GDPR: The Basics that Every Digital Marketer Needs to Know

By Kristin Carpenter-Ogden

This post will provide a general – not comprehensive – overview of the General Data Protection Regulation (GDPR) that goes into effect on May 25, 2018. You will come away with a basic understanding of how this sweeping European Union legislation affects your business, regardless of where it is based, and changes you’ll need to make to your digital marketing efforts. The goals are to raise awareness of GDPR, suggest some solutions, and help shape informed questions to explore with your digital marketing, IT, data management, and legal teams.

Speaking of legal teams:

A quick disclaimer that even though we’re discussing a law, nothing in this document can – or should – be construed as legal advice. Further, GDPR is a new law, so most interpretations haven’t yet been tested. This document aims to capture the middle ground of where lawyers, technical experts and digital marketing experts agree around proposed best practices. Please confirm your proposed strategies and policies with your own technical and legal teams.

ENTER THE GDPR: What is it and who needs to comply?

GDPR stands for General Data Protection Regulation. It is a law passed by the European Union in April 2016. Following a two-year transition period, it goes into effect on May 25, 2018. While it looks to be setting the trend for global best practices, it is only enforceable for EU citizens (and global companies that interact with EU citizens).

The primary intent of GDPR is to provide common sense privacy practices. Effectively, it gives consumers more control over how their data can be collected and used. An additional intent is to offer consumers some protection from the commercialization of their online, personal data. The law has been celebrated as a “win” for private citizens.

GDPR applies to consumer data points, such as: email addresses, payment information, physical addresses, names, health and genetic data, racial/ethnic data, political opinions, personal data such as sexual orientation, IP addresses, device IDs, location data, cookie identifiers, radio frequency ID tags, and more.

In broad stroke terms for marketers, GDPR covers:

  • Consent
  • Data access and security
  • Data processing

Who needs to comply?

  • Any organization operating (for profit or not) in the EU must comply.
  • Outside of the EU, GDPR applies to any organization interacting with and collecting data from EU citizens.
  • In other words, regardless of where your business is based, if you use any means to collect data (digital or otherwise) on an EU citizen or an EU citizen is on your email list, you must meet compliance in your interactions with those customers.
  • NOTE: The law only protects EU citizens. So theoretically, if you never interact with any EU citizens, you could technically ignore GDPR. However, it seems to be a precursor to global best practices and the new standard for consumer privacy expectations everywhere.
  • If you participate in any form of digital marketing, including (but not limited to): emailing, list-building, social media, online ad buys, surveys, lead scoring, lead magnets, automated tracking, retargeting/remarketing, commerce of products or services, behavioral analysis, or other direct and indirect online interactions with your customers, you need to be aware of the GDPR. If, in any of those efforts, you interact with an EU citizen, you must comply.
  • In legalese, organizations with fewer than 250 employees may be eligible for limited exclusions. But in practice, very few will qualify. It’s best to assume you need to comply. Definitely consult with a lawyer if you seek exclusionary status.

Be aware that the GDPR has teeth!

Penalties for non-compliance can go up to $23.8 million (20 million Euros) or 4% of annual revenue (called turnover in the EU), whichever is greater.



GDPR FOR MARKETERS: Consent (opting in and opting out) data access, data security and data processing 

Since the main gist of the law is providing consumers more control over what data they share and how they allow organizations to use that data, consent is a central tenet. It extends beyond direct “opt-ins” for emails to the use of cookies, IP identification, and all the other points of entry through which a marketer may identify and gather data.

CONSENT: Opting In

The issue of consent is arguably the most immediate and wide-reaching, and the standards for marketers will be higher under GDPR than they are currently. The majority of the changes revolve around providing more clarity for customers in the process of requesting consent and opting out.

Three guiding principles of consent under the law are that it must be transparent, specific and granular. (Note: Additional consent terms are part of GDPR. In our analysis, they mostly distill into these three.)

  • Brands must provide transparent and unambiguous descriptions of the consent they are requesting.
  • Brands must be specific and concise around consent. Brands cannot bundle consent with other offers or other data points.
  • Brands must allow for granular – or separate – consent, meaning consumers have the option to engage with the organization in some ways and not engage in other ways.

Opt-in Consent: Bottom line and best practices

The bottom line is that customers have more clarity around opt-ins. This is an important aspect to the law because it gives consumers choice around what type of information they want to receive and what data they’re willing to share and when.

A few best practices:

  • Consent must be deliberate by the consumer, also called a “positive opt-in.” This means pre-checked opt-in boxes are no longer allowed.
  • Blanket consent (to receive other types of information or track other types of data) is no longer allowed.
  • Relevant and updated privacy policies should be clearly written and posted on your site.
  • UK-based communications powerhouse Edelman recommends the following consent practices:
    • Consent must be separate from terms and conditions (i.e. it can’t be buried in the fine print)
      • Even though Google, FB and other large engines may find loopholes to this practice, brand marketers should not try to do the same.
    • Consent shouldn’t be a pre-condition for a service. This one is a little ambiguous, so rely on the terms invoked in the law: ‘specific’ and ‘transparent.’
      • Basically, if a marketer is offering a product, service or sale, the consumer can’t be compelled to opt-in to anything not required to complete that transaction.
    • Prior to (or during) opt-in, marketers should transparently note who processes the collected data in-house and name any third parties who may have access.
      • NOTE: Data collectors (the business) and data processors (a third party) share equal culpability if either one is out of compliance.
    • Notes specific to email marketing
      • The law is a bit ambiguous around this topic. Though best practice opinions aren’t unanimous, most experts recommend the following:
        • Post an updated privacy policy specific to email.
        • Leave an unchecked box for consumers to acknowledge they were given direct access to it.
        • At the bottom of forms, provide an empty opt-in checkbox asking consent to be added to other marketing lists, if applicable.
      • Consent for data gathering from website usage
        • GDPR requires that websites provide transparency around cookie usage and allow for opt-outs.

CONSENT: Opting out and the “right to be forgotten” mandate

The consumer’s “right to be forgotten” mandate is a key part of the law. This means users can request to have any or all of their data deleted at any time, and organizations must comply in a time-sensitive manner. Marketers are expected to have reliable, user-friendly systems in place, with the same specific and granular rules in effect.

The consumer is now in charge of precisely what data organizations are allowed to access. And the bottom line is that opting out needs to be as easy, quick and user-friendly as opting in.

Ambuj Kumar provides a great technical tip for managing consent: ask your IT team about encrypting each user’s data under a single key and managing those keys centrally, so that a user’s data can effectively be switched off (or back on) by disabling or enabling the key as requested.

*A CRITICAL BEST PRACTICE* Keep consent records. Use a centralized log of all users who opted in and opted out.
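The two practices above (a central consent log, and per-user encryption keys that can be switched off) as one added example in Python; this is illustrative code written for this post, not Ambuj Kumar’s or any vendor’s implementation. The class name, the three purposes, the sample data and the SHAKE256-based keystream (a stand-in for a real cipher) are all assumptions.

```python
import hashlib, secrets

def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # SHAKE256(key || nonce) as a keystream keeps the example on the standard
    # library; production code should use an AEAD such as AES-GCM instead.
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

class ConsentLedger:
    PURPOSES = {"newsletter", "product_updates", "analytics"}  # assumed set

    def __init__(self):
        self._keys = {}     # subject_id -> key; the only copy anywhere
        self._records = {}  # subject_id -> (nonce, ciphertext of personal data)
        self.log = []       # append-only (subject_id, purpose, event) entries

    def opt_in(self, subject_id, purposes, personal_data: bytes):
        # Positive, granular opt-in: one explicit purpose per entry, no bundling.
        if not purposes or set(purposes) - self.PURPOSES:
            raise ValueError(f"invalid purposes: {sorted(purposes)}")
        key = self._keys.setdefault(subject_id, secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)
        self._records[subject_id] = (nonce, _stream_xor(key, nonce, personal_data))
        self.log.extend((subject_id, p, "opt_in") for p in sorted(purposes))

    def opt_out(self, subject_id, purposes):
        self.log.extend((subject_id, p, "opt_out") for p in sorted(purposes))

    def forget(self, subject_id):
        # Right to be forgotten: dropping the key makes every copy of the
        # ciphertext (backups included) unreadable; the log keeps the audit trail.
        self._keys.pop(subject_id, None)
        self.log.append((subject_id, "*", "erased"))

    def consented(self, subject_id):
        # Current consent is replayed from the log, so it is always explainable.
        active = set()
        for _, purpose, event in (e for e in self.log if e[0] == subject_id):
            if event == "opt_in":
                active.add(purpose)
            elif event == "opt_out":
                active.discard(purpose)
            else:  # "erased": nothing may be processed any more
                active.clear()
        return active

    def read(self, subject_id):
        if subject_id not in self._keys:  # key destroyed -> data unreadable
            return None
        nonce, ct = self._records[subject_id]
        return _stream_xor(self._keys[subject_id], nonce, ct)
```

After `forget()` the encrypted record is still on disk but `read()` returns `None`, which is what makes the key store, not the data store, the place to enforce an opt-out.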

DATA ACCESS

Consumers have the right to access any of their data you manage. In the spirit of specificity and granular access, they must be allowed to determine, item by item, what they are willing to share with you.

If you use a CRM program, ask how it will manage data access and confirm that the processes for consumers to access their data are streamlined and easy.

DATA SECURITY

Under GDPR, any breaches of security must be reported within 72 hours to everyone affected. Security experts recommend initiating processes for data removal quickly and effectively, and planning to review, secure and purge all databases and systems regularly.

DATA PROCESSING

The GDPR’s data-processing rules are somewhat ambiguous about what an organization should implement. Basically, marketers are only allowed to process the data they need. Collecting beyond what is “needed” may compel the marketer to provide legal justification for why additional personal data is being collected and processed.

The ambiguity is in the definition of “needed.” Admittedly, workarounds that are counter to the spirit of the law are already popping up. We don’t recommend them.

If you want to follow the law without crossing the line: only ask consumers for what you need to get the job done. Steven MacDonald advises: stop asking for the “nice to haves.” If data collected leads toward a specific end, you should be fine.

NEXT STEPS: What to do now

Update all of your lists THAT INCLUDE EU CITIZENS to gain specific consent before MAY 25, 2018. This is mandatory. If you have a list pre-dating May 25, you must revisit that list and ask all EU members to opt in again. Technically, if EU citizens don’t opt in under the GDPR consent best practices (above), you must delete them from your list.

NOTE: Most email management software will indicate if a consumer is from the EU or not. If not, most experts are veering toward the conservative side of including “unknown origin” emails into the revised consent opt-in process.

1. Should you update all of your lists – including non-EU consumers? Technically, you don’t need to request this consent from non-EU citizens to keep them on your list. That said, some organizations are applying the same standards to all consumers.

Pros: It’s an opportunity to:

  • Clean and refine your lists to represent engaged consumers
  • Build trust and transparency with all subscribers by acknowledging that you value their privacy
  • Get in front of your audience
  • Identify true brand loyalists: those who re-opt-in are high-quality leads

Cons:

  • You will lose a significant number of subscribers. It’s just the way it goes.
  • There is always more effort in gaining a new subscriber than in keeping an existing one.

2. Establish new consent and data practices to go into effect no later than May 25

3. To do the above, establish a data management team and GDPR compliance rules

  • Many EU-based and global firms are hiring data protection officers
  • Regardless, coordinate your security, privacy, IT, legal, business operations and infrastructure operations teams

4. Review a more comprehensive checklist for GDPR compliance for U.S. firms. One option is the checklist published by TBG Security.

6 Principles of GDPR

Credit: Amy Porterfield’s interview with Bobby Klinck (paraphrased and quoted below)

  1. Data should be processed “lawfully, fairly, and in a transparent manner.”
  2. Data shall be collected for specified, explicit and legitimate purposes. It cannot be held for some vague, future use.
  3. Data processing shall be limited to what is necessary for the purposes.
    1. You can’t collect every piece of info
    2. Once you have the data, you have to use it for the predetermined purpose.
  4. Data shall be accurate, kept up to date and collected.
  5. Data shall be kept in a way that it identifies the actual person no longer than is necessary.
    1. We need to delete identifying factors AFTER we’ve used the data for its predetermined purpose.
  6. Data shall be processed in a manner that ensures appropriate security.
    1. Hopefully you’re already doing this through SSL certificates and the like.

Kristin Carpenter-Ogden

Founder, CEO