On the surface, GDPR might seem extreme, especially for smaller businesses or solo-practitioners.

Realistically though, there are only 3 key areas that marketers need to worry about – data permission, data access and data focus.

Let’s take a look at each of these individually.

1. Data Permission

Data permission is about how you manage email opt-ins – people who request to receive promotional material from you. You can’t assume that they want to be contacted. In the future, they need to express consent in a ‘freely given, specific, informed, and unambiguous’ way, which is reinforced by a ‘clear affirmative action’.

Hang on, what does that mean?

Well, in practice, it means that leads, customers and partners need to physically confirm that they want to be contacted. You need to make sure you’ve actively sought (and not assumed) permission from your prospects and customers, confirming they want to be contacted. Therefore, a pre-ticked box that automatically opts them in won’t cut it anymore – opt-ins need to be a deliberate choice.

For example, instead of assuming that visitors who fill out a web form want to receive marketing emails from SuperOffice (left), we now ask visitors to specifically opt-in to newsletters by ticking the sign up box (right).

The only caveat here is when it comes to refer a friend programs.

In most cases, refer a friend programs work when a prospect or customer enters a friend’s email address in order to claim an offer (i.e. a discount, sale, bonus, etc). Once they have entered a friend’s email address, an email is automatically sent from the company to the “friend” without gaining explicit consent to contact them. These emails are typically “notifications”, rather than promotional.

Provided this data is neither stored nor processed, it is considered GDPR compliant.

However, if the data is stored and used for marketing communications, then you are in violation.

To be clear: No marketing communication is to be sent out to the referee’s email address.

2. Data Access

The right to be forgotten has become one of the most talked about rulings in EU Justice Court history. It gives people the right to have outdated or inaccurate personal data removed and has, in some instances, already been implemented by companies like Google, which was forced to remove pages from its search engine results in order to comply.

The introduction of GDPR offers individuals a method to gain more control over how their data is collected and used – including the ability to access or remove it – in line with their right to be forgotten.

As a marketer, it will be your responsibility to make sure that your users can easily access their data and remove consent for its use.

Practically speaking, this can be as straightforward as including an unsubscribe link within your email marketing template and linking to a user profile that allows users to manage their email preferences (as shown in the example below).

Of course, it sounds easy enough.

Yet, in our own B2B email marketing benchmark report (a study of 4,500 email campaigns) we found that 8% of all emails do not include an unsubscribe link!

3. Data Focus

As marketers, we can all be guilty of collecting a little more data from a person than we actually need. Ask yourself, do I really need to know someone’s favorite movie before they subscribe to our newsletter?

Probably not.

With this in mind, GDPR requires you to legally justify the processing of the personal data you collect.

Don’t worry; this is not as scary as it sounds.

What this means is that you need to focus on the data you need, and stop asking for the “nice to haves”. If you really need to know a visitor’s shoe size and inside leg measurement, and can prove why you need it, then you can continue asking for it. Otherwise, try to avoid collecting any unnecessary data and stick with the basics.

The cost of failing to comply

The deadline for GDPR has now passed and many businesses are already in “panic mode” to make sure they’re compliant.

The trouble with this is that this leads to mistakes…

…and these mistakes can be costly.

Especially as the Information Commissioner’s Office (ICO) has started to clamp down even harder on the misuse of personal data.

In fact, the ICO has already reported several incidents that involve household brand names who tried to use well-known email activation strategies to reach out to their database. The following 3 campaigns, which were sent out by Flybe, Honda and Morrisons, asked customers if they wanted to be contacted by email and to update their preferences.

How did they contact their customers, you might ask?

Well, they contacted them by email – even those customers that had previously opted out.

And this is a serious breach of compliance.

1. Flybe fined £70,000

In August 2016, Flybe sent an email to 3.3 million people in their database with the subject line “Are your details correct?”

In theory, this sounds like a smart strategy, but unfortunately, these 3.3 million people had previously opted out of (unsubscribed from) marketing emails and thereby gave no consent to be contacted.

The result? A fine of £70,000.

Key take away: If your customers have opted-out of marketing emails, don’t email them – it’s as simple as that. You are breaking the law if you do.


2. Honda Motor Europe fined £13,000

In a separate incident, Honda Motor Europe sent an email to 289,790 subscribers between May and August 2016 asking their database “would you like to hear from Honda?”.

This email was sent in order to clarify how many of the 289,000 subscribers would like to receive marketing emails going forward. But, once again, this email was sent to individuals who had specifically opted out.

This mistake earned Honda a £13,000 fine as a result.

Key take away: If you do not have explicit consent to email your customers, then don’t email them! Even asking for consent is classed as marketing and is in breach of the GDPR regulations.

3. Morrisons fined £10,500

In late 2016, UK supermarket chain Morrisons re-launched their “Match & More” loyalty program.

In a bid to get more members to take advantage of their offers, they sent out an email to all 230,000 members from their database, asking subscribers to update their account preferences. Unfortunately, this included 131,000 subscribers who had previously opted out and unsubscribed.

This slip up led to a fine of £10,500.

Key take away: In this case, it was a customer that reported Morrisons to the ICO. So, you have to be 100% sure that the subscribers you send an email to have opted-in. Now that customers are taking action into their own hands, you have to be even more careful.

These three examples should act as a clear warning sign to businesses – both big and small – to make sure you’re doing things right in a post-GDPR world.

Who is affected most by GDPR in marketing?

If you have customers, then everyone inside your company is affected by GDPR.

But, in the marketing department, there are three roles that have seen the biggest change in their everyday work.

Let’s take a closer look at who this has affected and how.

1. Email marketing managers

For B2B marketers, email addresses are the lifeblood of lead generation programs.

Often considered the start of the sales process, a user that willingly gives you his email address in exchange for more information, such as signing up to your mailing list or downloading a piece of content, is known as an “opt in”.

This is in stark contrast to firms that buy email lists or scrape (or copy) them from a website. Under the new GDPR regulation, buying lists (or scraping them) is strictly forbidden.

Ensuring users opt in to your B2B email marketing campaigns and give consent to be contacted is now a GDPR requirement for email marketing, and you can no longer automatically add them to your email list and then wait for them to opt out.

2. Marketing automation specialists

Marketing automation can be an extremely powerful tool.

But, it can also land you in trouble with GDPR if not set up correctly.

If your marketing automation system sends out emails on behalf of your CRM system, then you could be facing eye-watering penalties from the ICO if an email is sent automatically to someone who has opted out.

You need to make sure that every name in your CRM database and every email in your automation system has given you permission to market to them. And, if someone opts out of an automated email sequence, make sure that the two systems are updated so that no further emails are sent. And no, having the next email already scheduled is not a valid excuse.

3. Public relations execs

Pitching new product releases or company information to journalists is no different than marketing to an employee of a business. While it’s possible that the liability for this consent will lie with media databases such as PRweb and MyNewsDesk, journalists will still have to give consent to be contacted by you instead of the traditional email outreach program.

This consent could be given through platforms like HARO, where journalists are asking you to contact them, or through requests made on social media platforms. So if you’re not on those platforms yet, now is the time to sign up!

Of course, if a journalist reaches out to you directly, they’ve expressed interest in talking to you.

GDPR is a golden opportunity for marketers

At this stage, you might be thinking that GDPR has a negative impact on the way you do business today.

But, there’s no real need to worry.

Sure, GDPR does sound intimidating and the fines issued by the ICO are enough to make you rethink your entire marketing strategy. But, in reality, this new EU legislation isn’t a set-back. In fact, it’s a great opportunity for you to do what marketers do best – that is, create targeted marketing campaigns with people that are engaged with your brand.

Here’s why:

1. Gaining Consent

With GDPR, you need explicit consent to use an individual’s data. Your customers can also ask you exactly what kind of information you have on them, who it is shared with and the purpose it has been used for.

The opportunity here lies in the fact that instead of a simple yes or no option when asking customers about data, you can now provide them with a range of options so that they can find out what they’re interested in. Through consent, you can gain insight into each individual’s interests to provide them with information that they want to receive.

This not only helps to be compliant with GDPR, but it also helps you further segment your customers and focus your communication based on specific interests, rather than sending a “one size fits all” email campaign.

2. Right to be Forgotten

Under GDPR, every individual has what’s called the “right to be forgotten”.

If requested by a customer, your business will need to remove all data you hold on that specific individual, across the whole organization. If you keep data in different places for different purposes, then this can cause issues.

The solution to this is to have a single platform that hosts the consent record of every single user. Having a single platform, like a CRM system, will help you keep track of all your permissions data and ensure you are GDPR compliant.

The advantage of having a single platform is that it gives your customers the opportunity to switch consent on and off, for different purposes. This, in turn, gives you the opportunity to learn more about your customers and target them with more specific or relevant campaigns.

3. Transparency

People do business with other people (or organizations) that they know, like, and trust – and building trust comes through projecting transparency. You have to be upfront and honest about who you are and what you’re doing.

A study by Harris Interactive found that 93% of online shoppers cite the security of their personal data as a concern. You can overcome these concerns by being transparent with data. You need to demonstrate that an individual’s data is being treated with respect and held securely. If you can do that and show that you have your customer’s best interests at heart, then you will strengthen both trust and engagement with your customers.

9 practical tips on GDPR for marketing

Research by Osterman Research, Inc found that 73% of businesses were not ready to satisfy the compliance obligations of the GDPR, while a study by Symantec found that 23% of businesses felt they will only be partly compliant by the May 2018 deadline.

The good news is that if you’re still not sure if your business is GDPR compliant, we’ve created a short checklist that includes 9 practical tips to help you get closer to meeting those requirements.

  • Audit your mailing list. According to a study by W8 data, up to 75% of marketing databases have become obsolete from GDPR and only 25% of existing customer data meets GDPR requirements. Therefore, remove anyone where you do not have a record of their opt-in. For new subscribers, make sure that the potential subscriber confirms that he or she wants to join your mailing list by sending an automated email to confirm the subscription.
  • Review the way you’re collecting personal data. Are you still buying mailing lists? If so, now might be the time to start fresh with a new mailing list. In the UK, pub chain JD Wetherspoon took the unprecedented step of deleting their entire email marketing database (more than 650,000 email addresses). In a letter from their CEO (shown below), John Hutson informed customers that all customer emails will be securely deleted. While that might be a terrifying prospect for some, it’s something to consider as you will then be guaranteed a list of engaged and interested readers.

  • Do you create content that is tailored to your potential customers? Invest in a content marketing strategy by creating white papers, guides and eBooks that visitors can access and download in exchange for them sharing their contact information.
  • Invite visitors to add themselves to your mailing list by launching a pop up on your website. You can keep your mailing list neatly segmented by creating specific pop ups for product news, blog posts and general company news. Just remember to link to your privacy policy though, to ensure compliance – like we did with our GDPR website pop up before the deadline.

  • Educate your sales team about social selling techniques. Essentially, sales reps should connect with prospects on social media and share relevant content – rather than trying to reach new prospects by email.
  • The time for using Google docs or Excel spreadsheets to store customer data is over. Start centralizing your personal data collection into a CRM system. And make sure your users can access their data, review its proposed usage, and make any changes as necessary.
  • Understand the data you’re collecting in more detail. Is it all necessary, or are there elements that you can do without? When it comes to sign up forms, only ask for what you need, and what you will use. For B2B marketers, full name, email address and company name is usually more than enough.
  • Try using push notifications. A push notification is a pop up message that appears on a desktop or mobile device. Marketers can use push notifications to send a message to subscribers at any time. However, unlike email marketing campaigns, push notifications do not process personal data (IP addresses are anonymized) and users are required to give explicit consent in order to opt-in and receive notifications.
  • Update your privacy statement. Review your current privacy statement and amend the statement accordingly to comply with GDPR requirements. Is the content in your privacy statement difficult to read? Or are you purposefully using terminology so that potential customers do not know what they are signing up to? If so, rewrite it and make it easy to read – like we have done here.


GDPR has changed the way that companies operating in EU countries handle personal data, with fines of up to €20 million if you fail to comply. That’s why it’s important for you to seek advice from a lawyer as to what is or is not a legal requirement for your business.

Remember, GDPR hasn’t been designed to stop businesses from communicating with their customers. Quite the opposite, in fact. It’s led to an increase in data quality, which is why the best and most resourceful marketers are seeing the bigger picture in that it’s an opportunity to delve deeper into the needs of their prospects and customers, rather than using the traditional “one-size-fits-all” approach to marketing.

That being said, the rules for GDPR compliance are quite simple – don’t contact someone unless they specifically ask to be. Don’t assume they want to hear from you. Don’t cold contact them, and don’t send them irrelevant information that they didn’t request.

If you can do all that, then you’ve done your job in being GDPR compliant.

Is your marketing team ready for GDPR?

Read Entire Article at
Steven MacDonald


Bryan Tuck