“Be careful what you do, because the rules have changed…” – Martyn Hope, GDPR Institut

The General Data Protection Regulation (GDPR) is the European Union’s brand-new digital privacy regulation (law) being introduced on May 25, 2018.

This far-reaching set of rules is designed to give EU citizens more control over their personal data and how that data is used and protected.

The CMO Club recently sat down with two experts on the upcoming EU data regulations (Ian West and Martyn Hope of the Switzerland-based GDPR Institut), as well as Julie Cary, CMO of La Quinta, to discuss what the new rules will mean for you and your marketing team.

According to Ian, an expert on the upcoming regulations, “GDPR is the biggest change to management that has ever hit any organization.”

Simply put, the legislation states that:

  • Companies doing business with citizens of any member state of the EU will now be required to build strict privacy settings into their digital products and websites – and have them switched on by default.
  • Companies will be required to regularly conduct privacy impact assessments, strengthen the way they seek permission to use the data, document the way they use personal data, and improve the way they communicate all data breaches. This includes any data purchased from third parties.
  • Consent to data now expires and citizens can expect companies to remove their data at any time when requested. Once removed, a citizen marketed to again by that company has the right to sue and will be backed by the regulators in those cases.

And, because this is a regulation, or law, and not a directive, it is legally binding – meaning it cannot be opted out of or ignored. Enforcement will be centralized and fines can reach up to 4% of global turnover for each offense. Repeated infractions can lead to the withdrawal of your license to trade, assets being frozen, and even possible jail time for directors.

How does GDPR impact marketing?

“The new normal is that companies that have my data, have it in agreement with me. That total control of data is now with me, the citizen. I say whether you can market to me or not, and, if you ignore it, you incur the wrath of the penalties. It doesn’t matter where you’re based in the world. Massive implications for marketers.” – Ian West, GDPR Institut

There are three key areas that marketers need to be concerned with: data permission, data access, and data focus.

1. Data permission
Data permission is about how you manage email opt-ins – people who request to receive promotional material from you.

You can’t assume that people want to be contacted. In the future, they need to express consent in a “freely given, specific, informed, and unambiguous” way, which is reinforced by a “clear, affirmative action.”

Wait, what does that mean?

In practice, this means that leads, customers, partners, etc. need to physically confirm that they want to be contacted. You need to make sure you’ve actively sought (and not assumed) permission from your prospects and customers, confirming they want to be contacted.

Therefore, a pre-ticked box that automatically opts them “in” won’t cut it anymore – opt-ins need to be a deliberate choice.

2. Data access
The “right to be forgotten” has become one of the most talked-about rulings in EU Justice Court history. It gives consumers the right to have outdated or inaccurate personal data removed.

If requested by a customer, your business will need to remove all data you hold on that specific individual, across the whole organization.

If you keep data in different places for different purposes, then this can cause issues. As a marketer, it will be your responsibility to make sure that your users can easily access their data and remove consent for its use.

According to Ian, “Consent now expires, and the consumer will now have the right to agree or disagree with each specific and explicit use of their data each and every time.”

3. Data focus
As marketers, we can all be guilty of collecting a little more data from a person than we actually need. Ask yourself, do I really need to know someone’s favorite movie before they can subscribe to our newsletter? 

Probably not.

With this in mind, GDPR requires you to legally justify the processing of the personal data you collect. What this means is that you need to focus on the data you need, and stop asking for the “nice-to-haves.” Avoid collecting any unnecessary data and stick with the basics.

Julie Cary, CMO of La Quinta, had this to say about the upcoming impact: “It’s putting up a greater bar of responsibility for marketers.”

Who is most affected by GDPR in marketing?

If you have customers, then everyone inside your company will be affected by GDPR.

But, in the marketing department, there are four roles that will see the biggest change in their everyday work:

1. Email marketing managers
For B2B marketers, email addresses are the lifeblood of lead generation.

Often considered the start of the sales process, a user that willingly gives you his email address in exchange for more information, such as signing up to your mailing list or downloading a piece of content, is known as an “opt-in.”

This is in stark contrast to firms that buy email lists or scrape (or copy) them from a website.

Under the new GDPR regulation, buying lists (or scraping them) will be strictly forbidden.

2. Marketing automation specialists
If your marketing automation system sends out emails on behalf of your CRM system, then you could be facing eye-watering penalties from regulators if an email is sent automatically to someone who has opted out.

You need to make sure that every name in your CRM database and every email in your automation system has given you permission to market to them.

And, if someone opts out of an automated email sequence, you must make sure both systems are updated so that no further emails are sent.

3. Public relations execs
Pitching new product releases or company information to journalists is no different than marketing to an employee of a business. Journalists will have to give consent to be contacted by you instead of the traditional email outreach program.

This has always been the case, but now it will be required by all companies and subject to fines.

4. Data brokers
The problem marketers have is that they’re going to buy data on behalf of their brand, and use it in their marketing.

“As an ex-CMO, the fundamental issue is the acquisition of data. It’s not just what you do with it, but where you get it, and what level of consent you get. There is a big question mark about data brokers. Brokers harvest data and give a generic response of what it will be used for. If they were explicit and told consumers that they were going to sell it to as many companies as possible, then market to you as many different and diverse products as possible, consumers would never agree.” – Martyn Hope, GDPR Institut

The GDPR is now informing citizens of their new rights. They will police organizations using EU consumer complaints. It comes down to the level of consent. Where is your data? Where did you get it? On what basis did you get it? How long are you holding it? The level of consent will probably be measured in weeks and months.

According to Ian, “If a citizen requests their name be removed from a company’s data and a marketer in that company now buys a contact list of names from an outside broker and again markets to that customer, that is a direct breach of regulation. That consumer now has the right to take out a private prosecution, supported by the regulators, against your organization. And you will lose. In that situation, there will be no sharing of fines. Each user or supplier of that data will receive that 4% fine, and both can lose their license as a consequence.”

“CMOs will be much choosier who their partners are going forward,” he adds. “They will soon realize they are jointly and federally liable.”


GDPR is the most far-reaching change to data protection in a generation, a dramatic shift in the way the EU wants personal data to be managed. The EU’s approach to online privacy puts individuals first, believing they should be protected and empowered.

The new approach is the EU’s way of keeping companies, big and small, more accountable for their actions. EU regulators believe that companies have been exploiting personal data for their own gain and aren’t being transparent about how they are using it. The aim of the GDPR is to put the power back into the hands of the consumer.

“Think about the mess that Facebook finds itself in with Cambridge Analytica,” says Ian. “This is catastrophically damaging to a marketing brand, the mistrust that has been generated. Think about Y2K and multiply that by several thousand. This is the magnitude of GDPR. It is a very, very big deal and it’s here.”

“We are still trying to understand it,” says Julie. “I think it has the potential to be a big deal, especially with what’s happening with Facebook. To me, this is the beginning of much more to come. We need, as marketers, to have a firm understanding of these new regulations going forward.”

Tips for marketers

“My number one advice is to start right now.” – Ian West, GDPR Institut

Here are a few ways to get started:

  • Consult an expert firm or lawyer with GDPR experience
  • Understand where your exposures are
  • Start auditing your mailing list now
  • Review the way you’re currently collecting personal data
  • Invest in a content marketing strategy
  • Educate your sales team
  • Start centralizing your personal data collection
  • Understand the data you’re collecting in more detail
  • Update your privacy statement

“I think everybody is waiting and seeing how this is going to unfold, which can be smart, but, you have to start somewhere.” – Julie Cary, CMO, La Quinta

3 simple rules

The GDPR will be a challenge for businesses across Europe and beyond. It is a big change to the way companies operating in EU countries will handle personal data, complete with significant fines if you fail to comply. That’s why it’s important for you to seek advice from a lawyer as to what is or is not a legal requirement for your business.

Remember, GDPR isn’t designed to stop businesses from communicating with their customers. GDPR will lead to an increase in data quality, which is why the best and most resourceful marketers are seeing the bigger picture in that it’s an opportunity to delve deeper into the needs of their prospects and customers, rather than using the traditional “one-size-fits-all” approach to marketing.

That being said, the rules for GDPR compliance are quite simple.

  1. Don’t contact someone unless they specifically ask to be contacted.
  2. Don’t assume they want to hear from you.
  3. Don’t cold contact them, and don’t send them irrelevant information that they didn’t request.

If you can do all that, then you’re taking a huge step towards being GDPR compliant.


“GDPR is a golden opportunity for marketers. It’s all a matter of trust. The really smart companies are waking up to the fact that the GDPR is a massive opportunity to define their markets and how they treat their customers. Organizations that do that moving forward will see their reputations enhanced, their revenues increased, and the customers they have will trust them and empower them to do more.” – Ian West, GDPR Institut

At this stage, you’re probably thinking that the way you do business will never be the same again.

But, there’s no real need to worry.

Sure, GDPR does sound intimidating and the fines are enough to make you rethink your entire marketing strategy, but, in reality, this new legislation isn’t a setback. In fact, it’s a great opportunity for you to do what marketers do best – that is, create targeted marketing campaigns for people who are engaged with your brand.

Here’s why:

1. Gaining consent
With GDPR, you need explicit consent to use an individual’s data. Your customers can also ask you exactly what information you have on them, who it is shared with and the purpose it has been used for.

The opportunity here lies in the fact that instead of a simple yes or no option, you can now provide them with a range of options so that they can find out what they’re interested in. Through consent, you can gain insight into each individual’s interests to provide them with information that they want to receive.

This not only helps to be compliant with GDPR, but it also helps you further focus your communication based on specific interests, rather than sending a “one-size-fits-all” email campaign.

2. Right to be forgotten
Under GDPR, every individual has what’s called the “right to be forgotten.”

If requested by a customer, your business will need to remove all data you hold on that specific individual, across the whole organization. If you keep data in different places for different purposes, then this can cause issues.

The solution to this is to have a single platform that hosts the consent record of every single user. Having a single platform, like a CRM system, will help you keep track of all your permissions data and ensure you’re GDPR-compliant.

The advantage of having a single platform is that it gives your customers the opportunity to switch consent on and off, for different purposes. This, in turn, gives you the opportunity to learn more about your customers and target them with more specific or relevant campaigns.

3. Transparency
People do business with other people (or organizations) that they know, like, and trust. Building trust comes through projecting transparency. You have to be upfront and honest about who you are and what you’re doing.

You need to demonstrate that an individual’s data is being treated with respect and held securely. If you can do that and show that you have your customers’ best interests at heart, then you will strengthen both trust and engagement with your customers.

Mike Albans is Content and Photography Editor for The CMO Club.