How the GDPR Affects Digital Marketers

The General Data Protection Regulation (GDPR) is a European Union regulation enacted in 2018 to regulate the processing of personal data and enhance data protection rights for individuals. This Regulation applies to all organisations operating in the EU or processing the personal data of EU citizens and sets out strict requirements for obtaining, using, and protecting personal data. In this article, we look at how GDPR affects digital marketers. 

Covered in this article:

The Purpose of the GDPR 
The Impact of the GDPR on Digital Marketing
Implications of Non-compliance 
Benefits of GDPR Compliance 

The Purpose of the GDPR 

The General Data Protection Regulation (GDPR) provides for the protection of natural persons in respect of the safeguarding, processing and transfer of their personal data. Article 8(1) of the Charter of Fundamental Rights of the European Union regards data protection of natural persons as a fundamental right. The Regulation is intended to contribute to:  

• The accomplishment of freedom, security, justice and economic union
• Economic and social progress
• Building and promoting convergence of economies within the internal market of the EU; and
• The well-being of natural persons. 

The Regulation encompasses two broad categories of compliance – firstly, data protection; and secondly, data privacy.

Data protection deals with the safeguarding of data from unauthorised access; it is the process of protecting sensitive information from damage, loss and/or corruption. Data protection covers three broad categories, including:

• Traditional methods of data protection, for example, backup / restore and data retention
• Data security, such as encryption, authentication, and access controls as well as loss prevention; and
• Data privacy, for example, legislative requirements, data governance, policies and procedures.

Data privacy within the GDPR framework deals with giving people the ability to make their own decisions around who can process their data and for what purposes; it involves the control processes around sharing of data with third parties, how and where the data is stored, and the specific regulations applicable to these processes. 

The Impact of the GDPR on Digital Marketing 

With the GDPR being regarded as the toughest global privacy and security law, businesses have been forced to reconsider how they deal with personal data. Digital marketers in particular have had to carefully consider their activities within the confines of the framework established by GDPR. The Regulation requires compliance from organisations worldwide – regardless of whether they are based in the European Union. As long as your business targets or collects data related to persons in the EU, you have the obligation to comply with the GDPR requirements.

There is no doubt that the GDPR places a significant obligation on digital marketers to commit to open and honest data practices. As a core marketing activity, data collection is key to helping you and your client understand more about their target audience, consumer behaviours and preferences. Three critical GDPR issues impact the digital marketer's data gathering and collection practices: 

• Legal bases for processing
• Getting consent / opting in; and
• Opting out / withdrawing consent. 

Legal bases for processing 

In terms of Regulation, there are six legal bases for the processing of personal data. These are consent, contract, legal obligation, vital interests, public task, and legitimate interests. Digital marketers usually rely on consent as a legal basis for processing personal data. Because digital marketing is optional, you need permission to contact a person. If you do not get permission from the data subject for all the data you collect and intend to use for marketing purposes, you will be participating in unsolicited communication and you will have collected data without a legal basis. This will count as two violations of the GDPR.  It is a good idea to disclose not only the use of consent as a legal basis in your Privacy Policy but to also provide additional context – the John Lewis website has a good example of this type of disclosure. 

Getting consent / opting-in

Consent is no longer implied. As a digital marketer, you specifically need to gather the consent of the customer. Once you have that consent, it also does not mean you automatically retain such consent forever. Consent must be active - it must be freely given, be specific, unambiguous, and informed, and be reflected by a clear affirmative action (opt-in) from the customer. Where the processing of personal data is based on consent, both controllers and processors must be GDPR compliant and be able to demonstrate that the data subject has consented to the processing of their personal data. 

Opting out / withdrawing consent 

A data subject has the right to withdraw their consent at any time and the Regulation requires that you make it easy for them to opt-out – for example, by including an "unsubscribe" function on emails and texts and allowing the customer to set their communication preferences on their account. 

Implications of Non-Compliance

As with many laws and regulations, non-compliance can be costly, not only in terms of monetary costs but also in terms of the impact on your business reputation. This is definitely a risk that should be included on your entity's strategic risk register and monitored continuously. When it comes to the GDPR, the monetary liability in the event of non-compliance is even more significant.

The Regulation regards some violations as more severe than others, but even a lesser infringement could result in a fine of up to €10 million, or 2% of the entity's worldwide annual revenue from the preceding year, whichever amount is higher. Transgressions falling into this category pertain to, amongst others: 

• Controllers and processors not adhering to rules governing data protection and the lawful basis for the processing of data
• Certifications and certification bodies not executing their evaluations and assessments in a transparent and unbiased manner; and 
• Monitoring bodies accredited to monitor compliance with codes of conduct, not demonstrating independence and not following proper procedures in dealing with complaints. 

More serious violations, such as failing to have evidence as proof of a person's consent to allow the organisation to process their data, or denying the data subject's rights, can attract fines of up to €20 million, or 4% of the entity's worldwide annual revenue from the preceding year, whichever amount is higher.

The above fines are merely administrative in nature. Article 82 of the Regulation also allows data subjects to seek compensation from entities that cause them material or non-material damage due to GDPR non-compliance. 

Benefits of GDPR Compliance 

As much as the penalties for non-compliance with the GDPR may be cause for concern, there are also benefits to adopting, implementing, and monitoring the Regulation. Compliance can help to improve the efficiency, security, and competitiveness of your organisation. Key benefits include: 

• Enhanced cybersecurity – the cost of data breaches and organisational downtime resulting from theft or loss of critical data can have an enormous impact on businesses. Following the GDPR can help you strengthen cybersecurity within your entity. You can improve the overall health of your data protection workflows and streamline security monitoring activities. This can help to reduce the risk of cyber-attacks through ransomware, phishing, malware, and more. Suppose one considers that in the first half of 2022, there was a 42% global increase in weekly cyber attacks from prior years, with an additional 15 million data records exposed by quarter 3 of 2022, due to data breaches. In that case, the benefits of enhanced cybersecurity for your business are likely to outweigh the costs. 
• Improvement in data management – knowing what sensitive information you do have, how you have collected it, and how you are storing it, will help you to refine your data management processes. A data cleanup exercise can help you to reduce storage and processing costs while erasing sensitive redundant, obsolete, and trivial (ROT) files - files that are unlikely to provide you with any tangible business value but expose you to the risk of non-compliance with the GDPR and other data privacy regulations. In addition, you will be able to more easily handle data subjects' requests - your data will be globally searchable and indexed. 
• Improved Marketing Return on Investment (ROI) – implementing an opt-in policy and maintaining evidence of the data subject's consent to process their personal data can help you streamline your database of leads, prospects, and clients who actually want to engage with you. You can tailor your marketing efforts to result in a much higher click-through and conversion rate since you will be speaking to a more clearly defined audience. 
• Promoting trust and loyalty – people do business with organisations that they trust. To ensure that you are GDPR compliant, you will need to clearly state what, why, and how you will be using people's personal information. By following the rules, your business can demonstrate transparency, responsibility, and accountability, which can improve trust and loyalty with your target audience. Ultimately, this can go a long way to enhancing your brand reputation. 

When it comes to GDPR and digital marketing, the key takeaway is transparency – you cannot market to people if they don't know you are marketing to them, and you cannot market to them without their consent, which must remain valid throughout the customer journey. You also need to let customers know exactly what they are consenting to and make it easy for them to withdraw their consent at any time. Understanding the requirements of the GDPR and ensuring that you work with your clients to help them achieve GDPR compliance is only one way in which digital marketers can add value to the customer journey.