GDPR and digital marketing in 2019

GDPR and digital marketing one year on …

It’s almost a year since the General Data Protection Regulation (GDPR) was introduced on 25 May 2018. GDPR replaced the previous Data Protection Act and was designed to offer consumers better protection and more control over how their personal details are collected, stored, processed and used.

The consequences for non-compliance with GDPR can be severe, with a penalty scale in place that culminates in fines of up to €20 million or 4% of your global turnover in the event of a data breach. Despite this, many smaller businesses still aren’t complying with GDPR. According to a survey by the insurance firm Hiscox, 39% of SME owners still don’t know who the regulation affects and 90% don’t understand the new rights it gives to consumers [1].

In this article, I’ll take a look at some of the key compliance areas you need to be aware of in relation to GDPR and your online marketing activities.

Consent to be contacted

In digital marketing terms, there are two main scenarios where it’s acceptable to contact consumers under GDPR: cases of legitimate interest and where consent has been clearly given. Legitimate interest is something of a grey area, but it’s usually OK to send marketing communications to existing clients or people you’ve worked with recently. Ask yourself if the person would expect to receive emails from you. If not, it’s best not to contact them.

If someone has emailed you and asked to be kept informed about your business, you can add them to your contact list, provided you save the original message as proof of consent. Contacts made through social media, such as LinkedIn messages, are a bit more problematic. You could send the individual a message asking them to email you directly so you can reply with a link to a sign-up form on your website or email marketing platform.

In short, implied consent isn’t an option under GDPR. Best practice is to collect data using a digital sign-up form that has double opt-in functionality. In other words, once the form has been completed, your contact will receive an email asking them to click on a link to confirm their consent to be added to your mailing list. Once they’ve signed up, you’ll need to include an option to unsubscribe or change their contact preferences with every email.

At Imagine Digital Marketing, I take GDPR very seriously. All the websites and MailChimp email marketing lists I manage are fully compliant. As well as the best practice data collection process shown above, I also include a link to the client’s Privacy Policy at the time of sign-up, so contacts can find out more about how their data will be used. In addition, contacts are asked to confirm which types of emails they’d like to receive, for example, info about products and services, details of special offers and so on.

‘The right to be forgotten’

A key right under GDPR is that consumers can ask for their contact details to be deleted. At the same time, business owners are obliged to actively identify and delete contact details that aren’t held in line with the rules. Typical scenarios include where it’s no longer necessary for the data to be stored or processed (e.g. the individual is no longer a client); the data has been unlawfully collected or processed in the first place; there’s no legitimate interest; or the consumer withdraws their consent to be contacted.

If your contact list includes people who gave consent under the old Data Protection Act rules, you’ll need to revisit their records to ascertain whether their consent stands under GDPR. Unless a compliant audit trail for consent is in place, you’ll either need to delete these contacts or get in touch asking them to give you explicit consent as outlined above. Note that if they don’t reply or give consent, you’re not allowed to contact them again.
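As an added example (not code from the original article or from any email marketing platform), here is a minimal double opt-in flow that produces the kind of consent audit trail discussed above: the sign-up form mints a signed, time-limited confirmation token, and clicking the link yields a consent record with the request and confirmation timestamps and the token itself as evidence. The function names, the signing key and the 48-hour link lifetime are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical signing key and link lifetime: load the real key from configuration, never hard-code it.
SECRET = b"example-signing-key-not-for-production"
TOKEN_MAX_AGE = 48 * 3600  # confirmation links expire after 48 hours


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_confirmation_token(email: str, issued_at: int, secret: bytes = SECRET) -> str:
    """Step 1: the sign-up form was submitted; mint the token that goes into the confirmation link."""
    payload = json.dumps({"email": email.strip().lower(), "iat": issued_at}).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def confirm_subscription(token: str, now: int, secret: bytes = SECRET, max_age: int = TOKEN_MAX_AGE):
    """Step 2: the contact clicked the link. Return a consent record, or None if the link is invalid."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:  # malformed link (wrong shape or bad base64)
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # forged or tampered link: no consent is recorded
        return None
    data = json.loads(payload)
    if now - data["iat"] > max_age:  # stale link: the contact must sign up again
        return None
    # The record below is the audit trail: who consented, how, when, and the evidence behind it.
    return {
        "email": data["email"],
        "consent_method": "double opt-in",
        "requested_at": data["iat"],
        "confirmed_at": now,
        "evidence": token,
    }
```

Store the returned record alongside the contact; a contact with no such record is exactly the case the paragraph above says must be deleted or re-consented.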

Privacy Notices, Cookie Policies and Website Terms & Conditions

These documents should all be available on your website, often as links in the footer. The language used needs to reference specific GDPR terminology as well as being concise, clear and easy to understand. Your Privacy Policy is especially important as it sets out how you will collect, store, process and use consumers’ personal information. It will also explain how consumers can object to how their data is being used and ask for it to be erased.

GDPR compliant contact forms

As noted above, it’s a good idea to include a link to your Privacy Notice at the point of sign-up, so consumers have the opportunity to read and understand their rights before choosing whether they want to be contacted. If you’re not sure what to include in your Privacy Notice, Cookie Policy or website T&Cs, I can help.

SSL certificates

Having an SSL certificate (strictly speaking, a TLS certificate) means your site is served over https:// instead of http://, so the personal or financial details people enter into your site are encrypted in transit rather than sent in the clear. The only websites that don’t need one under GDPR are those that collect no consumer data at all – but how many sites don’t have a contact form these days? Probably not many!

Having a secure website is also important in terms of trust. Research shows that 75% of consumers will abandon an online transaction if they don’t feel the site is trustworthy [2], just as most people will leave a site that’s badly designed or unwelcoming. What’s more, Google uses HTTPS as a ranking signal, so having a certificate in place will help with your SEO rankings as well as boosting conversions and decreasing your bounce rate.

The positives of GDPR

Yes, there are some benefits to the new legislation! After all, GDPR isn’t designed to stop you communicating with bona fide customers and contacts. It’s simply there to help keep consumer data safer and protect people from receiving communications they don’t want. GDPR is a great opportunity for you to cleanse your data and increase the quality of your contact lists. In turn, this will help improve your online engagement and conversion rates and reduce your website bounce rate.

In addition, asking people about their preferences means you can gain a deeper insight into your target audience and segment your messaging accordingly. By targeting your communications rather than taking the traditional ‘one size fits all’ approach, you’ll have a better chance of turning prospects into paying customers.

In conclusion…

GDPR might sound complex, but the core principles are quite simple:

  • Don’t contact people who aren’t expecting to hear from you
  • Don’t just assume people want to hear from you
  • Buying random databases and making cold contacts isn’t a good idea
  • Research your audience’s preferences and respect them by restricting your communications to what’s interesting and relevant
  • If you’re not sure whether someone wants to hear from you – just ask!

By following these rules and implementing the best practices outlined in this article, you’ll be well-equipped to create compliant mailing lists that benefit your contacts as well as your business.

Need help making your website GDPR-compliant?

I can help. Contact me today to discuss your digital marketing compliance requirements and find out how I can help. Just call 01636 922 747 or complete my online enquiry form.


  1. Hiscox
  2. Symantec via Ascio
