Designed to harmonize customer rights across Europe, the GDPR is one of the most significant developments in customer data use and management is recent years and it’s going to shake a few things up when it arrives in May 2018, specifically in terms of data collection and storage.

For you to collect customer data, users must clearly give permission for you to contact them and should be informed as to why and how their data will be processed, and all consent should be verifiable and the records accessible upon request.

The type of data you can collect should not be superfluous to needs and you will have to be able to legally justify the processing of it as being of “legitimate interests” to both you and the user. Data kept will have to be up to date or removed.

But in addition to the regulations around how data is collected and used, companies have to brace themselves for the right a customer will have to revoke consent entirely. Known as their right to be forgotten (or right to erasure). Should a user request to have some or all of their data deleted, you have to be able to provably do so securely and completely from every part of your organization (including backups and any scans, photographs, or copies) unless there is a very specific and compelling reason why you need to keep the information (e.g. loan providers).

Then the data controller must delete and remove said data “without undue delay”, within a month of the request, and be able to prove it. It is also their responsibility to take “all reasonable steps” to inform third parties to whom the information was made available (encrypted, of course) of the erasure request and require them to follow suit (as they are jointly responsible). Customers also have the right to request to have their data sent to them in a commonly-used, machine-readable format.

For many, GDPR is the death of data and the murder of marketing as we have come to love it.

In recent years, personal customer data has become the lifeblood of effective marketing—content personalization, targeted advertising, drip marketing campaigns, to name a few—and has led to the holistic enhancement of the customer experience; proven to have a dramatically positive impact on sales.

But just as it is often restrictions in life that ignite our creativity, the new regulation might prove to be a boon for data-addicted marketers, and forward-thinking businesses can embrace the values of permission-based marketing that the GDPR is heralding, showing the rest of the pack what leaner, cleaner data-driven marketing can do.

And it can do—no major paradigm shift required. It just means tightening our focus on nurturing the customer relationships of those who actually want it. Kind of like the best practice marketing techniques that have been talked about for a decade.

As you know, opt-in data outperforms non- in open rates, engagement, and conversions. So, once we get over the initial shock of a loss in data quantity, we can appreciate our improved data quality and focus our efforts on our most coveted prize: customer loyalty. You know, the stuff that makes our mouths water—repeat custom, word-of-mouth referrals, social sharing, increased sales, and boosted revenue.

And while getting more of what we want, the customer gets ethical use of their private data and transparency in how we use it—all the things they love.

How’s that for win-win?

So where do we start?

Get on board: Resistance is futile (and eye-wateringly expensive), so the quicker you get on board with why the GDPR exists and can be good for business, the sooner you can leverage its value to you. Take a long, detailed look at all your current processes and systems. You may be surprised to find that becoming compliant actually leads to better clarity and more efficient working processes.

Get ready: Start now to get data up to date, with no duplicates or inaccuracies, and make sure it’s compliant by getting re-permissions from your current customers ahead of the inevitable blizzard of pre-enforcement requests. You may well receive a lot of erasure requests, but a spotless contact management system means sparkling marketing campaigns that work with greater efficiency and efficacy.

Get savvy: If you can demonstrate lawful “legitimate interests”, you might be able to continue to process current data. Some documents are not classed as personal data and therefore not subject to the right to erasure. There are also exceptions to a user’s right to be forgotten. So dive deep into the specifics of GDPR and what it really requires of your business. It’s certainly not time to panic. But it IS time to think about getting a legal advisor and maybe creating a Data Protection Officer post.

Get supported: Some ahead-of-the-curve content management systems offer sophisticated tools to help you get and stay GDPR compliant. Things like mapped data flows, multiple consent management, consented-only personalization and activity tracking, consent forms customizable to your specific needs, as well as easy data downloads in XML formats to respond to customer requests and easy-to-use data deletion features to respond quickly to right-to-be-forgotten invocations.

So no, data-driven marketing is not dead. It’s just growing up. Leaving the wasteful, and even intrusive behind, it now has its focus on longer-lasting and more meaningful relationships in which both parties get what they want. And forward-thinking businesses that look beyond the dark cloud of data despair to see the GDPR silver lining will be first in line to reap the rewards of win-win marketing.

Duncan Hendy

Duncan Hendy


Duncan Hendy, Content Strategy Manager at Kentico Software.