GDPR: consequences for marketing


The General Data Privacy Regulation, also called GDPR is around the corner If you are not careful your marketing department might not be allowed to send e-mails or use marketing automation when this law comes into effect in May 2018.

The purpose of this new European legislation is to improve protection of the privacy of EU citizens. Soon everybody will have greater access to, and control over, their personal data, even after permission has been granted for archiving and use of that data.

No more email marketing or marketing automation

Once the new law is implemented, and if your organization does not comply with the requirements of the law, you risk being unable to work with the data in your possession. Requirements include: all email addresses must be confirmed opt-in, data can only be used for the purposes explicitly listed when permission is requested, people are always assigned the privacy settings that most respect their privacy (in other words, no analytics, tracking, etc.), data breaches must be reported, people can request full deletion of all data relating to them, and much more. All of these matters must be verifiable in order to avoid fines.

Surely things are not as bad as they seem?

Don't bet on it. For instance, fines for not obtaining permission for archiving and use of personal data could be as high as 20 million euro, or 4% of global revenue. I imagine your CFO would rather not risk that... It would be too bad if you had to start rebuilding your database from scratch, especially since you still have time to make sure your organization is compliant. 2017 is considered the year of calm before the storm.

Everybody who archives or processes European personal data must comply with the law. In this context, IP addresses are considered personal information, and saving data belonging to employees, as well as contacts for customers or providers, are also subject to the new legislation. In other words, the law will apply to almost everybody, and those who do not comply risk being fined.

Keep IT informed

Recent research indicates that 78% of IT decision-makers are not aware of the consequences of GDPR. Of the 22% who are aware, more than three-quarters are not yet compliant. This means a total of 96.6% is not, or is insufficiently, prepared for the arrival of GDPR, which means a significant risk for the marketing departments facing GDPR.


Take action by making sure you are in charge of the situation. Are you unaware of how your company is approaching GDPR? Check to make sure Management and IT are working on it. Is a plan already in place? Make sure the focus is not only on technology, because GDPR is not technology-based, but rather on a process-based approach to the problem. GDPR should not be the sole responsibility of IT. As one of the stakeholders, it is in your best interest to make sure this subject is approached with diligence.

What if nobody is preparing for GDPR?

Make sure Management is aware of the new law, and that people understand the potential implications. Raise the issue and stress that this is not a matter for Marketing or IT alone, but that it concerns the entire organization. Sales and HR, for example, also have access to personal data and will want to update the personal information in their possession.

Now is the time to start making sure everything is in order for when GDPR is implemented. For Marketing, for IT, and for the entire organization!