Let’s start at the very beginning – what is the GDPR? The General Data Protection Regulation (GDPR) is European Union legislation that commenced being enforced on May 25, 2018, however its purpose can be summarised very simply:

Its aim is to strengthen the rights of data subjects within the European Union (EU) and European Economic Area (EEA) with regard to how their personal data is used and how it’s protected. (‘Personal data’ means any information that relates to an identified or identifiable natural person).

To that end, the GDPR is structured around six key principles:

  1. Transparency on how data will be used and what it will be used for.
  2. Ensuring that the data collected is used only for the purposes explicitly specified at the time of collection.
  3. Limiting the data collection to what is necessary to serve the purpose for which it is collected.
  4. Ensuring the data is accurate.
  5. Storing the data for only as long as necessary within its intended purpose.
  6. Prevention against unauthorized use or accidental loss of the data through the deployment of appropriate security measures.

In addition, there is a new accountability requirement to be able to demonstrate how compliance with the principles is being managed and tracked. This will mean maintaining records of how and why personal data was collected as well as the documentation of the processes put in place to protect it.

Who does GDPR apply to?

The GDPR applies to any organisation inside or outside the EU who is marketing goods or services to, and/or tracking the behaviours of, data subjects within the EU and EEA. If you do business with Europeans that involves the processing of their personal data, this legislation applies to you.

Penalties for non-compliance are significant, with large fines for those in breach of the regulation: the maximum fine for a single breach is €20 million or 4% of annual worldwide turnover, whichever is greater.

What does this mean for your business?

As businesses, if we create customer experiences that feel personal and human, that are founded on trust and delivered with care, we will win their hearts and minds.

Though the GDPR doesn’t use these terms our goals are the same, namely to respect the rights of our customers and go on to earn their trust. To build and maintain that trust we, as businesses, need to be attuned to the how, when, and why our customers want to be engaged and respect their preferences.

How you address these higher expectations around the collection, use, and security of the personal data that we routinely use in the course of our business is key.

There are two key aspects of the GDPR where businesses need to review past, current, and future practices. The first is consent by the individual to process their personal data and the second is accountability, namely being able to demonstrate how they comply with the principles of the GDPR.


The definition of consent under the GDPR is: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

This dual need for an ‘affirmative action’ that captures consent which also must be ‘specific’ in how the personal data will be used before any processing of the data represents a significant change for most marketers in how they record and respect customer preferences.

Of course, customer preferences change over time and rarely exist in perpetuity and GDPR has something to say about this too—namely that organisations must make it easy for data subjects to make any changes in preference or withdraw consent altogether. Essentially it must now be as easy to withdraw consent as it is to give it.

All businesses need to audit, identify, and review the current points at which they are collecting personal data for processing.

Consider what personal data you need to do business and create relationships, how long you need to hold that data, how safe and secure it is, how you will accept specific consent and how you delete that data once there is no further need for it or a customer withdraws consent.


The most significant addition to current legislation under the GDPR is the accountability principle. The GDPR requires you to show how you comply with the principles—for example, by documenting the decisions you make about a processing activity.