GDPR compliance – Let’s get personal

Two months into my new role at The Crocodile and I was given the not-so-simple task of presenting a knowledge sharing session to the team about the General Data Protection Regulation (GDPR). The GDPR is one of the biggest topics affecting the marketing world right now, and with so much information out there, the challenge was to find out what the essential bits we all need to know are. So, here is my bite-sized overview of what the GDPR is, and what it means for you.

The GDPR is the new legislation from the EU, and affects anyone who collects or processes personal data on EU residents. In the UK, the GDPR will replace the Data Protection Act.

It will come into effect on 25 May 2018, and there is no transition period. From this date onwards, any breaches of data will be hit with tough penalties, with the maximum fine being a staggering £17 million, or 4% of your annual turnover, whichever is greater. This is a far cry from the current maximum fine in the UK of £500,000.

Why is it happening?

  • To create a framework that simplifies and harmonises the international regulatory environment for business.
  • To provide more consistent protection for personal data.
  • To improve trust among consumers.
  • To give businesses more accountability.
  • To create more protection around B2B data.
  • To stay up to date with the digital age (the Data Protection Act was created in 1998).

The 6 key principles that underpin the GDPR

Personal data should be:

  1. Processed lawfully, fairly, and in a transparent manner in relation to individuals.
  2. Collected for specified, explicit and legitimate purposes and not processed beyond those.
  3. Adequate, relevant and limited to what’s necessary in relation to the purposes for which they are processed.
  4. Accurate and, where necessary, kept up to date.
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  6. Processed in a manner that ensures appropriate security of the personal data.

Key impacts it will have on you as a marketing professional

Opt-ins, opt-outs and consent:

  • Consent must be informed and clearly given via a positive opt-in action.
  • Requests should be given in clear, plain language stating how the data will be used.
  • There should be a genuine choice about consenting – service provision cannot be conditional.
  • Children under 16 years old cannot give consent – parental consent is required.
  • Different consent categories must be separated.
  • Special categories of data such as race or health require more explicit consent.
  • Withdrawing consent must be clearly explained and as easy to do as giving consent in the first place.
  • Pre-ticked opt-in is no longer allowed.

The right to be forgotten:

  • Giving someone the means of accessing and removing their data.
  • Being able to prove that the data has been deleted from your database.
  • Ensuring removal from any third party you may have supplied the data to.

Changes to legal basis for processing data:

  • More rules around processing data means better housekeeping on the part of marketers.
  • There must be a clear reason for data collection – no collecting data for unnecessary reasons.

Some aspects of how the new regulation will look in practice haven’t yet been explicitly stated, so there are still grey areas around how it will impact social media, automation, and targeted online marketing. Here at The Crocodile we see it as an opportunity for businesses. By engaging with your customers on their terms, however and wherever suits them, and by being innovative in your marketing techniques, you will remain both compliant and ahead of the competition.

To find out more about how we can help you on the way to becoming GDPR compliant, get in touch at

By Georgie Pickard