What NZ Marketers Must Know About GDPR


If you market to the UK and the European Union, or have clients anywhere in Europe, you absolutely must get yourself up to speed with the new GDPR (General Data Protection Regulation), which comes into effect on May 25, 2018.

Steven MacDonald (writing on SuperOffice), gives us a heads-up:

What is GDPR?
The General Data Protection Regulation (GDPR) is a new digital privacy regulation being introduced on the 25th May, 2018. It standardizes a wide range of different privacy legislation across the EU into one central set of regulations that will protect users in all member states.

Put simply, this means companies will now be required to build privacy settings into their digital products and websites – and have them switched on by default.

Companies also need to regularly conduct privacy impact assessments, strengthen the way they seek permission to use the data, document the ways they use personal data and improve the way they communicate data breaches.

And, because it’s a regulation and not a directive, it is legally binding – meaning it cannot be opted out of, or ignored. In fact, failing to comply could lead to fines of up to €20 million or 4% of your global turnover!

What data is affected by GDPR?

Kristen James notes:

Personal data is caught up in the GDPR catchment: anything that could be used to identify a person, such as their name, a photo, their email address, social media data, IP addresses, device ID, cookies, medical history, etc.

This essentially covers any data that you might collect through an event, lead generation, social media and other marketing/sales activities.

The major changes for marketers will occur in email marketing, lead generation/nurturing and digital advertising.

It’s no secret that almost everything we do is tracked online and used to provide targeted advertising as we move from site-to-site. With GDPR in place, any ad provider or publisher that tracks a user’s cookies for advertising purposes will need to request permission to do so. This can be done via pop-ups, subscription requirements, etc., but will likely deter traffic and click-throughs for some publishers.

Large ad providers, such as Google and Facebook, are already making changes to how they process data and advertise to consumers because of GDPR. Receiving opt-ins is more straightforward for these platforms and we’re not likely to see a huge dip on these channels.

Changes to Facebook Custom Audiences

One area to be cautious of here is with tools like Facebook’s Custom Audiences where you can upload a customer or prospect list for advertising purposes. In cases like this, you’ll need express permission to advertise to those contacts.

From an email marketing and lead generation standpoint, current databases will need to be scrubbed and landing pages and form fills must follow compliance measures.

Overall, it will be more difficult to drive new audiences to your channels and then more challenging to convert those users once they get to your site.

Will you need to throw away your existing databases?

Your current UK/EU prospecting database may well be useless, especially if it was gathered without acquiring specific permission, as Lisa Loftis points out:

Three areas of the regulation apply in particular to marketers: consent, clarity and transparency, and profiling:

The GDPR mandates consent must be “freely given, specific, informed, unambiguous,” and articulated by a “clear affirmative action.”

This means marketing can no longer rely on soft opt-in processes, lack of opt-out or a simple blanket opt-in check box for all communication and analysis activities. At best, communications, campaigns, web and mobile applications must ask for and store consent on a more individualized, action-oriented basis.

And these consent forms must be captured, stored and auditable, so the company can prove when consent was given and for what.

At worst, companies may need to review all customer databases to understand whether the consent they have obtained meets the GDPR requirements.

Diginomica adds:

Pre-ticked opt-in boxes don’t cut it

GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent, so these will need to be exorcised from your business. You also have to make it easy for people to withdraw consent, and use clear and plain language when explaining consent. If you think your organisation might fall foul of any of these elements, any data you currently have on file must be refreshed – meaning contacting your current database to ask them to opt in again – if you want to keep in touch with them after 25th May.

Clarity and Transparency

Ensuring clear communication to customers on how personal data is collected and used presents challenges, particularly when the use involves big data, artificial intelligence (AI) or machine learning (ML).

Of particular concern is the collection of digital and IoT data with a personal identification component. At minimum, marketers will have to answer certain questions here. Do individuals know when this data is being collected? Do they understand how it is being used, especially when artificial intelligence or machine learning algorithms (where the decision parameters are less transparent) are making decisions based on that data?

Another concern raised by the guidance document involves using personal information to profile or analyze customers.

GDPR defines profiling as: “Any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”

Marketing will have to prove that this type of analysis meets certain criteria.

  • Is the resulting decision in the best interest of the customer?
  • Can the customer get a clear explanation of these decisions?
  • Is the company taking measures to prevent discrimination on the basis of ethnic origin, political opinions, religion, etc.?

Privacy must be by design in IT systems

Organisations should review their IT systems and procedures to check they comply with GDPR requirements for privacy by design, ensuring only the minimum amount of personal data necessary is processed. Privacy Impact Assessments (PIAs) should be completed when using new technologies and the data processing is likely to result in a high risk to individuals.

The right to be forgotten

Individuals are given extended powers over the data you retain about them under the new rules. They have an automatic right to be forgotten, so your company must have processes in place to permanently delete all of an individual’s records from its systems.

Individuals can also request a copy of their data, so you need to develop a way to gather and export this data to present to users in a clear, simple format. There will not necessarily be a flurry of requests, but you need to be prepared.

Brexit doesn’t matter (to GDPR)

Even though after Brexit, the UK government would technically be able to implement its own data protection laws, the government has clearly stated that it will maintain GDPR as a national law. So don’t hold off working through the new rules in the hope that Brexit will give you a perfect excuse for non-compliance. It won’t, and you might just end up being the first GDPR breach test case.

Challenges with “refer a friend” programs

As SuperOffice points out, in most cases, refer a friend programs work when a prospect or customer enters a friend’s email address in order to claim an offer (i.e. a discount, sale, bonus, etc). Once they have entered a friend’s email address, an email is automatically sent from the company to the “friend” without gaining explicit consent to contact them. These emails are typically “notifications”, rather than promotional.

Provided this data is neither stored nor processed, then it is considered GDPR-compliant.

However, if the data is stored and used for marketing communications, then you are in violation.

To be clear: NO marketing communication is to be sent out to the referee’s email address.

The cost of failing to comply

The deadline for GDPR in May 2018 isn’t that far away and many businesses have already switched into “panic mode” to make sure they’re compliant way ahead of time. The trouble with this is that this leads to mistakes. And these mistakes can be costly, especially as the UK Information Commissioner’s Office (ICO) starts to clamp down even harder on the misuse of personal data.

In fact, the ICO has already reported three incidents that involve household brand names who tried to use well-known email activation strategies to reach out to their database. The campaigns, which were sent out by Flybe, Honda and Morrisons, asked customers if they wanted to be contacted by email and to update their preferences.

How did they contact their customers, you might ask?

Well, they contacted them by email – even those customers that had previously opted out.

And this is a serious breach of compliance.

Key take away: If you do not have explicit consent to email your customers, then don’t email them! Even asking for consent is classed as marketing and is in breach of the upcoming GDPR regulations.

Who is affected most by GDPR?

If you have customers in the UK or Europe, then everyone inside your company will be affected by GDPR. But, in the marketing department, there are two roles that will see the biggest change in their everyday work.

Let’s take a closer look at who this affects and how.

1. Email marketing managers
For B2B marketers, email addresses are the lifeblood of lead generation programs.

Often considered the start of the sales process, a user that willingly gives you his email address in exchange for more information, such as signing up to your mailing list or downloading a piece of content, is known as an “opt in”.

This is in stark contrast to firms that buy email lists or scrape (or copy) them from a website. Under the new GDPR regulation, buying lists (or scraping them) will be strictly forbidden.

Ensuring users opt-in to your B2B email marketing campaigns and give consent to be contacted will be a requirement, rather than automatically adding them to your email list and then waiting for them to opt out. While this is best practice today, it will be an EU law from May 2018.

2. Marketing automation specialists
Marketing automation can be an extremely powerful tool.

But, it can also land you in trouble with GDPR if not set up correctly.

If your marketing automation system sends out emails on behalf of your CRM system, then you could be facing eye-watering penalties if an email is sent automatically to someone who has opted out.

You need to make sure that every UK/European name in your CRM database and every email in your automation system has given you permission to market to them. And, if someone opts out of an automated email sequence, that the two systems are updated to ensure that no further emails are sent. And no, having the next email already scheduled is not a valid excuse.
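The consent requirements quoted earlier (individual, purpose-specific, stored and auditable, with withdrawal honoured) and the automation point above (a message already sitting in the queue is no excuse) come down to one design decision: keep consent as an append-only, purpose-scoped log, and check it when a message is actually released rather than when it was scheduled. The following is an added illustration, not code from SuperOffice or any other vendor quoted on this page. The class and function names (ConsentLedger, send_due, run_demo), the purposes and the email addresses and timings are constructed for the example.

```python
"""Purpose-scoped, append-only consent ledger plus a send-time gate.

Added example with constructed sample data; not any vendor's code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Constructed reference time for the sample data below.
DEMO_T0 = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    kind: str          # "given" or "withdrawn"
    email: str
    purpose: str       # one consent per purpose, e.g. "newsletter", "profiling"
    at: datetime
    evidence: str      # what the person saw and did, e.g. "signup-form v3, box ticked"


class ConsentLedger:
    """Append-only log. Nothing is edited or deleted, so the history can be
    replayed to prove when consent was given, for what, and when withdrawn."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record_consent(self, email: str, purpose: str, at: datetime,
                       evidence: str, affirmative_action: bool) -> None:
        # A pre-ticked box or default-on setting is not a "clear affirmative
        # action", so the ledger refuses to record it as consent at all.
        if not affirmative_action:
            raise ValueError(f"no affirmative action from {email} for {purpose}")
        self._events.append(ConsentEvent("given", email, purpose, at, evidence))

    def withdraw(self, email: str, purpose: Optional[str], at: datetime,
                 evidence: str) -> None:
        # purpose=None withdraws every purpose the person currently holds.
        purposes = [purpose] if purpose else self.active_purposes(email, at)
        for p in purposes:
            self._events.append(ConsentEvent("withdrawn", email, p, at, evidence))

    def has_consent(self, email: str, purpose: str, at: datetime) -> bool:
        # Replay events up to `at`; the latest one for (email, purpose) wins.
        state = None
        for e in self._events:
            if e.email == email and e.purpose == purpose and e.at <= at:
                state = e.kind
        return state == "given"

    def active_purposes(self, email: str, at: datetime) -> list[str]:
        purposes = {e.purpose for e in self._events if e.email == email}
        return sorted(p for p in purposes if self.has_consent(email, p, at))

    def history(self, email: str) -> list[ConsentEvent]:
        return [e for e in self._events if e.email == email]


@dataclass(frozen=True)
class ScheduledEmail:
    email: str
    purpose: str
    subject: str


def send_due(queue: list[ScheduledEmail], ledger: ConsentLedger, now: datetime,
             transport: Callable[[ScheduledEmail], None]
             ) -> tuple[list[ScheduledEmail], list[ScheduledEmail]]:
    """Send-time gate: consent is re-checked when the message is released, not
    when it was queued, so an opt-out after scheduling suppresses the send."""
    sent, suppressed = [], []
    for msg in queue:
        if ledger.has_consent(msg.email, msg.purpose, now):
            transport(msg)
            sent.append(msg)
        else:
            suppressed.append(msg)
    return sent, suppressed


def build_demo_ledger(t0: datetime = DEMO_T0) -> ConsentLedger:
    """Constructed sample data: two opt-ins, one later withdrawal."""
    ledger = ConsentLedger()
    ledger.record_consent("alice@example.com", "newsletter", t0,
                          "signup-form v3, unticked box ticked", True)
    ledger.record_consent("bob@example.com", "product_updates", t0,
                          "checkout page v2, unticked box ticked", True)
    ledger.withdraw("alice@example.com", "newsletter", t0 + timedelta(hours=12),
                    "preference-centre unsubscribe")
    return ledger


def run_demo(t0: datetime = DEMO_T0) -> dict:
    """Queue three mails at t0, release them a day later, report what happened."""
    ledger = build_demo_ledger(t0)
    try:  # pre-ticked box: rejected before it reaches the ledger
        ledger.record_consent("carol@example.com", "newsletter", t0,
                              "signup-form v3, pre-ticked box", False)
        rejected = False
    except ValueError:
        rejected = True
    queue = [ScheduledEmail("alice@example.com", "newsletter", "May news"),
             ScheduledEmail("bob@example.com", "newsletter", "May news"),
             ScheduledEmail("bob@example.com", "product_updates", "v2.1 out")]
    sent, held = send_due(queue, ledger, t0 + timedelta(days=1), lambda m: None)
    return {"pre_ticked_rejected": rejected,
            "sent": [(m.email, m.purpose) for m in sent],
            "suppressed": [(m.email, m.purpose) for m in held],
            "alice_consented_at_6h": ledger.has_consent(
                "alice@example.com", "newsletter", t0 + timedelta(hours=6)),
            "alice_history": [(e.kind, e.purpose) for e in ledger.history("alice@example.com")]}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design choices carry the compliance weight. The ledger is append-only and keyed by purpose, so "when was consent given, for what, and when was it withdrawn" is answered by replaying the log rather than by trusting a mutable flag on a CRM record. And the gate runs at release time: Alice's newsletter was legitimately queued while she still consented, but by the time it is due she has withdrawn, so it is held back, while Bob's product update goes out and his newsletter (a purpose he never opted into) does not.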

Should Kiwi Marketers care?

All these changes are relevant to those marketing to the UK and Europe. Will they matter to the rest of us?

YES, because global players such as Google and Facebook are amending their operations to comply with GDPR (so we’ll need to adjust our own thinking accordingly, because those new rules are likely to apply down our way as well).

YES, because (per Demandbase’s new Chief Privacy Officer, Fatima Khan):

Consent is paramount – Consent rules have changed dramatically under GDPR, so marketers need to look at places where they capture data and consent to collect data and adjust their approach to support the new rules.

The definition of personal information has expanded. Now information like cookie id and IP address are included in the definition, things that marketing haven’t previously considered to be personal information.

YES, because if you don’t market to the UK or the EU and your marketing is non-compliant, you will need to make it clear in your materials that your offers are not directed at people located in the UK or the EU (GDPR’s reach turns on whether you offer goods or services to, or monitor, people in those territories, not on their citizenship); otherwise you may inadvertently become exposed to the potential penalties.

And YES, because such regulations (in one form or another) are likely to spread to other countries and legislative regimes. It’s better to be ready (with GDPR-compliant best practices) sooner rather than later.

Written by: Michael Carney