November 15th 2017


by Rich Milner

General Data Protection Regulation

It’s high time we started discussing it, because it’s going to have a pretty big impact on us marketers.

So, what is it? Let’s start from the top - it stands for ‘General Data Protection Regulation’ and it’s designed to protect the personal data of all individuals within the European Union.

Before getting stuck into the regulation, let's take a whistle-stop tour of the history of data collection.

Data has been collected by marketers since the beginning of time. Well, maybe not. But if Fred Flintstone owned the local bowling alley, I'd like to think he was asking for people's cave numbers so he could let them know about the Monday night 2-4-1 Brontosaurus Burger offer. Fast forward a few thousand years to the 1960s and Fred’s marketing techniques have continued:

  • In the '60s we see the start of direct mail into households. With the introduction of postcodes, direct mail can be more targeted and the term “direct marketing” is coined. 
  • During the '70s we became a bit more savvy with a little help from the computers. With the newfound digital databases, we develop segmentation techniques to target consumers through direct mail and telemarketing. 
  • In the late 1980s, “database marketing” was defined as an interactive approach to marketing; using various channels to keep an electronic database of consumers, improving future marketing strategies.
  • The 1990s gave birth to the internet. Opening up subscribers with email - and of course opportunities for direct marketing and email marketing. 
  • Big leaps in technology then took place in the noughties. Digital information storage became more cost-effective than paper. 'Do Not Call' (DNC) was introduced, giving consumers more control over the volume of telemarketing they were subjected to. Opt-out compliance was introduced, giving consumers the chance to opt out of email marketing. The first iPhone was released, sparking the birth of the smartphone era.
  • In the last 7 years of this decade, we’ve seen the rise of social media. Billions of users have taken to platforms like Facebook and Twitter, with hundreds of thousands of status updates every second. We're able to target these people with the vast amount of data. Cookies are heavily used throughout internet sessions to track and re-target users. And we're introduced to free apps on a daily basis - assuming we're happy to accept the Ts & Cs - many of which have far-reaching ramifications with regards to the data we allow the providers access to...

Every Google search, every online form and every purchase you've made online is stored in a database somewhere. For the last half a century, marketers have been finding, collecting, buying and storing this data. They’ve developed techniques to analyse and use it to best target consumers, which has become the most powerful tool in their box (so to speak). All of this is what’s going to come under threat when GDPR is launched. It will change the way we collect it, change what we can do with it - and give the consumer full control over it. No more running conferences then adding all the attendee email addresses to your database. No more running a competition, asking people for their email addresses, then storing their information until you run your next campaign. 

WTF is it?

It’s Europe's new framework for digital privacy of our personal data. It replaces the previous 1995 data protection directive, which is what the current UK laws are based upon. Pretty old eh? I’ve grown about 4 feet and achieved 7 Dolphin Swimming Badges in that time. The new framework will standardise a range of privacy legislations across the EU that will protect users. "What about Brexit" I hear you say? Post-Brexit, we'll be introducing our own data protection bill, which will mirror the GDPR with some slight changes. So we don’t get off the hook that easily. 

The new framework will give consumers more control over the personal information companies have on them. It will come into play on 25th May 2018; two years after it was announced in the EU journal. Plenty of time for us to get ready, right? Well, wrong actually. It seems that 72% of marketers surveyed in May 2017 did not know the conditions of GDPR.  

Article 5 of the legislation defines six principles for how data is to be managed:

  1. Ensure that data is “processed lawfully, fairly and in a transparent manner”.
  2. It’s collected for a specific purpose and is not processed further outside of that use.
  3. The data you’re collecting is "adequate, relevant and limited to what is necessary”. No more asking someone's sexual orientation or their religious beliefs.
  4. It’s accurate and kept up to date. 
  5. If it’s no longer required for the purpose it was gathered - delete it.
  6. Make sure it’s safe & secure. No accidental loss of data please.

Throughout, the legislation refers to personal data, so let’s clarify what this is: Personal data is any information that can be used to identify a person. This can be a name, identification number, location information, an online avatar, even an IP address. 

Who will it impact?

In general, almost all organisations that collect data will be affected by the legislation. From organisations as big as Apple, right through to Terry who runs the local newsagent (those paper boys and girls need addresses to drop their papers off). In terms of marketers, we’ve outlined a few roles that will be affected below:

Email marketing managers

When going through forms on websites you will often see a little box, already ticked, which says something along the lines of “I would like to keep up to date with said organisation's news”. If you don't untick this, you're then added into an email marketing database and expected to opt-out if you don’t like the emails you're receiving. Getting unsuspecting users to subscribe to a newsletter this way has been commonplace for years, but following the introduction of GDPR this will be totally illegal. It doesn’t state that you have to implement a double opt-in for your email gathering, but it does state that an organisation must have proof that a subject they're contacting has given permission to be contacted. Relying on a single opt-in process wouldn’t be sufficient as anyone could put anyone else's email address into a form field, so double opt-in is a great way to get a big tick from GDPR.

If you manage a website using a CRM system which sends out automated marketing emails, then you will need to ensure that these are all going out to users who have actively opted in to receiving that content. Otherwise hefty fines may well be on their way. We’ll get onto the fines later.

Data re-sellers

Organisations whose sole purpose is buying and selling data are going to be in a wee bit of trouble. The guidelines in Article 5 of the framework clearly state that data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. The data that’s collected for a specific campaign or event cannot be then re-used or shared for other purposes. Seems as though these chaps may well be out of a job.

Slapped wrists

The consequences for not abiding by the new legislation are far from insignificant. For small offences companies will be fined 2% of their global turnover. For more serious offences it will go up to 4%.

Access to your data

Another big part of the legislation is subjects being able to access their own personal data. This is something that’s not been freely available, but soon we’ll all have the right to contact organisations and request the data they have on us. This goes as far as our medical records. We’ll be able to find out why that data was gathered, how long it’s been stored and who has had access to it. 

Thoughts of Fury

This isn’t a negative thing. Over the past two decades, marketers have become reliant on data and tracking to pester and pursue consumers, with - let’s face it - shitter and shitter advertising and subsequently lower conversions. So this might be the end of buying massive databases of emails and sending half-arsed and interruptive “buy my product” messages. With that in mind, great campaign creative will hopefully return to the fore. I.e. what consumers are more likely to give a fuck about (assuming there's a reason to care about the offer itself). This is going to be the only way to get consumers to subscribe to your newsletter, or give you consent to use their data. If they don’t, they just won’t pay you any attention. So let's get out of the data trenches and into a new creative landscape - where design, copywriting and GAINING FUCKING PERMISSION are once again the most important aspects of campaign marketing.

Opting in will be harder. If someone wants to receive emails or any other marketing material, they’re gonna have to really want it. This means quality is going to shine through. For us this is exciting. When someone lands on your website you're going to have to make a really good impression, otherwise they just won’t come back.

Brand advocacy is going to be at the forefront of marketers' minds. Giving great content away and expecting nothing in return - this is how we will advertise to consumers. Not buying massive databases, then asking them if they want to buy one of your shiny sparkly things.

There will be an education piece for the European public to get up-to-date and understand what rights they have. But once it’s common knowledge, data will be stripped from companies. Massive organisations will receive fines for misdemeanours - causing them to lean less heavily on the use of their databases. The database will become a place of brand advocates who like, use and interact with your brand - not just another name for the sales team to target.

So bring on GDPR! Let's quit shouting at customers and start having conversations instead.


If you liked this, feel free to sign up to our newsletter! Apologies in advance for the double opt-in rigmarole though. Fuckin GDPR...