
Newport Thomson

March 17, 2025

General Data Protection Regulation (GDPR) – What Marketers Need to Know

The General Data Protection Regulation (GDPR) is the European Union’s comprehensive data protection law. It regulates how organizations collect, store and use personal data, has applied since May 25, 2018, and reaches any organization, anywhere in the world, that offers goods or services to, or monitors the behaviour of, individuals in the EU or European Economic Area (EEA). For marketers it reshapes how customer data can be collected, used and shared, so compliance is essential both to keep customers’ trust and to avoid significant penalties.

Why GDPR Matters for Marketers

The GDPR puts individuals in control of their personal data and requires marketers to prioritize transparency, consent and data protection. It sets minimum standards for any organization that wishes to use personal information for marketing or any other purpose. Non-compliance risks losing the trust of your customers and prospects, as well as administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.

For marketers, the GDPR isn’t just a legal obligation. It is an opportunity to build better, more meaningful relationships by respecting customer privacy and handling data responsibly, letting your actions rather than your words prove that you are worthy of their trust.

For context, laws like the GDPR have shifted control of personal data. From roughly 2000 to 2018 organizations behaved as if the data belonged to whoever collected it. The GDPR puts the individual back in control: the individual has a right to privacy, and transparency and choice are the key elements, forcing every organization to change its marketing practices.


Key Principles That Impact Marketing

  1. Lawful Data Processing: Marketers must have a legal basis to collect and process personal data. Article 6 sets out the six lawful bases; for marketing, organizations typically rely on consent or legitimate interest. Consent needs processes (and usually automation) that capture proof, because Article 7(1) puts the burden of demonstrating consent on the organization. Legitimate interest requires a Legitimate Interest Assessment documenting your reasoning and the consideration given to the consumer. The authorities can request these documents at any time.
  2. Clear, Informed Consent: Consent must be freely given, specific, informed and unambiguous, so no pre-checked boxes or vague language. Customers must actively opt in, and they must understand exactly what they are opting in to. With its recent Law 25, Quebec has set a new bar for what counts as valid consent. We have a white paper on this topic that every organization using the personal information of Quebec residents should read before updating its practices. Law 25 is based on many of the principles in the GDPR.
  3. Purpose Limitation: Data can only be collected and used for the specific reason communicated at the time of collection (e.g., email newsletters, promotions). If you wish to do anything additional with that data, consent must be requested for that activity. If you plan to share the data you must name the receiving organization and clearly state what it intends to do with the data (provide transparency and choice).
  4. Data Minimization: Only collect the data you need; excessive or unnecessary collection is non-compliant with the GDPR and most other privacy laws. The same goes for retention: personally identifiable information should be kept only until the purpose is fulfilled, and when individuals give consent the organization should state how long the data will be kept or when it will be deleted.
  5. Right to Withdraw Consent: Users must be able to opt out as easily as they opted in (Article 7(3)), so marketers must provide clear, simple ways for users to change their preferences. In the past “more eyeballs” was the marketer’s war cry; with digital channels that is secondary to “engaged”, so the size of your email list matters far less than your engagement rates. We have seen many organizations with 1,000,000+ email addresses of which only 3% ever click on anything. Making it difficult to unsubscribe so you can keep your list numbers up makes no sense in today’s market. If management insists on reporting these vanity metrics, a conversation to understand why is in order.

How GDPR Affects Marketing Practices

Email Marketing & CRM:

  • Requires explicit opt-in for marketing communications; bundled consents are not valid, and the narrow ePrivacy “soft opt-in” for existing customers covers only your own similar products and must offer an opt-out at the point of collection. Because consent is purpose-based, you can no longer simply grab my email address and send me whatever you want. For example, when you purchase something at The Gap they ask for your email address so they can send a receipt, then add that address to all of their sister brands’ lists on “assumed” consent. In the first two weeks you can receive up to seven messages a day, every day, and you have to unsubscribe from each list separately. These dark patterns are no longer tolerated.
  • Maintain detailed records of when, how and why a customer gave consent. In the past we did not have to prove consent; Article 7(1) now requires the organization to be able to demonstrate it, so keep the plain-language statement that was shown, stating who asked for consent, what the organization intends to do with the data and who it will be shared with, alongside the time, source and method of capture.
  • Ensure users can easily unsubscribe or manage their preferences at any time. Every communication sent should include a working unsubscribe link, and it should be as easy to unsubscribe as it was to subscribe (provide transparency and choice).
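The three points above (purpose-bound consent, a provable record of it, and withdrawal that is as easy as the opt-in) can be enforced in code rather than policy. The following is an added example written for this page, not code from the original article or from any vendor: a small consent ledger that stores the evidence a controller must be able to produce under Article 7(1), refuses to send for any purpose the person never opted in to, and checks an HMAC-signed one-click unsubscribe token. The names, addresses, purposes, retention period and signing key are all constructed for the demo.

```python
# Added example, not code from the original article: a purpose-bound consent
# ledger that keeps the evidence Article 7(1) expects the controller to be able
# to produce, refuses to send for any purpose the person never opted in to, and
# checks an HMAC-signed one-click unsubscribe token so withdrawing is no harder
# than subscribing. Names, addresses, purposes and the key are constructed.
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

UNSUBSCRIBE_KEY = b"demo-key-not-for-production"  # constructed; load from a secrets store


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    purpose: str                  # one specific purpose, e.g. "newsletter"
    controller: str               # who asked for the consent
    shared_with: tuple            # third parties named at capture time
    statement: str                # plain-language text the person actually saw
    source: str                   # where it was captured (form URL, till, event)
    given_at: datetime
    retain_for: timedelta         # retention period stated at capture
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self):
        self._records = []

    def record(self, rec):
        # Purpose limitation: one record per purpose, never a bundled "all".
        if "," in rec.purpose or rec.purpose.strip().lower() in ("", "all", "*"):
            raise ValueError("consent must name a single specific purpose")
        if not rec.controller.strip() or not rec.statement.strip():
            raise ValueError("evidence needs the controller and the statement shown")
        self._records.append(rec)

    def _latest(self, email, purpose):
        hits = [r for r in self._records
                if r.email.lower() == email.lower() and r.purpose == purpose]
        return max(hits, key=lambda r: r.given_at) if hits else None

    def may_send(self, email, purpose, now):
        """Return (allowed, reason) for a message sent for `purpose`."""
        rec = self._latest(email, purpose)
        if rec is None:
            return False, "no consent on record for this purpose"
        if rec.withdrawn_at is not None and rec.withdrawn_at <= now:
            return False, "consent withdrawn"
        if now >= rec.given_at + rec.retain_for:
            return False, "stated retention period has elapsed"
        return True, "consent on record"

    def withdraw(self, email, purpose, when):
        # The withdrawal is kept as evidence (a suppression entry), not deleted,
        # so the ledger can later prove both the opt-in and the opt-out.
        rec = self._latest(email, purpose)
        if rec is None:
            return False
        self._records.remove(rec)
        self._records.append(replace(rec, withdrawn_at=when))
        return True


def unsubscribe_token(email, purpose):
    # Embedded in the unsubscribe link so it works with no login: one click.
    msg = f"{email.lower()}|{purpose}".encode()
    return hmac.new(UNSUBSCRIBE_KEY, msg, hashlib.sha256).hexdigest()


def handle_unsubscribe(ledger, email, purpose, token, now):
    # Constant-time compare: a guessed token must not withdraw someone else.
    if not hmac.compare_digest(token, unsubscribe_token(email, purpose)):
        return False
    return ledger.withdraw(email, purpose, now)


def demo():
    """Constructed walk-through; returns the decisions so they can be checked."""
    now = datetime(2025, 3, 17, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record(ConsentRecord(
        email="ana@example.com", purpose="newsletter", controller="Example Shop Ltd",
        shared_with=(), statement="Send me the weekly Example Shop newsletter by email.",
        source="https://example.com/signup", given_at=now - timedelta(days=30),
        retain_for=timedelta(days=730)))
    out = {"newsletter": ledger.may_send("ana@example.com", "newsletter", now)[0]}
    # An address given for a receipt is not consent for sister-brand offers.
    out["sister_brand"] = ledger.may_send("ana@example.com", "sister_brand_offers", now)[0]
    good = unsubscribe_token("ana@example.com", "newsletter")
    out["forged"] = handle_unsubscribe(ledger, "ana@example.com", "newsletter", "0" * 64, now)
    out["withdrawn"] = handle_unsubscribe(ledger, "ana@example.com", "newsletter", good, now)
    later = now + timedelta(minutes=1)
    out["after_withdraw"] = ledger.may_send("ana@example.com", "newsletter", later)[0]
    return out
```

In real mail the same token would also go into the List-Unsubscribe and List-Unsubscribe-Post headers (RFC 8058) so that mail clients can offer one-click unsubscribe without the reader opening the message; every send should be gated by `may_send` for the specific purpose, never by "is this address on a list".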


Digital Advertising & Retargeting:

  • Cookies and tracking require prior consent; implied consent through use (e.g., “By browsing this site…”) is not sufficient. The cookie rule itself comes from the ePrivacy Directive (Article 5(3)), but it uses the GDPR’s definition of consent. Some cookies are required to make the website work; these are usually referred to as Strictly Necessary Cookies and need no consent. Consent tools such as CookieScript commonly group cookies into four categories: strictly necessary, performance/analytics, functional, and targeting/advertising. Provide your visitor with authentic choices and be completely transparent; they will trust you more if you are up front with them.
  • Update cookie banners to provide clear choices (e.g., “Accept All”, “Reject All”, “Customize”), with rejecting as easy and as prominent as accepting. Make it easy for a visitor to tell you what is acceptable and what is not.
  • Use re-targeting selectively. A visit is not a reliable buying signal.


Personalization & Data Usage:

  • Ensure data profiling and automated decision-making are transparent: inform customers when it occurs and offer an opt-out. Article 22 gives individuals the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects on them; a consumer credit decision is the classic example. Such decisions are permitted only where necessary for a contract, authorized by law, or made with the person’s explicit consent, and even then the person must be able to obtain human intervention, express their point of view and contest the decision.
  • Use only the necessary data to personalize campaigns while respecting privacy limits. It is important to note that the GDPR treats certain types of data as Sensitive Data (special categories). Article 9 states: “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited” unless one of the exceptions in Article 9(2) applies, most commonly the individual’s explicit consent. A Data Protection Impact Assessment (DPIA, Article 35) should be completed whenever this type of data is involved, and is mandatory where it is processed on a large scale.


Lead Generation & Data Sharing:

  • Scrutinize third-party data sources: only use GDPR-compliant data and ensure proper data-sharing agreements are in place. We are now in an era of “build your lists” rather than “buy your lists”. All organizations must re-think their daily practices around data management, including appointing a person responsible for all data used by the organization. Many organizations have no clear ownership of data, no single person who understands what data is held and who uses it for what.
  • Be transparent about who will access customer data and how it will be used. Every website should have a plain-language Privacy Statement that describes the organization’s policies and procedures for the data it collects and uses. Be open and honest. We often see Privacy Statements that do not reflect what is actually done with data: the statement says x but the organization does y. Be sure your Privacy Statement is aligned with your actual practices.
  • Don’t misread the tea leaves. When someone checks out your website, that, in and of itself, is not a buying signal. For example, I have seen lots of people use shopping carts to find out how much shipping will cost; with many eCommerce sites that is the only way to find out. The vendor then gets all excited and uses re-targeting to try to sell something to a “hot” lead. Consumers are pretty smart. Treat them accordingly.


Practical Steps for GDPR-Compliant Marketing

  1. Audit Your Data: Identify what personal data you collect, why, and how you process it. We recommend at least annual audits for our clients, knowing that every time they audit they take actions to improve their Privacy Management Program. These audits also dictate what should be included in your staff training sessions.
  2. Update Consent Forms: Ensure all forms capture explicit, opt-in consent with clear language. A detailed assessment of every web form should be conducted annually as part of the audit. All forms should be consistent in their approach and language.
  3. Refresh Legacy Data: If consent wasn’t obtained under GDPR standards, re-permission your marketing lists. If you cannot prove specific consent, simply communicate and ask. Your customers and prospects will notice and appreciate your efforts to be transparent and provide choice.
  4. Document Everything: Maintain records of consent, data use, and opt-out requests to prove compliance. Our Privacy Management Process consists of 125 policies and procedures with all of the logs, reports and templates required to operationalize them. The GDPR requires you to document everything: Article 5(2) makes you accountable for demonstrating compliance, and Article 30 requires records of processing activities.
  5. Train Your Team: Ensure all staff understand their role and follow the organization’s best practices. Do not train them on the GDPR requirements themselves; that is for your privacy team members. Your training content should explain what they need to do and why it is important under the GDPR.


The Opportunity for Marketers

While GDPR imposes stricter regulations, it also fosters better customer relationships through transparency and trust. By respecting privacy and offering meaningful choices, marketers can:

  • Increase customer loyalty by demonstrating a commitment to protecting personal data.
  • Deliver better-targeted campaigns using high-quality, permission-based data.
  • Differentiate your brand by positioning privacy and transparency as a competitive advantage.

GDPR isn’t just about compliance—it’s about building better, more ethical marketing practices. Prioritize consumer trust, and you’ll future-proof your marketing efforts while driving long-term growth.
