How marketers can ensure GDPR compliance

The EU General Data Protection Regulation (GDPR) has had big implications for all sectors, but marketers have arguably been the most affected. Personal data is at the core of what they do, so they need to be certain that they’re getting it fairly and using it responsibly.

The biggest change for marketers that use EU residents’ personal data will be the way they obtain personal data. Before the GDPR came into effect, consent was by far the most common method. However, it is also the least reliable, and the Regulation has acknowledged this by tightening the rules around it. Marketers should instead use legitimate interests wherever possible.

That seems straightforward enough, but how does this apply in the real world? Take a look at this guide to help you achieve and maintain GDPR compliance.

Direct marketing

Organizations can use legitimate interests to market directly to past clients and prospects if the use of personal data:

  • Is proportionate
  • Has a minimal privacy impact
  • Won’t surprise data subjects or cause them to object


The GDPR defines personal data as any information that can identify a natural person. This includes identifiers in a professional capacity, such as someone’s work email address. As such, any business-to-business marketing concerning EU residents’ personal data falls within the GDPR’s scope.

Organizations can contact corporate bodies, but it’s a good idea to keep a ‘do not contact’ list for those who object to the process, and screen any future marketing lists against it.

Marketing based on consent

For consent to be considered valid, it must be freely given and provided with a clear affirmative action. This includes:

  • Signing a consent statement on a paper form
  • Clicking an opt-in button or link online
  • Selecting from equally prominent yes/no options
  • Choosing technical settings
  • Responding to an email requesting consent
  • Answering yes to a clear oral consent request
  • Volunteering optional information for a specific purpose (such as optional fields in a form)
  • Dropping a business card into a box

Organizations should keep a record of when and how consent was given, as they will need this information if an individual submits a data subject access request.

Data minimization

The GDPR states that the collection of personal data should be “adequate, relevant and limited to what is necessary.” The first two points are relatively clear, but many people have questioned the limits of what is necessary.

To determine this, organizations should ask themselves ‘what are we doing with the information?’ and ‘when will we be using it?’ If there isn’t a clear reason for either of these, or if the information won’t be used immediately, then the processing isn’t necessary.

Take the example of an individual downloading a product from an organization’s website. The organization could justifiably ask for the individual’s email address if it needs to provide a link to the product. It might also ask for other information, such as the individual’s job title, but it’s less obvious why this information is needed. That’s not to say the organization can’t collect it, only that it must provide a reason for its collection in its privacy policy.


The GDPR defines profiling as:

any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

Profiling falls under the category of automated decision-making, which is regulated under the GDPR. Organizations can only profile EU residents when the processing is:

  • Necessary for the entry into or performance of a contract
  • Authorized by a union or member state law applicable to the controller
  • Based on the individual’s explicit consent

GDPR training

Those who want to learn more about personal data and the GDPR’s lawful grounds for processing should consider attending our Certified EU GDPR Foundation and Practitioner Combination Course.

This five-day course offers a practical understanding of the methods and tools that organizations need to comply with the Regulation.

GDPR training