPR great for marketers?
It’s been a long road to truly entrenching GDPR into business operations and marketing strategies. Instead of thinking about GDPR as only beneficial to customers or as an inconvenience, GDPR brings benefits to marketers too.
GDPR means we have better-quality data
Ever heard the phrase ‘throw some jelly at the wall and see what sticks’? That was the old world before GDPR. We might have fewer emails in our database or a smaller number of people to reach but thanks to all of the work that’s been done to move towards first-party data, we’re now working with cleaner data and are likely to be marketing to people who are in the market to buy soon.
GDPR means potential customers are more likely to want to hear from us
As marketers, we need to push the boundaries with our campaigns and get creative with the messaging and how we get in front of the right audience. Whilst GDPR can be seen as restrictive, it really provides marketers with a valuable framework for ethical and responsible practices. Setting a high standard for data privacy and consent, campaigns can become far more meaningful and effective because we’re talking to people who are more likely to want to hear from us.
GDPR compliance builds trust between businesses and their customers
As consumers, we’ve been giving our data away for years with many of us being unaware of its significance or value but there has been a change. With cybercrimes, fraud and well-publicised data breaches having implications for the average person, it is understandable that 64% of consumers say that their trust is enhanced in companies that provide clear information about their privacy policies.
The control that GDPR has put back into the hands of everyday users will only continue to help keep businesses working within their integrity and consumers empowered to exercise their rights to safeguard their personal data.
What you need to include in your website’s privacy policy
Cookie and privacy policies are sometimes intertwined, though the real requirement under the GDPR legislation is your privacy policy. Your privacy policy is one of the most important public-facing documents you will need to achieve GDPR compliance, as this is the most accessible document that details to your customers and users what data you store, how long you keep it for and for what purpose. It should also include information about how they may make a data access request.
Helpful resources from the Information Commissioner’s Office (ICO)
Privacy policies may take a number of forms and be based on a number of templates, but the ICO has helpfully created a number of resources to help sole traders, small businesses, nonprofits and other organisations stay operational and compliant.
- Privacy policy generator for small businesses
- A resource bank with definitions, checklists and examples that are perfect for smaller entities who need support
- GDPR advice for the public about their rights
- Information about action the ICO has taken against organisations that have breached GDPR.
As with most legal documents, a privacy policy becomes more complex as your organisation grows, so it is wise to seek legal advice as your business expands.
What to do if you experience a data breach
As part of your internal processes, you should have prepared on file two things which will ease the pressure on the communications side of things:
- A draft ICO data breach report containing your risk assessment
- A draft data subject breach notification
As soon as you become aware of a data breach and it meets the threshold for reporting, the timer starts and you have 72 hours (without undue delay) to report the incident to the ICO.
You will then need to find out what has happened, contain the breach and minimise the impact on customers and the people whose data you hold.
Storing data on your website or CRM
If personal data is to be stored, then you need to consider what the average customer might expect you to do with it.
As part of the GDPR regulations, you can’t store this information indefinitely so you need to decide upon an expiry date. If it is to be stored, then this should also be clearly explained in your privacy policy, along with instructions on how a person (a data subject) may perform a data access request and/or request its permanent deletion.
If at present you are not storing information in a secure CRM (customer relationship management) system, then this should be a priority to address going forward. Even if GDPR weren’t a consideration, a CRM system has many benefits and is affordable for even the smallest of businesses, such as:
- Centralised lead storage,
- Controlled lead access,
- Availability and simplicity of website integrations,
- Ease of appending marketing source/medium information,
- Overall improved data quality, and
- Easier GDPR compliance, including straightforward servicing of subject access requests.
What if I do business through email?
If you receive website leads via email only, it’s best practice to permanently delete these once you have dealt with them or moved them to a more secure service, like a CRM system. If you cannot change this process, detail it in your privacy policy under a legitimate interest, or gain consent at the point of data creation – and keep a record of this consent date. It may still be worth considering an entry-level CRM system for the other benefits mentioned above.
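The retention expiry, consent-date record and subject requests described above (and the access, portability and erasure rights listed earlier) can all be serviced from one small data model. The following is an added example written for this post, not code from the original article or from any CRM product; the field names, the two purposes and their retention periods are assumptions you would replace with the ones stated in your own privacy policy.

```javascript
// Added example: a minimal lead store that records the lawful basis and the
// consent date for each lead, purges records whose retention period has run
// out, and answers access/portability and erasure requests.
// Purposes, retention periods and field names are assumptions for illustration.
const DAY_MS = 24 * 60 * 60 * 1000;

// Retention period per purpose, as you would publish it in the privacy policy.
const RETENTION_DAYS = {
  'website-enquiry': 90,  // enquiry handled, then deleted
  'newsletter': 730,      // re-confirmed or deleted after two years
};

class LeadStore {
  constructor() {
    this.leads = [];
    this.audit = []; // what happened and when, without copying personal data
  }

  // Record a lead together with how and when consent was obtained.
  // `now` is injectable so purge behaviour can be checked deterministically.
  record({ email, name, purpose, lawfulBasis, consentedAt, source }, now = Date.now()) {
    if (!RETENTION_DAYS[purpose]) throw new Error(`no retention period defined for purpose "${purpose}"`);
    if (lawfulBasis === 'consent' && !consentedAt) throw new Error('consent date is required when relying on consent');
    this.leads.push({
      email: email.trim().toLowerCase(),
      name,
      purpose,
      lawfulBasis,                                        // 'consent' or 'legitimate-interest'
      consentedAt: consentedAt ? new Date(consentedAt).getTime() : null,
      collectedAt: now,
      source,                                             // e.g. 'contact-form', 'footer-signup'
    });
    this.audit.push({ at: now, event: 'record', purpose });
  }

  // Delete every lead whose retention period for its purpose has expired.
  purgeExpired(now = Date.now()) {
    const before = this.leads.length;
    this.leads = this.leads.filter(
      (l) => now - l.collectedAt <= RETENTION_DAYS[l.purpose] * DAY_MS,
    );
    const removed = before - this.leads.length;
    if (removed) this.audit.push({ at: now, event: 'purge', removed });
    return removed;
  }

  // Subject access / portability: everything held about one person, in a
  // structured, machine-readable form (plain JSON with ISO dates).
  exportSubject(email, now = Date.now()) {
    const key = email.trim().toLowerCase();
    const records = this.leads
      .filter((l) => l.email === key)
      .map((l) => ({
        name: l.name,
        purpose: l.purpose,
        lawfulBasis: l.lawfulBasis,
        consentedAt: l.consentedAt ? new Date(l.consentedAt).toISOString() : null,
        collectedAt: new Date(l.collectedAt).toISOString(),
        retentionDays: RETENTION_DAYS[l.purpose],
        source: l.source,
      }));
    return { email: key, exportedAt: new Date(now).toISOString(), records };
  }

  // Right to erasure: remove every record for the person; log only a count.
  eraseSubject(email, now = Date.now()) {
    const key = email.trim().toLowerCase();
    const before = this.leads.length;
    this.leads = this.leads.filter((l) => l.email !== key);
    const removed = before - this.leads.length;
    this.audit.push({ at: now, event: 'erase', removed });
    return removed;
  }
}

module.exports = { LeadStore, RETENTION_DAYS, DAY_MS };
```

The `now` parameters are there so the purge can be run from a scheduled job and also unit-tested against fixed dates; the audit trail deliberately records counts and purposes rather than email addresses, so erasing someone does not leave a copy of their data in the log.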
Cookies and GDPR
Since the launch of the GDPR, technology has surged further ahead and as marketers we’ve had to contemplate the idea of working without third-party cookies. Back in 2020, Google announced that they would phase third-party cookies out within two years and replace them with the Privacy Sandbox. Their deadline came and went and Google suggested that this would roll out by the end of 2024. In July 2024, Google announced that the Privacy Sandbox would be optional and third-party cookies would not be phased out by the end of 2024.
What does all of this mean when we look at some of the most important platforms we use?
GDPR and Google Analytics
As we mentioned previously, you might think ‘personal data’ only covers anything directly identifying, such as a name or email address. Unfortunately, this is incorrect.
Cookies and tracking codes fall into the scope of GDPR. The vast majority of websites use some form of cookies.
Necessary cookies are essential for a good user experience and make it possible to display content in the way the user needs, such as showing the correct currency based on their location. Another example of strictly necessary cookies is holding items in your basket as you shop on an e-commerce website. As far as GDPR is concerned, these cookies don’t require permission or consent from users, but they should still be explained in your privacy policy.
There are other cookies that are used for marketing purposes. For example, Google Analytics uses cookies to track user information that informs marketing strategies, such as demographics, device information, and information on which pages are being visited and where conversions are being made. Google Ads uses cookies to track the effects of campaigns. Google’s data can be used to create adverts such as those known as ‘remarketing’ which ‘follow’ you around the web.
Users can change their settings to not allow this tracking, by turning on ‘do not track’ on various devices and there are countless guides across the web on how to do this.
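The distinction drawn above, strictly necessary cookies that run without consent versus analytics and marketing tags that need an opt-in, is something a website can enforce rather than just describe. The following is an added example written for this post, not code from the original article, Google or any consent-management product; the tag names, the first-party consent cookie format and the 180-day re-consent window are assumptions.

```javascript
// Added example: decide which cookie-setting tags may run on a page, given
// the visitor's stored consent and any Do Not Track signal.
// Tag names, the consent cookie format and the re-consent window are assumptions.
const TAGS = [
  { name: 'session-cart', category: 'necessary' },          // basket/currency: no consent needed
  { name: 'google-analytics', category: 'analytics' },
  { name: 'google-ads-remarketing', category: 'marketing' },
  { name: 'tiktok-pixel', category: 'marketing' },
];

// Re-ask for consent after this long; stale consent is treated as none.
const CONSENT_MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000;

// Parse our own first-party consent cookie. Constructed format:
//   consent=v1.analytics:1.marketing:0.ts:<unix ms when the choice was made>
// Returns null when there is no usable record, i.e. the visitor never chose.
function parseConsentCookie(cookieHeader) {
  const match = /(?:^|;\s*)consent=([^;]*)/.exec(cookieHeader || '');
  if (!match) return null;
  const parts = match[1].split('.');
  if (parts[0] !== 'v1') return null; // unknown version: do not guess
  const record = { analytics: false, marketing: false, ts: 0 };
  for (const part of parts.slice(1)) {
    const [key, value] = part.split(':');
    if (key === 'analytics' || key === 'marketing') record[key] = value === '1';
    else if (key === 'ts') record.ts = Number(value);
  }
  return Number.isFinite(record.ts) ? record : null;
}

// Rules applied, in order:
//  - strictly necessary tags always run (still described in the privacy policy)
//  - anything else needs an explicit, recent opt-in; no record means "no"
//  - a Do Not Track / Global Privacy Control signal refuses marketing tags
//    even if an older opt-in exists
function allowedTags(consent, { dnt = false, now = Date.now() } = {}) {
  const fresh = !!consent && now - consent.ts >= 0 && now - consent.ts <= CONSENT_MAX_AGE_MS;
  return TAGS.filter((tag) => {
    if (tag.category === 'necessary') return true;
    if (!fresh) return false;
    if (tag.category === 'marketing' && dnt) return false;
    return consent[tag.category] === true;
  }).map((tag) => tag.name);
}

// Convenience for a page: read the cookie header and DNT flag, return tag names.
function tagsForRequest(cookieHeader, dntHeader, now = Date.now()) {
  return allowedTags(parseConsentCookie(cookieHeader), { dnt: dntHeader === '1', now });
}

module.exports = { TAGS, CONSENT_MAX_AGE_MS, parseConsentCookie, allowedTags, tagsForRequest };
```

In a real page the returned names would drive which `<script>` tags are injected; the point of keeping the decision in one pure function is that it can be tested, and that the default when nothing is known about the visitor is to load only the necessary tags.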
Do not track on Apple devices
Apple users have been able to switch off tracking since iOS 14.5 was released in April 2021. After a month, it was revealed only 5% of US users had agreed to third-party website & app tracking.
Do not track on Chrome
This feature has been present in Chrome since 2011 but it has been previously described as more of a signal than a directive.
As a marketer, you aren’t responsible for the way Google manages its data but you do need to clearly explain what you are doing.
Example in the wild: PayPal’s cookie policy page doesn’t contain any jargon and keeps it simple. Note how they’ve explicitly stated all the ways they intend to use cookies and tracking, and the natural (not legal jargon) language they use – this is all essential within the new regulations.
GDPR and remarketing ads
Remarketing ads are those ads that follow you around the web and encourage you to convert. They work really well, and many of our clients use them very successfully. Whilst some people don’t love them, others find them a helpful reminder of where they originally saw ‘that thing’ before they got distracted by something else.
You’ll need to let your users know you may use their cookie data for this purpose, within your privacy policy.
GDPR and Facebook
Meta (Facebook) has made it clear that it acts as a data processor and that businesses are responsible for ensuring that the data they share with Facebook complies with GDPR.
For example, if you’re using email addresses for the purposes of creating Facebook lookalike audiences, or to target people whose details you have, under GDPR you need to tell users about this too – asking them to opt in, and giving them the option to opt out.
If you do upload an email address to Facebook to create new audiences, and you’ve got the consent of your users to do this, the onus is then on Facebook to protect that information once they have it.
GDPR and TikTok
TikTok has faced fines and criticism for multiple GDPR breaches, mostly around not protecting underage users. Similar to the other social networks, TikTok requires a tracking pixel to be added to websites that want to target users with ads. Again, just like the other social networks, businesses that use TikTok Pixel need to make sure they’re following GDPR regulations and give people the option and the opportunity to easily opt out.
GDPR and email marketing
If you have an email subscribe box on your website, you should make the user aware of the way their information will be used if they do sign up. It’s particularly helpful to give them descriptions of the types of content that you send and give them the chance to decide what they want to receive. For example, if I like crafting and I sign up for emails, I might decide I only want to hear about offers for wool and yarn but I’m not interested in embroidery or papercrafts.
Small steps like these help to build a relationship with users, they are people and they are your customers who want to have an easy buying experience and to find the products that they need.
What to do if you’re not sure about GDPR
If you’re not sure about how your activities relate to GDPR and whether or not you’re compliant, it’s more important than ever that you do find out.
While we’re more than happy to talk to you about your digital marketing, it’s better if you can find a legal partner to advise more specifically on how you should comply with GDPR.