Marketing and the GDPR

The General Data Protection Regulation (GDPR) is European legislation which comes into force in May 2018. It supersedes the Data Protection Act (DPA) and is applicable to every organisation that processes the personal data of EU residents.

If you’re using personal data to deliver targeted marketing campaigns it is essential that you comply with the regulations.

Organisations which breach the GDPR could receive a fine of up to 4% of global annual turnover for the preceding year (for undertakings) or €20m, whichever is the greater. The current penalty is a maximum of £500,000 for serious breaches of the DPA.

Here is a summary of the changes which will apply when the GDPR comes into force*:

Data Protection Principles

The DPA data protection principles have been condensed. Personal data must be:

1. Processed fairly, lawfully and in a transparent manner in relation to the data subject.

2. Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes.

3. Adequate, relevant and limited to what is necessary in relation to the purposes for which data is processed.

4. Accurate and, where necessary, kept up to date.

5. Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

6. Processed in a way that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.


Data controllers must have a legitimate reason for processing personal data. Silence, pre-ticked boxes or inactivity will no longer constitute consent.


Where the personal data of a child under 16 is being processed to provide ‘information society services’ (e.g. online businesses, social networking sites etc.) consent must be obtained from the holder of parental responsibility for the child. Member states are allowed to lower this threshold but not below the age of 13.

Data Subjects’ Rights

The list of rights that a data subject can exercise has been widened and a ‘right to be forgotten’ has been introduced. This means data subjects will be able to request that their personal data is erased by the data controller and no longer processed.

Data Protection by Design

Data controllers will be expected to include data protection controls at the design stage of new projects involving the processing of personal data.


Data controllers will be required to keep an internal record in relation to all personal data they process.

Security Breaches

Breach notification will become mandatory where a data breach is likely to ‘result in a risk for the rights and freedoms of individuals’. This must be done within 72 hours of first having become aware of the breach.

Data Protection Officer

Organisations handling personal data, both data controllers and data processors, will require a Data Protection Officer. This person will have a key role in ensuring compliance with the GDPR.

GDPR and B2B marketing

The rules are slightly less onerous for B2B marketers than they are for companies marketing to private individuals. If you’re emailing or texting employees of corporates (limited companies, LLPs, partnerships in Scotland and government departments) you do not need prior consent/opt-in from the individual as you do in the case of B2C marketing. You can, therefore send them a marketing email/text as long as you provide an easy way to opt out of future communications from you.

For more detailed guidance on GDPR please visit the Information Commissioner’s Office (ICO) website.

Act now so you have plenty of time to put any necessary measures in place before the May enforcement date

*We’re not legal specialists, these notes are a summary or our findings on the Internet. For advice for your business, we advise you consult a legal expert.