How to apply GDPR to digital marketing

By this time it is almost impossible not to have heard of the GDPR – General Data Protection Regulation.
The new regulation comes into force on May 25th, 2018 and replaces the current personal data protection directive and law.

The new rules apply to all companies that process personal data of residents in the European Union (regardless of the location of the company) and come with a “heavy hand” on penalties: fines can go up to 4% of the annual global turnover of the company or up to 20 million euros, whichever is higher.

NOTE: This article aims to support companies (more specifically, SMEs) and help them plan their digital marketing actions within the framework that the GDPR offers. It does not replace the analysis and opinion of a lawyer or of the person responsible for personal data, which remain necessary for your company to be in compliance with the GDPR.

What is the GDPR?

The GDPR is a regulation that specifies the functions, processes and technologies that organisations must adopt to ensure that the personal data of EU residents is safe and accessible, and is used properly and only with their express consent.

The GDPR aims to protect all EU citizens from data privacy breaches. The GDPR has a territorial scope throughout the EU, even if the company in question is based outside the EU. That is, if the data in question is from a citizen residing in the EU, the GDPR applies.

Users’ rights under the GDPR become:

  • Consent: data can only be stored and used with express consent for the purposes in question;
  • Information: be informed of what data is recorded and how it is used;
  • Changes: they can, in a simple and clear way, change any information or consent;
  • Right to be forgotten: being able to erase all data in a simple and clear way;
  • Portability: request delivery of personal data to other entities;
  • Security: in case of a security breach, it must be communicated to the data subjects and competent authorities within a maximum period of 72 hours.

Implications for digital marketing actions

The idea initially circulated that the GDPR was only intended for companies of a certain size, which is completely wrong. Regardless of the size of the business, if it collects or processes personal data identifying customers or individuals, the Regulation is applicable. Thus, it is important to frame the challenges of SMEs in the context of marketing actions, more specifically digital marketing, where personal data and their mobility are an integral part.

The GDPR thus requires an analysis of your current digital marketing strategy. If you do not have a defined digital marketing strategy, then this is a good time to implement one, as the Regulation requires you to implement good practices to store and process the personal data you may have from your customers, users or subscribers, as well as to obtain explicit consent for the various marketing actions.

Express and explicit consent

Previously, it was assumed that an email address could be included in a list (for example, one coming from a previous contact for another purpose) and that the holder could leave the list whenever he or she wanted. Now, express consent is required before sending any communication.

How to ask for consent is a strategic option, as long as the request is clear and distinguishable from other matters.

The channels through which the communication is made must also be approved. For example, the consent given to receive commercial emails does not include authorisation for future telephone contacts, sending SMS messages or personalising online advertising.

Consent also cannot be given by default; that is, a check box cannot be presented to the user already pre-selected, but must be expressly selected by the user.

GDPR and Cloud Systems

In order to increase efficiency and profitability, digital marketing is currently largely done using automation processes and systems, and these systems normally reside in the cloud (Internet), on servers that are not owned by the companies that subscribe to the services. In this case, the consent given must expressly extend to third parties.

So if your company uses an Email Marketing service (such as Mailchimp or E-goi) the user should be aware that their data is stored outside of your company, in this case on the servers of the companies that provide these services.

Another common example is the creation of a Custom Audience on Facebook to create campaigns. Since the creation of a Custom Audience implies the import of a file of users with their email addresses, each user must give prior consent.

GDPR and my website

Since your website is one of the main points of contact with users, it is essential to validate how all personal data entered through forms (such as submitting applications, registering for events, registering users, etc.) is archived and processed.

If you want to use the information entered by users for a purpose different from the one defined on the form, you must request their consent in a clear and explicit manner.

For example, if your company has an online store and a customer enters their contact details (mobile phone, email or address), this does not automatically give you the right to add them to your distribution list for commercial newsletters or SMS messages. You will need to obtain this person’s express consent for each purpose.

You should also check with your supplier or content management platform what actions should be taken to comply with the new Regulation. For example, in the case of the WordPress platform, Automattic has defined some guidelines and good practices.

Increase my list of subscribers

Although there is still no information to prove it, as the Regulation has not yet come into force, the new rules will benefit those who offer useful content and services to their users and subscribers.

It is expected that, with the reduction in the sending of unsolicited emails and the consequent decrease in advertising noise, people will be more inclined to remain loyal to a narrower and more selective part of the current offer, thus ending up making a natural selection of the topics and sources that interest them most.

Reinforce your efforts in the inbound channels, through useful and interesting articles that strengthen your SEO or create infographics that are easily shared and become viral.

With the GDPR we should see an increase in cost per click in outbound channels, such as online advertising. Most likely we will see a decrease in communication actions, but these will be more targeted, with better conversion rates and, in the end, with better results.


The GDPR requires an analysis and planning of your company’s digital marketing processes and systems. And it can even be a good thing: you can create new ways to distinguish yourself from the competition, planning your actions in ways that are more beneficial and useful for users, so that they respond positively.

Start by requesting the minimum necessary personal data, document in which systems these data are stored and in which processes they are used, and then add more personal data, if it becomes necessary.

Do not forget to also update the internal rules of your privacy policy so that they are clear and already covered by the new Regulation.

Take advantage of the opportunities that the GDPR creates. By protecting people from unsolicited communications, the GDPR leaves more space so that there can be a more organic selection of new offers and themes by users.