A simple guide to GDPR compliance and marketing


Date: 11 March 2020


Since the EU General Data Protection Regulation (GDPR) came into force in May 2018, businesses have had to document how they use consumers' personal data, obtain valid consent for marketing messages, and report data breaches to the regulator (and, where the risk to individuals is high, to the people affected).

Failing to comply with the GDPR can result in hefty fines, so it’s important that businesses and marketers understand how the rules affect them.

Below are the six most important aspects of the GDPR that companies must comply with in their marketing and other business operations.

1. Access

Individuals have a right of access to the personal data you hold about them and, in most cases, a right to have it erased. They can also withdraw consent at any time and object to direct marketing, and withdrawing consent must be as easy as giving it was. Whether it's old information from one-time customers or the email addresses of repeat buyers, make sure people can actually exercise these rights.

Offer clear and easily accessible ways for consumers to withdraw consent. For email marketing lists, an unsubscribe link in every message covers withdrawal for that channel; access and erasure requests need a defined process, and must be answered without undue delay and at the latest within one month.

In some cases a business must keep part of a person's data even after an erasure request, for instance for audit or tax purposes. The basis for keeping it is then the legal obligation, not consent: write a data retention policy that says which data is kept, why, and for how long, and tell the individual.

2. Justification 

The GDPR requires a lawful basis for every piece of personal data you collect, and its data minimisation principle limits collection to what is necessary for the purpose you have stated. In practice you must be able to explain why each field on a form is there, so think carefully about the questions you ask consumers.

If you can't justify why you need a piece of information, don't collect it. Whether it's social media handles, interests or marital status, the reasoning must be written down, in your privacy notice and in your records of processing.

3. Purpose 

Data may only be used for the purposes you disclosed when you collected it (purpose limitation). Using it later for an unrelated purpose that was never disclosed needs a fresh lawful basis, and for marketing that normally means fresh consent. Sharing data with a third party is itself a purpose that must have been disclosed. A supplier that processes the data on your behalf, such as an email-sending service, must be bound by a written processing agreement; passing the data to another organisation for its own marketing normally needs the individual's consent.

If an individual has not agreed to their data being passed to third parties for marketing, you cannot share it for that purpose. Disclosures you are legally required to make are a separate matter and do not depend on consent.

4. Permission 

Whether it's a partner, customer or lead, you need a lawful basis for every person you contact, and for marketing emails to individuals that normally means their consent.

Holding someone's email address is not permission to market to them. Ask, with a clear and unticked option, whether they want to hear about news, promotions or offers, and keep each purpose separate so that consent to one does not silently cover another.

Of course you'll want to grow your email marketing list and get your newsletter out there. However, you can only contact those who have explicitly agreed. Valid consent is freely given, specific, informed and unambiguous, and given by a clear affirmative action: a pre-ticked box, a clause buried in the terms, or silence does not count.

When designing the customer contact forms and pop-ups on your site, remember to bear this in mind.

5. Records

It's not enough to comply with the GDPR; you must also be able to prove it. Keep a record of each consent (who gave it, when, how it was captured and the wording they saw) and of your justification and lawful basis for each category of data, which the GDPR formalises as records of processing activities.

Create clear policies governing how data is used and retained, and make sure they are followed at all times. A number of GDPR compliance tools exist to support the process.
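Sections 1, 4 and 5 all come down to what you store when someone ticks a box: the withdrawal must be honoured, the consent must be an affirmative act for one specific purpose, and the record must prove both. The Python below is an added example, not code from the original article or from any product it mentions; it shows an append-only consent ledger that answers "may we contact this person for this purpose as of this moment?" from the record itself. The purposes, field names, source labels and sample data are assumptions.

```python
"""Append-only consent ledger: who consented to what, when, how, and on the
basis of which wording, plus a point-in-time answer to "may we contact this
person for this purpose?".  Added illustrative code; field names, purposes
and sample data are assumptions, not taken from any regulation or product."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import hashlib


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str      # your internal identifier for the person
    purpose: str         # one specific purpose, e.g. "newsletter"
    granted: bool        # True = consent given, False = consent withdrawn
    at: datetime         # timezone-aware time of the event
    source: str          # where it was captured, e.g. "signup_form_v3"
    notice_sha256: str   # hash of the exact wording shown; "" on withdrawal


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (used for the sample data)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def hash_notice(notice_text: str) -> str:
    """Hash the consent wording so each row proves what the person was told
    without storing the full text in every row (keep the texts themselves
    versioned elsewhere)."""
    return hashlib.sha256(notice_text.encode("utf-8")).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []   # never deleted: the history is the evidence

    def record_grant(self, subject_id, purpose, source, notice_text, at,
                     affirmative_action=True):
        # Consent must be a clear affirmative act by the person; a pre-ticked
        # box or silence is not consent, so refuse to record it as such.
        if not affirmative_action:
            raise ValueError("consent requires an affirmative action by the person")
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        self._events.append(ConsentEvent(subject_id, purpose, True, at, source,
                                         hash_notice(notice_text)))

    def record_withdrawal(self, subject_id, purpose, source, at):
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        self._events.append(ConsentEvent(subject_id, purpose, False, at, source, ""))

    def has_consent(self, subject_id, purpose, as_of=None) -> bool:
        """Consent is purpose-specific: only events for this exact purpose count,
        and the latest one at or before `as_of` decides.  No record means no
        consent, so a bare email address never qualifies."""
        as_of = as_of or datetime.now(timezone.utc)
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= as_of]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.at).granted

    def evidence(self, subject_id, purpose):
        """The trail you would show a regulator for one person and purpose."""
        return [asdict(e) for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose]

    def subject_access_export(self, subject_id):
        """The consent part of an access request: every event about this person."""
        return [asdict(e) for e in self._events if e.subject_id == subject_id]


if __name__ == "__main__":
    # Constructed sample: sign-up, then an unsubscribe via the link in an email.
    ledger = ConsentLedger()
    ledger.record_grant("cust-42", "newsletter", "signup_form_v3",
                        "Yes, email me the monthly newsletter.", utc(2020, 3, 1))
    print(ledger.has_consent("cust-42", "newsletter", utc(2020, 3, 2)))          # True
    print(ledger.has_consent("cust-42", "third_party_offers", utc(2020, 3, 2)))  # False: different purpose
    ledger.record_withdrawal("cust-42", "newsletter", "unsubscribe_link", utc(2020, 3, 5))
    print(ledger.has_consent("cust-42", "newsletter", utc(2020, 3, 6)))          # False
    print(len(ledger.evidence("cust-42", "newsletter")))                          # 2
```

Two design choices matter here. Events are appended and never edited, so the withdrawal does not erase the grant; the pair is exactly the evidence you need if someone later says they never consented or that you kept emailing them. And the check is keyed on purpose, so consent to the newsletter does not leak into third-party offers, which is the purpose limitation point of section 3 enforced in code rather than in a policy document.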

6. Security

The GDPR requires organisations to take appropriate technical and organisational measures to keep personal data secure against unauthorised access, loss, alteration and theft. Encrypting personal data, in transit and at rest, is one of the measures the regulation names explicitly, and it makes it far less likely that a lost laptop or an exposed database becomes a reportable breach.

Use multi-factor authentication on every system that holds customer data, including the marketing and analytics services your team logs into, not just your own servers. Clearing browser history, by contrast, does nothing to protect the data you hold; the browser-side control that matters is how your own site issues session cookies.

A session cookie is a credential: anyone who steals or forges one can act as the account holder without knowing the password, which is what happened in the Yahoo breaches disclosed in 2016, where attackers forged cookies to get into accounts. Mark session cookies Secure, HttpOnly and SameSite, keep their lifetime short, and invalidate them server-side on logout and on password change. To keep data safe and sound, it's best to be vigilant.
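The cookie point above is easy to check for yourself. The Python below is an added example, not code from the original article: it parses a Set-Cookie header and reports which of the protective attributes are missing, using two constructed headers as input. The 12-hour lifetime limit is an assumed policy value, not a GDPR figure.

```python
"""Audit Set-Cookie headers for the attributes a session cookie needs.
Added example, not from the original article.  The header lines below are
constructed for illustration; the 12-hour lifetime limit is an assumed
policy value, not a GDPR requirement."""

MAX_SESSION_LIFETIME = 12 * 60 * 60   # assumed policy: 12 hours


def parse_set_cookie(header: str):
    """Split one Set-Cookie header value into (name, value, {attr: val}).
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    get an empty string as their value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str, max_lifetime: int = MAX_SESSION_LIFETIME):
    """Return a list of findings for one Set-Cookie header; empty means OK."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, can be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable by page scripts")
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        findings.append(f"{name}: SameSite=None, sent on cross-site requests")
    elif samesite not in ("lax", "strict"):
        findings.append(f"{name}: missing SameSite, relies on browser default")
    if "max-age" in attrs:
        try:
            age = int(attrs["max-age"])
        except ValueError:
            findings.append(f"{name}: Max-Age is not a number")
        else:
            if age > max_lifetime:
                findings.append(f"{name}: Max-Age {age}s exceeds limit of {max_lifetime}s")
    elif "expires" in attrs:
        findings.append(f"{name}: uses Expires, check the lifetime by hand")
    return findings


# Constructed sample headers: the first is the shape a hardened session
# cookie should take, the second is the kind that turns a stolen cookie
# into a year-long password substitute.
GOOD_HEADER = "sid=8f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600"
BAD_HEADER = "sid=8f3a9c; Path=/; Max-Age=31536000"

if __name__ == "__main__":
    for header in (GOOD_HEADER, BAD_HEADER):
        print(header)
        for finding in audit_set_cookie(header) or ["ok"]:
            print("  -", finding)
```

Run it against the headers your own login endpoint returns (curl -i on the login URL shows them) rather than the constructed ones; a marketing site that sets a long-lived session cookie without Secure and HttpOnly is handing out exactly the kind of credential described above.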

Copyright 2020. Article was made possible by site supporter Jeremy Bowler
