An Overview of EU General Data Protection Regulation (GDPR) for Marketers Outside the EU

In May this year, the EU is introducing new data protection rules for residents, called General Data Protection Regulation, or GDPR. If you collect any marketing data about people who live in Europe, then you’ll need to review how you do it—or risk a hefty fine.

Do you have EU residents on your email list? Do you capture browsing data on website visitors from Europe? Do you ship products to Europe?

If you answered yes to any of those questions, did you implement your GDPR plan in May 2018?

If you did, give yourself a high five and have a celebratory cup of tea.

If you didn’t, and you market to people in Europe, read on. You need to know this.

What is GDPR?

General Data Protection Regulation. A new EU law on how personal data can be stored and used. It is much stricter than previous versions as it attempts to address consumers’ concerns over privacy and how their personal information is used.

Why Should You Care?

The regulation applies to the person, i.e. the EU resident, not the location. This increased territorial scope means it affects any business that holds personal data of EU residents.

So, if you have even one EU resident on your email list, you collect browsing data from EU citizens on your site, or you ship products to people in Europe, this legislation affects your business.

It’s mandatory to comply. Businesses that break the rules risk a €2,000,000 fine. That’s almost US$2.5 million or NZ$3.4 million. It’s a big deal.

When Did it Start?

25 May 2018

Why Was it Rolled Out?

The EU’s current data protection directive is from the 1980s, and was last updated in the 90s. It’s inadequate for digital privacy and long overdue for an update.

The GDPR is being rolled out EU-wide so companies have one way of dealing with data from EU citizens, rather than having to comply with rules from multiple countries.

What Does GDPR Mean for EU Citizens?

If you live in the EU, GDPR improves your data privacy. You will have:

  • The right to access your personal data and to ask how your data is used.

  • The right to be forgotten. If you’re no longer a customer, or if you withdraw your consent to use your personal data, you have the right to have your data deleted.
  • The right to transfer your data from one service provider to another.
  • The right to be informed that a company is gathering your data. You must be informed before data is gathered, and you must opt in for your data to be gathered. This consent must be freely given rather than implied.
  • The right to have information corrected if it is out of date, incomplete or incorrect.
  • The right to restrict processing. You can request that your data is not used for processing. Your record can remain in place, but not be used.
  • The right to object. You can stop the processing of your data for direct marketing. There are no exemptions to this rule, and processing must stop as soon as your request is received. This right must be made clear to you at the very start of any communication from a business.
  • The right to be notified. If there has been a breach compromising your data, you have a right to be informed within 72 hours of the company first becoming aware of the breach.

What Do You Need to Do Now as a Business?

Review your data collection and store all your data in accordance with the GDPR. You’ll need to get clear consent from people before adding them to your contact lists. And you’ll need to be able to provide people with any information you hold about them if they ask.

This might sound like a hassle, but it’s also an opportunity for you to generate greater trust in your brand and to target your messaging more effectively. Being more mindful of how you collect and store personal data can encourage you to refocus your data collection efforts on quality over quantity—which will bring your business better results.

For multinationals there is lots to do, including appointing a Data Protection Officer in the EU, but for smaller companies it’s less onerous. The terms of the regulation can be likened to best practice guidelines for contacting people.

Areas of your marketing you should review now:

Email marketing

  • Change all your email subscriptions to double opt-in. This one’s a win-win, as you’ll also improve the quality of your email list: you know the addresses are real, and you know the people want to hear from you.
  • Check that your email lists show a source for each contact, and that you can show express (not implied) consent. You now need to maintain records of the consents you have – i.e. what you told your users and how they gave consent for you to contact them.

Customer relationship management (CRM) software or other automation tools

  • Centralize all personal data in one place.
  • Move spreadsheets such as Excel and Google Sheets into a central repository and delete all other sources.

PR strategy

  • You need to be able to show express consent to email EU journalists.

Recommended strategies for obtaining and storing data under GDPR

Data permission: obtaining consent

  • You need explicit consent from people to email, call them, or SMS them. Best practice is to request permission for each communication channel separately.
  • You cannot pre-tick boxes. No opt-outs.
  • You cannot assume permission, e.g. if someone purchases an item from you, you do not have permission to contact them about future offers.
  • Do not make marketing permission a condition of creating an account.
  • Do not lump marketing permission in with accepting the T&C of your company.
  • You need consent to store data about people. For example, if you are recording browsing data in a CRM, you must obtain consent for this.
  • You must explain concisely and in full, what you plan to do with the data you store.
  • You must maintain records of consent. Record the information you gave your users, the date they gave consent, and how you obtained consent. If you change up your data-capture tactics regularly, you’ll need to keep a copy of your old sign-up forms when you change, so even in 12-18 months’ time you can say exactly what someone agreed to.
  • You should get parental consent for people under 16.

Data access: keeping data safe, and providing it when requested

  • Consider how you will deal with a request from an individual wanting a copy of the data you hold on them. You must provide a free copy of their personal data in electronic format if requested.
  • Have a process to delete all data on a person when requested.
  • Include unsubscribe links. Unsubscribing must be as easy as subscribing.
  • Have options for people to select which communications they do/do not wish to receive.
  • Have a crisis communications plan in place in case your customers’ data is breached. You have 72 hours to notify individuals of a data breach.

Data focus: keeping it as simple as possible

  • Only ask for data you really need, not the ‘nice to have’.
  • Communicate clearly what you will use the data for.


But I already have a large email database …

So glad you raised this. What do you do if you have an existing email database that includes EU residents? You have two options.

  1. Delete them all. The UK pub chain Wetherspoons did this. That’s certainly one way of handling risk! We wouldn’t recommend this. Your single greatest owned marketing asset is your email list.
  2. Re-qualify your existing EU subscribers. Let’s go with this one!

You need to obtain explicit permission from your EU email database to email them after 25 May. This will make your list MUCH smaller. Only 10-50% of an email list choose to opt in when re-qualified. How high that percentage is for you will depend on how good a job you’re doing as a marketer serving them relevant content.

But this is not all bad. In fact, it’s good, because re-qualifying your list makes it a better list. People who want to receive your emails are more likely to open your emails, and are more likely to buy from you.

Exceptions (but what about Brexit?)

  • If EU citizens are outside the EU, the GDPR will not apply.
  • Yaki Faitelson, CEO of Varonis, believes that generic marketing doesn’t count. In an article for Forbes he wrote: “For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply.”
  • If the UK proceeds with its plan to exit the EU, GDPR protections will not apply to UK citizens and residents. The current UK Data Protection Act 1998 protects them. However, if a UK citizen lives in the EU, they will be covered by GDPR, and UK businesses marketing to people in the EU will also be bound by the new legislation.

Does reading all this make you think you need to refocus your e-mail marketing efforts in 2018? Don’t worry. You’re not alone! We love e-marketing, but it’s not easy. If you want to bounce some direct marketing ideas around, get in touch with Christine.
