GDPR explained: A guide for global marketing teams

25 May 2018 was a wake-up call for the marketing world.

Since that day, when GDPR (General Data Protection Regulation) was introduced, every organization has had to rethink how it collects, uses, and protects data from people in the EU. It doesn’t matter where you’re based – if you have customers in the EU, GDPR applies to you. And if you break the rules, the penalties can be eye-watering.

Marketing teams have felt the impact of GDPR more than most. Whether building a prospect database for email campaigns or creating personalized customer portals, they are often the ones responsible for capturing and managing personal data. And yet most marketers are not compliance experts. How can they be sure they’re getting GDPR right?

This guide is here to help, providing insight into why GDPR matters, what it means for your marketing activity, and how you can make compliance second nature.

If you would like GDPR explained, read on.

Why GDPR matters in marketing

Personal data is the currency of modern marketing and digital content creation. It fuels:

  • Personalised, relevant customer experiences
  • Smarter, data-driven campaigns
  • Sharper targeting and higher ROI

But with great value comes great responsibility. Fail to follow GDPR, and you’re not just risking your company’s reputation and eroding brand trust. You also risk fines of up to €20 million or 4% of global turnover (whichever is greater).

And these fines are no idle threat. British Airways was forced to pay over €26 million for a 2018 data breach affecting more than 400,000 customers, while H&M was fined €35.3 million for illegal surveillance of employees.

The international reach of GDPR

Just because GDPR is an EU regulation does not mean it only applies to companies within the EU. If you collect data from EU citizens, then GDPR applies to you, no matter where your organization is based.

This was underlined by a 2021 EU Court of Justice ruling, which found that big tech companies with European headquarters in Dublin can be taken to court by any national data protection authority if there are cross-border data processing activities.

Marketers targeting UK citizens aren’t off the hook either. Despite quitting the EU, the country has retained GDPR regulations in domestic law – so the same rules still apply.

In short: if your campaigns interact with customers from the EU or UK then your company is impacted by GDPR.

What is personal data and when can you use it?

GDPR defines personal data as anything that can identify someone directly or indirectly. This includes everything from names, phone numbers, emails, and home addresses to IP addresses, ID numbers, and online pseudonyms.

Under GDPR, there are six lawful bases for collecting and processing personal data. These are:

  • Consent (you have the individual’s consent to process the data for a specific purpose)
  • Contract
  • Legal obligation
  • Vital interests (to protect someone’s life)
  • Public task (because it’s in the public interest)
  • Legitimate interests

Consent is the most common basis for marketing teams – and, crucially, consent must always be given freely and never assumed. In other words, it has to be the consumer’s choice to share their personal data with you – or not.

This means:

  • No pre-ticked boxes or default opt-ins
  • No confusing privacy policies
  • No bundling multiple permissions into one tick box

You must also make it just as easy to withdraw consent as it is to give it, for example by including an unsubscribe button in email newsletters.

5 tips for marketers to secure GDPR compliance

1. Be transparent about data collection

You need to make it crystal clear what data you collect from people and why. Consider:

  • Is your website’s privacy policy accurate and up to date?
  • Do contact or download forms contain links to your privacy policy?
  • Do you make it clear you use cookies to collect personal data and give people control over what they share?

2. Establish clear opt-out systems

The right to be forgotten is a key principle of GDPR. Make sure customers can easily manage what they receive from you. Every email you send should have a visible unsubscribe link.

3. Audit databases regularly

Check marketing or website databases once a year or even once a quarter to verify you are maintaining best practice. This is an opportunity to remove outdated or unconsented data, and to identify any holes in your approach before they escalate into costly breaches.

4. Report data breaches immediately

With GDPR, honesty is the best policy. Report any data losses, theft or accidental transfers as soon as possible. Any attempt to cover up breaches will likely lead to maximum financial penalties and heavy damage to your brand reputation.

5. Focus on employees as well as customers

Just like customers, employees have rights over their personal information. If you use employee-generated images or videos in your marketing or employer branding, you must ensure you have each employee’s consent.

The easy way to ensure GDPR compliance for global marketing teams

Papirfly’s Digital Asset Management (DAM) solution helps global marketing teams safeguard every aspect of privacy and consent by automating compliance when managing digital assets. Our DAM software includes a GDPR consent manager tool to ensure:

  • Images with identifiable people are only used with permission
  • Content is automatically withdrawn the moment permissions expire
  • People have the ability to review and revoke their content anytime

Bottom line: GDPR isn’t going anywhere. And neither is the need to earn and keep customer trust. The sooner GDPR compliance becomes second nature in your processes, the stronger your brand reputation will be.

FAQs

Which organizations does GDPR apply to?

GDPR applies to any organization that collects personal data from people in the EU or UK – regardless of where the company is based. If your campaigns interact with these customers, you must comply.

What counts as personal data under GDPR?

Personal data includes anything that can directly or indirectly identify an individual, such as names, emails, phone numbers, IP addresses, ID numbers, home addresses, and even online pseudonyms.

What are the potential penalties for non-compliance with GDPR?

Fines can reach up to €20 million or 4% of a company’s global annual turnover, whichever is greater. This is in addition to the reputational damage that can be caused by illegal data breaches.

How can global marketing teams simplify GDPR compliance?

Papirfly’s Digital Asset Management (DAM) solution includes a GDPR consent manager tool that automates compliance across all digital assets. This ensures:

  • Images with identifiable people are only used with permission
  • Content is automatically withdrawn the moment permissions expire
  • People have the ability to review and revoke their content anytime