GDPR explained: A guide for global marketing teams

25th May 2018. A day that transformed the way that marketing teams across Europe and beyond handle their customers’ data.

Since its inception, GDPR (The General Data Protection Regulation) has compelled companies globally to take tighter precautions over how they request, use and protect people’s personal data. This applies to any organisation that collects data from people in the EU – with the backing of harsh fines for anyone that strays outside its regulations.

Marketers have felt the impact of GDPR more than most. Whether it’s building a database of prospects for an email marketing campaign, or producing personalised portals for customers, these teams are often responsible for capturing and managing a lot of personal data.

Therefore, it was somewhat concerning that prior to the law coming into effect, 41% of marketers admitted to not fully understanding the law or best practice for using personal data.

For anyone still in that situation, this article will reemphasise the importance of GDPR, and outline the ways global marketing teams can secure long-term compliance.

Understanding the importance of GDPR in marketing

In today’s data-driven world, it is no wonder that personal data is considered more valuable than oil. It directs the ways that brands communicate with their audience and set themselves apart from their competition. Personal data informs:

  • Improved customer experiences
  • Clearer marketing strategies and objectives
  • Targeted campaigns
  • Personalised messages

The value of personal data is undisputed in marketing – and this makes achieving GDPR compliance essential as, without it, the benefits that this data offers can be replaced by hefty financial penalties.

The maximum fine that a company can receive for failing to keep its records in order, or for a data breach, is 4% of its annual turnover or €20 million – whichever is greater. This isn’t an idle threat either, as many brands have fallen victim to it over the years:

  • British Airways was forced to pay over €26 million for a 2018 data breach affecting 420,000 customers and employees
  • H&M was fined €35 million for keeping illegal surveillance of several hundred employees
  • Wind received a €17 million fine for several instances of unlawful data processing related to direct marketing

While the scale of these fines can have an immediate crippling impact on organisations, the ramifications on a brand’s reputation following a data breach or GDPR fine can be even more devastating. It takes a long time to build customer loyalty, but incidents such as the above can cause it to crumble in an instant.

57% of consumers don’t trust brands to use their data responsibly (CIM)

So for marketing teams, who often rely heavily on customers’ data to inform strategies and produce more targeted, focused campaigns, failure to comply with GDPR doesn’t just put you at risk of massive fines – it can destroy the trust you have established with your audience.

The international reach of GDPR

Furthermore, as highlighted earlier, GDPR does not simply apply to companies based in Europe. Any organisation that collects personal data from customers in the EU can find themselves subject to the same penalties if they breach GDPR.

This was reemphasised in a Court of Justice of the European Union ruling in June 2021, which ruled that U.S.-based companies Google, Twitter and Apple – who all have their European headquarters in Dublin – can be taken to court by any national data protection authority if there are cross-border data processing activities.

Put simply, this means that just because these brands are based in Dublin, it is not only Ireland’s data protection regulator that can investigate and challenge them for breaching GDPR. Any EU country’s authority can do so on behalf of its own citizens.

Even if your company sells products online to customers in the EU without having a physical presence in the EU, you must designate a national data protection authority to represent you in the EU to ensure you comply with GDPR.

Moreover, although the UK is no longer part of the EU after Brexit, it will maintain an “EU-equivalent level” of personal data protection, as this is necessary to preserve the free, uninhibited flow of data between the UK and the EU.

Therefore, regardless of where marketing teams are based, if they have locations in the EU or interact with customers from these countries, maintaining compliance with GDPR is crucial to avoiding any future issues.

What do marketing teams need to know about GDPR?

On the surface, GDPR regulations can appear complex and daunting. So here we’ll cut through the details and concentrate on the information that marketers need to worry about.

First, let’s start with a key question – what is personal data? According to GDPR, personal data encompasses anything that could be used to identify a person, either directly or indirectly. This includes:

  • Names
  • Email addresses
  • Phone numbers
  • Home address
  • Location information
  • ID numbers
  • IP addresses
  • Usernames and online pseudonyms

In order to lawfully process this personal data under GDPR, companies have to fulfil one of the six legally accepted reasons to do so:

  • Consent
  • Contractual necessity
  • Compliance with legal obligations
  • Vital interests
  • Public interests
  • Legitimate interests

Consent is the most actively employed of these reasons by marketing teams (although legitimate interests may apply to some direct marketing activity). Here, it is crucial that consent is always freely given and never assumed – consumers must be aware of who you are, why you want their data, and how it will be used.

This information has to be clear, and it has to be the consumer’s choice whether they share their personal data with an organisation. This means you cannot:

  • Use automatic opt-in functions
  • Use a pre-ticked opt-in box
  • Use confusing or misleading language in your privacy policy
  • Bundle multiple activities into one consent form – consent must be attained for each separate activity

Furthermore, it must be just as straightforward and clear for customers to withdraw their consent as it is to grant it. Whether this is the inclusion of an unsubscribe button on email newsletters, or direct correspondence asking to have personal data erased from a company’s records, marketing teams must take efforts to uphold a person’s “right to be forgotten.”

5 tips for marketers to secure GDPR compliance

1. Be transparent about data collection

First, as discussed earlier, it is crucial that customers are aware of the data you are collecting from them and what the data will be used for. Consent must be clear, explicit and unambiguous – anything less can land companies in hot water.

To ensure complete transparency over data collection, consider the following:

  • Is your website’s privacy policy up-to-date, accurate and containing all the information that customers need regarding the use of their personal data?
  • Does your website make clear that it uses cookies to collect people’s personal data, and gives them control over what they are willing to share?
  • Do your contact or download forms contain links to this privacy policy, and require the customer to confirm they have acknowledged them?
  • Do any contact forms presume consent, be it via a pre-filled tick box or a lack of a distinct opt-in feature?

2. Establish clear opt-out systems

As every person has “the right to be forgotten” in relation to their personal data, it is critical that marketing teams make it easy for people to opt out of any communications they receive from a company.

Email marketing is a major example of where this is important. Incorporating an unsubscribe button on every email distributed, or providing a space where users can manage what information they want to receive from brands, is vital to staying compliant when customers’ preferences change.

Even though this feels like common knowledge for many at this point, it is estimated that 8% of all marketing emails do not include an unsubscribe link.

3. Audit databases regularly

It is useful to check your marketing or website databases, either quarterly or annually, to verify that your data collection processes still follow best practice, and that nobody who unsubscribed from your correspondence is still listed in your active database.

A regular audit can highlight any holes in your approach – holes that could cost your company significantly if they are not addressed. If a data breach occurs and you are still in possession of personal data that you should no longer have, the financial and reputational repercussions can be substantial.
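To make tips 1 to 3 concrete, the following is an added example (not code from the article or from BAM) of a per-purpose consent ledger: it refuses pre-ticked or assumed opt-ins, makes withdrawal a single call, and audits active mailing lists for contacts whose consent has lapsed. The purpose names, field names and sample addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Each marketing activity is a separate purpose; consent is recorded per purpose,
# never bundled into one form (hypothetical purpose names).
PURPOSES = {"newsletter", "product_updates", "event_invites"}


@dataclass
class Consent:
    purpose: str
    source: str                          # where it was captured, for the audit trail
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def is_live(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class Contact:
    email: str
    consents: List[Consent] = field(default_factory=list)

    def grant(self, purpose: str, source: str, box_ticked: bool, box_preticked: bool) -> None:
        """Record consent only for an affirmative, un-pre-ticked opt-in."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        if box_preticked:
            raise ValueError("a pre-ticked opt-in box is not valid consent")
        if not box_ticked:
            raise ValueError("consent must be freely given, never assumed")
        self.consents.append(Consent(purpose, source, datetime.now(timezone.utc)))

    def withdraw(self, purpose: str) -> None:
        """Withdrawing is one call, as straightforward as granting."""
        for c in self.consents:
            if c.purpose == purpose and c.is_live():
                c.withdrawn_at = datetime.now(timezone.utc)

    def has_consent(self, purpose: str) -> bool:
        return any(c.purpose == purpose and c.is_live() for c in self.consents)


def audit(lists: Dict[str, List[Contact]]) -> List[Tuple[str, str]]:
    """Return (purpose, email) pairs still on an active list without live consent."""
    return [(purpose, c.email) for purpose, contacts in lists.items()
            for c in contacts if not c.has_consent(purpose)]
```

Running `audit` over every active list on the schedule from tip 3 surfaces exactly the records that should already have been removed.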

4. Report data breaches immediately

With GDPR, honesty is the best policy. Attempting to cover up a data breach will not only invite maximum fines when it is discovered, but may also cause irreparable damage to your brand’s reputation, making it unlikely that customers will trust you with their data again.

Instead, report any data losses, theft or accidental transfers as soon as possible. This will not only limit the fines that your company will have to pay for this incident, but it can also help you save face with customers. While some will lose trust in a culpable brand for good, for others this quick response and admission can be the first step in restoring people’s faith.

5. Focus on employees as well as customers

Finally, it is important that companies aren’t only protecting the personal data of their customers, but their employees too. As the H&M example earlier illustrates, failure to obtain a person’s permission to use their details or imagery can have expensive consequences – as well as implications for your employer brand.

This is especially important for marketing teams, as employee-generated images and videos are like gold dust when it comes to showcasing your company culture to potential candidates. However, if you don’t have your employees’ consent to use these assets in your marketing, they have every right to complain.

BAM by Papirfly™ can prevent this possibility. Our platform empowers your employees – regardless of design skills or experience – to create their own content in a matter of minutes. Everything produced is completely professional and totally on-brand thanks to BAM’s intelligent, custom templates.

Once assets are created, users can immediately upload them to the in-built DAM system and approve their usage in upcoming campaigns. Our GDPR Consent Manager makes sure that images with identifiable persons are only available to download, send or use in templates if that identified person has given consent.

Plus, if they only want these assets to be used for a limited time, all assets can be set to auto-delete after a certain period. An identifiable person can receive a link to a page containing all photos they’re included in – from here, they can revoke all photos, as well as delete any produced creatives that use these photos.

This prevents content from being published when there is no longer consent, or if the employee leaves the company.

Achieve compliance with BAM

GDPR has had – and will continue to have – a substantial impact on how marketers globally collect, use and store personal data. Compliance is key both to avoiding massive fines that can hinder your company’s future and to avoiding irreparable harm to your brand’s reputation.

We hope this article has emphasised the importance of compliance, and given you some food for thought over how you are maintaining this with your customers and employees. GDPR will not disappear anytime soon – if there are still holes in your approach, now is the time to address them.

BAM by Papirfly™ can be a valuable tool to ensure compliance across your employee-led content. If you would like to learn more about this feature, or how BAM enhances the speed, consistency and cost-effectiveness of your marketing production, book your personal demo today.