Peter Gough
Managing Partner & Founder

On 25th May 2018 a new law will regulate how data is collected, handled and used within Europe. Put simply, it will move us from an opt-out to an opt-in world. The new legislation will have a massive impact on how marketing teams operate and the way we do business. Here we’ve outlined how:


1. GDPR is an update of the 20-year old data protection regulation. It’s designed to harmonise data regulations across the region and create consistency about how those regulations are interpreted.


2. GDPR is about protecting people’s human rights and protecting customer data from corporates who may mishandle it.


3. In a post-GDPR world, consumers will have to opt-in and say ‘I want to hear from you’.


4. From May 25th you will have to explain why consumers should sign up for an email, or communication of any kind.


5. How you market to people will change. You can offer an existing customer, who has recently bought something from you, a soft opt-in option (i.e. you don’t have to ask them to opt-in, but they must be given the option to opt-out at any time).


6. For prospects on your list, i.e. anyone who has not bought something from you, you’ll have to ask them for their permission to communicate with them (this is called re-permissioning).


7. You can’t keep data you hold on people forever. The ICO guidance says you can only hold data for up to two years, unless your business cycles are longer.


8. You will no longer be able to use and handle third-party data without consent.


9. You will not be able to profile customers’ habits and make a decision that may negatively impact their life i.e. not offer them a mortgage.


10. You can still use anonymised data or aggregated data against, say postcodes, to understand your patterns of sales, this is permissible as a “legitimate interest”.


11. You will need to be transparent about when you are collecting data, why you are collecting it, what you’re going to use it for, and say where you’re going to keep it.


12. You should keep all of your customer data in a single database.


13. You need to keep an audit trail of all of the interactions you have with your customers – including dates, what’s been sent, how they responded, what they bought.


14. Customers will have the right to ask to see all the information you have on them at any point.  


15. Preference centres are not legally required, but they enable the consumer to see a list of all the communications they’ve signed up for which they can change at any time.


16. The DMA’s ‘Customer Attitudes to Data’ research shows that consumers really want control, and they want to know what’s in it for them. Why should they share their data with you, what’s the incentive?


17. A number of software companies are producing plugins for businesses’ databases to help them manage all customer preferences.


18. Data protection officers should be responsible for looking after your customer’s information, providing security and data protection.


19. IT departments must encrypt laptops, ensure emails have a two-step authentication login process, ensure servers are secure, and conduct penetration testing to ensure there isn’t a data breach.


20. A data breach will attract huge fines and cause massive embarrassment to your company as the ICO will name and shame.


21. The marketing team should talk to the CRM data team to ensure their clients are data compliant.


22. Large organisations, that deal with sensitive data, need a person at board-level, such as the finance director, to be responsible for the data, or a Data Protection Officer who can report into the board neutrally.


23. It’s not all bad news! When the Royal National Lifeboat Institution re-consented its entire database, and its list went from 900,000 to 300,000, its next marketing campaign had a much higher response rate – it actually tripled the average donation value it received.


Come and talk to us about how you become GDPR ready. ORM builds GDPR compliant website and application products, portals and tools for our clients and their customers.


This blog is not an exhaustive list of how to achieve GDPR compliance. For more information and advice on the GDPR visit the UK's Information Commissioner's Office website or consult a specialist GDPR legal team.