GDPR for marketing: What every successful marketer should know


When browsing online, consumers are more prone to giving away their personal information for companies to process. 

Seeing that personalization is a key ingredient in marketing strategies, it would make sense to ask for a user’s personal information like their name and email address. The customer probably wouldn’t think twice about how their data is processed or where it’s stored because they want to use that company’s services right away. 

Consumers should, however, ask where their personal information is going to be used!


Source: Andertoons

There was a time when this was the breaking news: Facebook will soon let users control the data flow. What should marketers do?

And then came GDPR!

The General Data Protection Regulation is a relatively new law that was passed in 2018. The law strives to protect the data of EU citizens by placing strict requirements on how marketers gather and process a consumer’s information. 

What are the implications of GDPR for marketers?

Learn more in the video below:

Source: GrowthTribe

Does GDPR apply to every business? 

Not necessarily. The GDPR protects the data of EU citizens only. However, any company that targets EU citizens will be responsible for complying with the GDPR for marketing, regardless of where the company is established.

Prior to the GDPR, were there any data protection laws in place for EU citizens? 

Not exactly. Prior to the GDPR, there was the 1995 Data Protection Directive. The main differences are:

Source: fintechfutures

What are the data protection policies that fall under the GDPR? 


The GDPR preaches transparency between the company and the consumer. The company must explain in clear terms what personal data they need from the consumer, the purpose of collecting said data, the amount of time the data will be held on to, and why the company will hold on to said data for that set period of time. 

For example, Jodi is researching ways to create a content calendar for her business. She stumbles upon an article that outlines the steps to creating a content calendar.

As Jodi scrolls down the page, she sees a Call to Action button prompting her to download a free content calendar template. When she clicks on the button she is redirected to a landing page that prompts her to fill in requested information like her email address, name, company name, and size. 

In this instance, it would be the company’s responsibility to clearly state why they are collecting her personal information. 


The GDPR has tightened the leash on personal data collection. Any identifiable information is considered personal data, and a company should have informed and freely given consent from the consumer in order to collect and process it.

Prior to the GDPR, the 1995 directive’s definition of personal information only included phone numbers, email addresses, social security information, and banking information. Thanks to technological innovation, the GDPR now includes IP addresses and even biometric information in its definition of personal data.

Going back to the above scenario, Jodi now has the option to share her personal information with the company or decline. There are multiple statements right below her email address that tell her the purpose of sharing her email is so she can receive the template.

There’s a question right below the statement that asks her if she would like to opt into the weekly newsletters. If Jodi clicks the checkmark next to the template but declines the weekly newsletters, then the company cannot legally use her email address to send her weekly newsletters.

Privacy by design 

Privacy by Design is a strategy of building a compliance program that accounts for every stage of your business model, ensuring data is stored and processed safely. 

According to Data Privacy Manager, it’s good practice to assign a Data Protection Officer who can successfully work alongside the company’s CMO & CEO to create a compliance program.

This way the DPO has an idea of how the company operates and can recommend appropriate measures for data protection. This includes executing assessments that measure any privacy risks that could arise from future projects etc. 

Data Deletion

Consumers can ask for their personal data to be deleted whenever they wish. The company must comply and delete all of the customer’s data from its own databases as well as from any third-party databases. As a good practice, the company should also confirm with the consumer when the deletion has been made.

Data Retention

In their privacy policy, a company must state how long and for what purpose they will be retaining said consumer’s information even after the consumer decides to cut ties.  

Liability for all parties

If a data breach were to occur or if a company is found to be non-compliant with the GDPR, both the data processor and the data controller would be held liable. Consider hiring a DPO to guide you in the right direction when it comes to handling customer privacy. It’s good practice to conduct regular audits and keep detailed reports of all tasks relating to personal data to safeguard against any mishaps. 

Source: MoEngage

What are the penalties for non-compliance? 

According to Hubspot, the penalties for non-compliance could be up to a 20 million dollar fine or up to 4 percent of a company’s global annual revenue. 

How should marketers adapt to the GDPR for marketing activities? 

Source: Neil Patel

With the GDPR in full effect, marketers should rethink targeted ads. Companies might target ads to a consumer based on their location without affirmative consent. If a consumer were to use a store’s wifi, for example, that store could potentially use that consumer’s location data to later target them with promotional ads through email or SMS. This could be a sketchy practice for businesses to partake in.   

Companies might consider using contextual ads instead. Rather than using a consumer’s behavioral data without their consent, contextual ads are placed on relevant web pages. For example, if a consumer is researching how to play chess, and they stumble upon a video showing them how to play chess, an ad for a chessboard could be placed before the start of the video.  

Even though the GDPR for marketing has strict regulations governing consumer privacy, having transparent policies will make your brand trustworthy. Building trust with your consumer is a key tool to growing your business. No one is likely to do business with a company that partakes in sketchy practices. 
