For many businesses, personalisaton is a key part of marketing campaigns. Providing highly relevant, if not completely tailored marketing content, helps businesses build rewarding relationships with customers. Personalisation needs a lot of customer data to be gathered and analysed. Even when there is no personalisation, effective e-mail and social marketing campaigns depend on the availability of personal data.

Personal data is gathered in many ways and at different points - from followers on social media, delegates attending events and even visitors to a website. The General Data Protection Regulations will have significant impacts on the collection and use of personal data. That is why it is extremely important for marketers to understand how GDPR impacts them and what they can do to prepare for GDPR compliance. However, GDPR need not make the marketing function harder. In practical terms, this becomes an opportunity for marketers to understand how and when customers want to be engaged. Marketers can use GDPR compliance as a mechanism to demonstrate respect for the rights of their customers and earn trust.

The primary impact of GDPR is that businesses will need to improve privacy settings in using personal data and offer customers enough information and choice in situations where personal data in being gathered. One of the founding data protection principles is that personal data ‘must be processed in a fair, transparent and lawful manner’. The processing of personal data must be fair to the data subjects. The intention behind GDPR is that there will be more transparency between businesses that collect and control the data as data controllers and the individuals whose personal data is being gathered. This may mean that a business which directs customers to a website form to collect customer data must communicate clearly to those customers what data is being gathered, where it will be stored and what the data is going to be used for.

Businesses can develop Fair Processing Notices (FPNs) or Privacy Notices that contain information that data subjects need about the processing of personal data so that they are aware of how they can exercise their rights under the GDPR. The format of the FPNs and precisely what they contain will depend on whether the information is being processed on a basis of legitimate interests, or consent or gathered from third parties. The FPNs will also need to contain specific clauses if there is automated profiling or decision making involved. The FPN must be written in language that is easy to understand and should avoid the use of technical terms, jargon or overly legalistic terminology. It must be easily accessible and presented legibly. In all cases, the FPN must contain information relating to the identity of the data controller, details of third parties with whom the data is being shared, details of data transfers to outside the EU, specific reference to the purpose and legal basis for processing and safeguards taken to protect the data. If the organisation employs a Data Protection officer, the details of the DPO must be included in the FPN. In addition, the FPN needs to indicate the retention period and the data subject’s rights including the right to complain to the ICO.

Whether the processing of personal data is lawful or not depends on meeting the criteria laid out in Article 6 of the Regulation. There are six lawful processing reasons prescribed in the GDPR. Consent is one of them. Only if businesses cannot claim contractual reasons or legitimate interests to process personal data, do they need to rely on consent. The GDPR has a much stricter definition of consent. Under the existing regulations, consent could be inferred from action or even inaction in circumstances where the action or inaction clearly signified consent. This paved the way for an “opt-out” consent mechanism. The GDPR requires businesses to obtain the data subject’s agreement by “a statement or clear affirmative action. Consent must be “opt-in” and not “opt-out”. While seeking to obtain consent, the business must provide sufficient information on what purpose consent is being sought for. Moreover, consent must be obtained through clear affirmative action initiated by the customer. This means pre-ticked boxes will no longer be possible.

Fairness in processing includes data minimisation i.e. collecting data that is relevant and limited to the purpose of processing. Therefore, marketers need to address the changes while bearing in mind that many of the GDPR’s main principles are similar to the provisions in the current Data Protection Act or Privacy and Electronic Communications Regulations. If a business is complying with the current law, its GDPR compliance approach can be built upon its existing programme. Ultimately, successful GDPR implementation is about ensuring data protection, trust and proven value through fair processing and transparency. If customers understand why they’re opting in to receive messages and marketing from your business, and can see the value in those messages, that would be an important relationship to have.


Our Chamber Train team is running a number of courses on GDPR for Marketers over the next few weeks, facilitated by Subrahmaniam Krishnan-Harihara. In addition to his work at the Chamber, Subrah is an Associate Lecturer at the University of Salford, where he has taught on the MSc Information Security and MSc Information Systems Management on modules such as Information Security Standards, Information Security Policy & Risk Management, Computer Networking and Database Management.

Click here for more information about our courses and to book on: GDPR