The impact of General Data Protection Regulations (GDPR) on your customer marketing


New regulation enforces changes in Marketing

On the 25th May 2018, new European Data Protection Legislation will become law and this will impact on the way you can communicate with your customers and prospects.

The General Data Protection Regulations is a European law that puts the onus on organisations to protect the data of their data subjects, i.e. your employees and any prospect or customer you hold personal data on.

Within Article 29 of the regulation, you have to consider the following seven areas for any living persons about whom you hold written or electronic personal data:



The approach is still to be finalised, but in general you need consent for all the personal data you hold. Importantly, this is retrospective, so historic data you hold is in scope.



You need to make it clear what data you are holding and how you are going to use it.



You need to have consent to profile the person’s data.


High Risk Processing

Processing of data can be either manual or automated; high risk data has new rules for storage and when in transit.



Not now required as everybody is opted in; furthermore, your processes and procedures are up for scrutiny.


Administrative fines

Much larger fines than before: 20,000,000 euros or 4% of total worldwide annual turnover, if greater.


Breach Notification

You must advise all data subjects if data has been lost.

You must report all breaches to the ICO.

As a data controller and/or a data processor you will have much stricter responsibilities.

The UK Government's Digital Office defines:
A data controller as any organisation that collects, processes or stores data.
A data processor as any organisation that collects, processes and stores data on behalf of the data controller.

Appointing a Data Protection Officer (DPO)

Most companies will need to appoint a DPO, either internally or as an external appointment. This can be an existing employee or an outsourced party, as long as they are residing in the European Union. The employee should also not have any conflicts with any other role they undertake, i.e. their role must not involve handling or storing data. Examples of such roles could be IT Manager, CRM Manager or Operations Director.

Appointing a DPO is optional for companies with fewer than 250 employees, but the recommendation is that all companies should do this.

Does Brexit change anything?

At first, a lot about the new regulation makes sense. The Data Protection Act of 1998 is outdated and, with over 90% of the world’s data being created in the last two years, you can understand why new legislation is required. Europe-wide legislation gives this impetus, though other global regions have differing approaches.


Source: Simon Kemp - We are social, Jan 2016

Regardless of whether the UK finally leaves the EU or not, the UK will inherit most existing EU laws, so we can expect this legislation to remain statute for the foreseeable future. Either way, the GDPR becomes law from May 2018, 10 months before the Brexit deadline.

Getting Ready

  • As a data controller the immediate action is to understand where and what data you hold by carrying out an audit

  • Ensure your processes and handling of data are secure

  • Consider writing a new privacy policy or updating your existing policy

  • Ensure you have the appropriate consent from your customers and prospects

  • Consider working towards removing data or anonymising it where you do not have consent

  • Look at appointing a Data Protection Officer

  • Understand how you will market to those data subjects for which you have consent

  • Work as a team to get ready and catch up regularly to monitor your progress towards compliance

Data Processors and the General Data Protection Regulation (GDPR)

Many companies have data processors (people processing data). Some are internal, but many companies outsource data processing within the European Union and some outside, e.g. foreign call centres, external BI consultants, overseas hosting providers, etc.

The first and most important thing is to understand the processing they are doing and make sure this complies with the GDPR. Within this it is important to ascertain whether the data processor is outsourcing to a sub-processor. This is far more frequent than most people think.

Offshore and Outsourcing outside Europe

This element is now simpler: the requirement is that any data processing outside Europe must ensure that EU regulation is followed and that there is a UK (or EU) based Data Protection Officer.

Any exceptions to the General Data Protection Regulation (GDPR)?

Well, simply no, not really; only that it does not apply to Member States processing personal data for the common foreign and security policy of the Member Union.

What next?

Delete Agency want to give our clients the confidence that we, as Data Processors, are looking after their data and providing robust recommendations.

We will work with you to:

  • Support any Personal Information Audits you need to conduct

  • Change any data capture forms you may have

  • Add or update your Privacy Policy

  • Improve the security of your data in line with your approach to compliance with the new legislation:

  • Consider best approach to removal of data subject(s):

Finally, we are here to support you with advice and guidance on how best to approach this new legislation and will work to achieve the best way for you to comply.