10 things you need to know about GDPR.

A summary of the key elements of GDPR you should ensure you and your business managers understand.

1. Know the basics about personal data.

Understanding whether you are processing personal data is critical to understanding whether GDPR applies to your activities. Personal data is information that relates to an identifiable individual. The identifier could be as simple as a name or number and could include an IP address or cookie identifier. You need to consider the content of the information, the purpose for which you are processing it and the impact of processing the data on the individual.

The legislation covers indirect identification of personal data, as well as direct. This means marketers also need to think about separate pieces of personal information which, when combined, could lead to someone being identified, such as a postcode used with a surname.

2. Understand the detail.

As tedious as it may seem, it’s important to know the intricacies of the regulations. This doesn’t mean you need to become a legal eagle, but you do need to understand not only what is meant by personal data, but also how it can be obtained, stored and secured in compliance with GDPR rules.

You must have a lawful basis to process personal data. The ICO (Information Commissioner’s Office) has set out six lawful bases for processing:

  • Consent: the individual has given clear consent for processing their data.
  • Contract: the processing is necessary for a contract you have with the individual.
  • Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  • Vital interests: the processing is necessary to protect someone’s life.
  • Public task: the processing is necessary to perform a task in the public interest or the task/function has a clear basis in law.
  • Legitimate interests: the processing is necessary for your legitimate interests or those of a third party, unless there is a good reason to protect the individual’s personal data that overrides those interests.

You must not keep personal data for longer than you need it – think about whether the length of time you are storing the data for is justifiable. Where possible you need to set out a standard retention period in your policy. Stored data should be periodically reviewed and erased when you no longer need it.

Ensure customer and prospect data remains safe and secure. You have an obligation to put in place appropriate security measures to protect the personal data you hold. This is the ‘security principle’ of GDPR. It requires you to consider risk analysis, organisational policies, and physical and technical measures. Deciding which measures to take will depend on what is appropriate and on the risk that processing that particular data poses.

3. Be clear on consent.

Consent can no longer be assumed when it comes to communicating with contacts. You must now explain clearly how you intend to use an individual’s data, and that person’s permission must be obtained at the point of data collection.

You must give individuals control over their data – allowing them the choice of whether or not to share their data with you. This means no more confusing opt-in/opt-out boxes, as these would be considered a GDPR breach. Instead you need a clear and informed opt-in tick box; you can’t use pre-ticked boxes or any other method of default consent.

Ensure you keep evidence of consent – who, when, how and what you told people.

4. Know how and why you are profiling data.

In order to target certain groups with a specific marketing message you may wish to profile the data. If this is something you are planning as part of your marketing activity it is important that you are clear how you intend to do this in your privacy notice and give people an opportunity to opt out.

5. Ensure you are recording the legal grounds.

The accountability principle under GDPR is that you should be able to demonstrate that you are compliant. This means recording the legal grounds for processing an individual’s personal data. As detailed in point 2, there are six lawful bases for processing an individual’s data – it is important that you keep a record of what the grounds were for each instance of data processing.

6. Know the geographical limitations.

Data protection rules have long been bound by recommendations to store and access information within the EU only. However, this requirement has come into the spotlight as a result of the GDPR hype. Many think they have already ticked this box, especially if they have UK servers or domestic-only operations. But many have overlooked the fact that partners and suppliers often transmit or have access to data. If a vendor, or their contact centre, is based in the USA, the data is pinging back and forth beyond the boundaries of the EU, and this is not permitted!

7. Devise multi-level permissions.

The whole purpose of GDPR is to better protect individuals’ information, so it goes without saying that access to this data should be regulated too.

This means creating multi-level user permissions – not only per communications channel, but also according to the topic and subject matter of each channel. It sounds like administrative hell, but it only needs to be a couple of clicks.

8. Check Third party data.

You must make sure you do your due diligence when buying third-party data. You are accountable under GDPR rules for ensuring the data you use for marketing is compliant. You need to know how the list was compiled and whether consent was recently obtained or updated. Has the data been screened against the Telephone Preference Service and the Mailing Preference Service?

9. Managing legacy data.

If you have a database that you wish to continue sending marketing communications to, you must ensure that this data is also GDPR compliant. As long as you can show the data is GDPR compliant, the ICO will allow the continued use of this data.

To ensure your legacy data is GDPR compliant:

  • Demonstrate to individuals why you have collected their data.
  • Use clear and concise language, appropriate to your audience to communicate why you have collected their data.
  • Give individuals the opportunity to object to the use of their data.
  • Record your legal grounds for processing their data.
  • Be ready to demonstrate you have clearly informed the individual how you are processing their data and why.
  • You can reconnect with people on your database using direct mail. This is your legitimate interest and does not require consent.
  • Renew consent at least every two years once you’ve reconnected.

10. Remember the right to be forgotten.

The new rules provide individuals with the right to request that their information is erased completely, and complying with such a request is not optional. To meet the standard of genuine consent you need to put individuals in charge, and this means making it easy for them to withdraw their consent at any time.

Given the ways data is now inputted, stored and archived, erasure is not necessarily straightforward.

Tim Stopher, Chief Technical Officer
