GDPR and marketing: What you need to know & why you need to know it

Since the introduction of GDPR back in May 2018, digital marketing has had to undergo significant changes in the way it handles personal data, and businesses and organisations have had to navigate the balance between GDPR and their marketing activities.


What is GDPR?

The General Data Protection Regulation (GDPR) is one of the strictest privacy and security laws in the world. It rewrote the rules on privacy and personal data, forcing companies to update their marketing activities and operations. Although the regulation was drafted and passed by the European Union, organisations anywhere in the world can still have its requirements imposed on them. The purpose of GDPR is to protect individuals’ fundamental rights and freedoms relating to the protection of their personal data.

The Core Principles of GDPR Regulations

Purpose Limitation

One of GDPR’s principles ensures that boundaries are set around using personal data for only very limited purposes. The purpose of this principle is for data to be “collected for specified, explicit, and legitimate purposes”, as stated within the GDPR regulations.

Fairness, Lawfulness & Transparency

If you are processing any personal data, there needs to be a well-founded justification for why you are doing so, which is why GDPR labels this principle Lawfulness. Some reasons for processing personal data can include the following:

  • The user has given you consent to do so.
  • You must do it to make good on a contract.
  • It’s necessary to fulfil a legal obligation.
  • For the protection of vital interests of a natural person.
  • It’s a public task done in the public interest.
  • You can prove you have a legitimate interest, and it’s not overridden by the data subject’s rights and interests.

Data Minimisation

The principle of data minimisation states that data which is collected and processed should not be held or further used for other purposes unless it’s absolutely

The below has been taken from the GDPR legislation covering this principle:

“1. Personal data shall be:

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”

Let’s break down the element of data minimisation contained in the sentence above. There are three elements covered in the legislation that serve as the checklist for compliance. They are:

  • Adequate
  • Relevant
  • Limited to what is necessary in relation to the purpose for which the data is processed

When you come to practise data minimisation, it’s important to remember to ask yourself the following questions for each point of data that you plan to collect:

  • Does the individual know I am collecting the data?
  • How am I planning to use this data?
  • Does the individual know why I am collecting the data?
  • Is there a way of achieving this purpose without having to collect the data?
  • How long will I need the data to achieve the purpose?

Storage Limitation

In accordance with the regulation, organisations are required to justify the length of time for which they store each piece of personal data they collect. Therefore, implementing a defined data retention period for each category of data is a practical way to ensure that you meet the principle of storage limitation.


Accuracy

The accuracy principle applies to all personal data and requires you to take all necessary and reasonable steps to erase or rectify any inaccuracies in the data without delay. This principle means that data controllers must make reasonable efforts to ensure that all data of a personal nature is accurate.

To follow a high level of compliance means doing the following:

  • Ensure that all data you maintain is accurate and isn’t misleading in any way that could be harmful to the data subject.
  • Ensure efforts are made to keep all personal data updated where applicable.
  • Make timely efforts to correct or erase personal data when any inaccuracies are identified.
  • Ensure that all challenges to the accuracy of personal data are addressed, and that the data is corrected or erased where necessary.

Confidentiality and Integrity

The regulations require you to maintain the confidentiality and integrity of the personal data that you are collecting. It is vital that you protect this data from any internal or external threats which could result in unauthorised or unlawful processing of this data, which means that a lot of planning and diligence is needed.


Accountability

As the name of the principle suggests, accountability means taking full responsibility for the processing of personal data.

It’s also important that organisations document how they are fulfilling these GDPR requirements.

What Does GDPR Mean For Your Marketing Activity?

Challenges to Marketing Teams

The requirements introduced by GDPR are intended to allow for more transparency and accountability during the collection and processing of personal data, which had many digital marketers concerned when the regulation was first introduced.

Some of the most common concerns of GDPR for marketers include:

  • Consent may not have been requested transparently.
  • Data subjects may not have been informed about the purposes of processing.
  • Data may be processed for purposes other than those initially explained when obtaining consent.
  • Previous consent methods may have been “opt-out,” whereas GDPR mandates “opt-in.”

What Can Marketing Teams Action?

It’s important that every digital marketing team ensures that it is compliant with GDPR legislation. Some steps they can follow include the following:

Obtain Explicit Consent

  • Ensure that consent for data collection is obtained in a clear and transparent manner.
  • Use opt-in mechanisms rather than opt-out.

Inform Data Subjects

  • Clearly communicate the purposes of data processing to users at the time of data collection.
  • Provide detailed information on how their data will be used.

Maintain Data Accuracy

  • Regularly update and verify the accuracy of the data collected.
  • Implement processes to allow users to correct their data.

Implement Data Protection Measures

  • Use encryption and other security measures to protect personal data.
  • Conduct regular audits and assessments of data protection practices.

Create Data Access and Deletion Procedures

  • Develop processes for users to access their data and request its deletion (right to be forgotten).
  • Ensure these requests are handled promptly and effectively.

Appoint a Data Protection Officer (DPO)

  • If necessary, appoint a DPO to oversee data protection strategies and compliance.
  • Ensure the DPO is accessible to both the organisation and data subjects.

Document Data Processing Activities

  • Maintain detailed records of data processing activities, including purposes, data types, and retention periods.
  • Ensure these records are readily available for inspection by regulatory authorities.

Update Privacy Policies

  • Revise privacy policies to reflect GDPR requirements, ensuring they are easily accessible and understandable.

In any digital marketing department, it’s important that all team members are familiar with both the roles and responsibilities of the data controller and data processor.

What is a Data Controller?

A person or body who determines the purposes and means of processing personal data.

What is a Data Processor?

A person or body who is separate from the data controller and processes personal data on behalf of the controller. So essentially, the controller gives the processor a specific job to do.

Don’t underestimate GDPR

GDPR is one of the biggest changes to happen to data protection in years. Our teams here at Embryo have a strong knowledge of this legislation in order for them to create marketing campaigns that abide by rules and work to convert audiences into customers. For more on how we do this, contact us today.
