GDPR: Implications, Compliance & Opportunities for Marketing

On 28th September 2017, the techUK Marketing & Sales Group heard from three speakers about how GDPR will impact various aspects of marketing. Marketing Consultant, Ben Wheeler, was in the audience and summarises what he learnt below.

Readers of Insights will know that techUK regularly cover GDPR issues. Earlier in September, we looked at what employers need to know as well as what GDPR means for big data, analytics, the cloud and AI. This event ended a busy month by shining the spotlight on marketing.

The Lawyer’s Perspective - Gabriel Voisin, Bird and Bird

Gabriel started his session by addressing the financial and reputational costs behind a data breach, citing the example of Sony, and the fines that can be placed on organisations that break the data rules when sending marketing emails. The clear message was GDPR compliance will make sound financial sense.

Gabriel then explored what constitutes personal data. GDPR will require organisations to be aware of additional categories of data that apply: personal data will now include location data and online identifiers such as device IDs, cookie IDs and IP addresses. Sensitive personal data will now include genetic and biometric data.

One of the main aspects of GDPR is that the rules surrounding consent to data being held will be stricter - and that organisations need to be aware of this. What’s more, organisations will bear the burden of proof - so they must keep good records that demonstrate who consented, when and what they were told at the time. Gabriel suggested that, where organisations could not be satisfied that existing consent was given in line with GDPR requirements and properly documented, then consent should be renewed. He suggested incentivising people to renew their consent.

Much consent-gathering currently takes place through email sign-up boxes. Gabriel used a visual to demonstrate that many of the typical broad brush ‘consent to everything’ approaches won’t work with GDPR.

See Bird & Bird's guide to the General Data Protection Regulation

The Compliance Perspective - Dave James, Ascentor

Making the point that cyber security and data protection go hand in hand, Dave started his session by quoting Elizabeth Denham, the UK Information Commissioner at the ICO. Speaking at the CBI Cyber Security Conference on 13th September 2017, she said: “Data security and data privacy have always been linked. Privacy depends on security. No obligation to provide privacy will be meaningful if the data to be protected are accessed or stolen by unauthorised third parties...”

Ascentor specialises in cyber security, so the key points made about GDPR compliance were based on good information risk management (IRM). Even before the advent of GDPR compliance, good information security should never have been an afterthought, but embedded at the outset of a project. Describing a Cyber Security 101, Dave explained how organisations should identify their information, locate it and protect it: “GDPR is for life not just for Christmas - you need good governance.”

Dave went on to describe Ascentor’s practical steps to achieve GDPR compliance, starting with identifying and locating data through a pragmatic data audit, with good practice examples from the ICO and the Direct Marketing Association (DMA). He also suggested a risk-based approach with a privacy impact assessment.

The next step is to protect data and mitigate risk - with the Cyber Essentials Scheme a good starting place. Organisations should write meaningful and understandable policies (on topics such as Bring Your Own Device (BYOD)) and get buy-in. Finally, he suggested using information security frameworks such as IASME/ISO27001 and following them explicitly.

See Ascentor’s Ten Steps to GDPR - a Compliance Checklist

The Marketer’s Perspective - Dan Holt, BOSS Digital

Dan’s talk moved away from the legal and compliance areas and speculated on the potential shape of GDPR from a marketing perspective, and the opportunities it may create. Building trust between the public and organisations holding data was a major part of Dan’s talk.

He cited recent research from The Harris Poll showing that, after dishonesty or intentional wrongdoing, the next most damaging factors on consumer trust are data breaches or misuse of personal information - something that GDPR is designed to prevent. Dan said that GDPR matters because lost trust has profound implications for a company’s customer referral, conversion and retention rates - it affects the bottom line.

He drew the distinction between B2B and B2C marketing, explaining that the marketing implications of GDPR will be most profound for consumer marketing - to the individual. That’s because all users must have opted in for email and SMS before receiving any direct marketing. With B2B marketing, with some exceptions, cold email/SMS will generally be permitted without consent. Dan reinforced a point that sole traders must be regarded as consumers – an interesting curved ball for anyone thinking otherwise.

Dan felt GDPR would be a good opportunity for businesses to get their data in order - citing the examples of old databases and email lists stored on Mailchimp. He made the point that a cleaner database means higher levels of engagement and less wastage on ineffective advertising.

GDPR also offers an opportunity for differentiation. By taking the initiative with these strategies - or at the very least making it clear that you are embracing GDPR and operating legally and transparently - you are making an important statement to your customer, whether consumer or business.

See Boss Digital blog: GDPR: The potential marketing opportunities


Slides could be downloaded from the links below.

