10 Must-know facts about the new EU data law

The new General Data Protection Regulation (GDPR) will be passed in May 2016 and enforceable May 2018. It legislates how you manage, protect and administer marketing data. Here are some answers to key questions…

(On Friday 24 June 2016 the UK voted to leave the EU. See my post on the DMA website for more information, 3 reasons I’m still implementing my GDPR plan)

1. Does the GDPR apply to my company?

Almost certainly yes. The size of your organisation is irrelevant: you must comply with the new law no matter how many people you employ. It also affects organisations outside of the EU. If your data includes EU citizens, then the GDPR applies to you.

2. Does the law apply after Brexit?

Yes. The government have incorporated the GDPR into UK law.

3. What’s the difference between the GDPR and ePrivacy law?

GDPR covers the storage (and processing) of customer or prospect data. The new ePrivacy law (which replaces the Privacy & Electronic Communication Regulation) will determine whether you can contact customers or prospects by email, telephone, text or other electronic marketing channels.

4. Does this affect my customers and prospects?

The new rules regarding the security of data affect both existing customers and prospects. If you use automated decision-making (e.g. an algorithm to rank customers) then you need explicit consent from both customers and prospects for that process.

However, the need for consent (opt-in) to process data applies broadly to prospects only – but if a customer has purchased a product from one division of your company, do not assume you have consent to process their data on behalf of another division of your firm (soft opt-in).

You can use ‘legitimate interest’ to process prospect data, but more on that later.

5. What happens if I don’t comply with the new law?

In the UK you will be investigated by the Information Commissioner’s Office (ICO), and if you are found to be in serious breach of the new law you could be fined up to €20 million or 4% of global turnover.

It’s a fact the ICO are increasing their staff numbers in preparation for the GDPR, so don’t assume they will not have the resources. During 2015/16, they issued £2.5m worth of fines.

Advice Direct Ltd, 01 April 2016, fined £20,000
FEP Heatcare Ltd, 17 March 2016, fined £180,000
David Lammy MP, 10 March 2016, fined £5,000
Prodial Ltd, 29 February 2016, fined £350,000
Direct Security Marketing Ltd, 17 February 2016, fined £70,000
MyIML, 17 February 2016, fined £80,000
Telegraph Media Group, 21 December 2015, fined £30,000
Telecom Protection Service Ltd, 25 November 2015, fined £80,000
Nuisance Call Blocker Ltd, 25 November 2015, fined £90,000
UKMS Money Solutions Ltd, 23 November 2015, fined £80,000
Oxygen Ltd, 10 November 2015, fined £120,000
The Crown Prosecution Service, 04 November 2015, fined £200,000
Help Direct UK Ltd, 27 October 2015, fined £200,000
Pharmacy2U Ltd, 20 October 2015, fined £130,000
Home Energy & Lifestyle Management Ltd (HELM), 30 September 2015, fined £200,000
Cold Call Elimination Ltd, 16 September 2015, fined £75,000
The Money Shop, 06 August 2015, fined £180,000
South Wales Police, 18 May 2015, fined £160,000
Direct Assist Ltd, 01 April 2015, fined £80,000

6. Does the GDPR apply to B2B marketing?

You bet. The GDPR makes no distinction between B2C personal data and B2B personal data. It’s all personal. However, GDPR is linked to another new law called the ePrivacy Regulation (ePR).

ePR will define whether a work email address, work direct dial number, and other work-related electronic communication requires consent.

At the time of writing the ePR has not been finalised.

7. OK, so how do I ensure my marketing is legal?

The GDPR changes marketing permission from a broadly opt-out system to a broadly opt-in rule.

Opt-in consent needs to be unambiguous for most data, and explicit for sensitive data*. Basically, your prospects need to be clear that you will store and process their data and why you are doing it.

Consent cannot be implied by inaction but must be the result of positive action by individuals. Soft opt-in may apply in some circumstances. You can use soft opt-in if all the following apply…

  • they are an existing customer;
  • the messages are marketing similar products or services to the ones they have already bought; and
  • they were given a simple opportunity to refuse marketing (unsubscribe) when their details were collected, and if they don’t opt out at this point, are given a simple way to do so in future messages.

As outlined in Question 4 above, do not assume consent. John Lewis Plc assumed they had soft opt-in from a customer for marketing messages sent by their sister company Waitrose. They were wrong. The details of the County Court Judgement are at John Lewis Plc vs Mansfield.

8. I’ve heard about the ‘Right to be Forgotten’, what is it?

The Right to be Forgotten (or Right to Erasure) enables individuals to request the erasure of their data from your CRM in certain circumstances. This right already exists in relation to search engines and there are many cases that involve Google (just search ‘Google Right to be Forgotten’).

Under the GDPR you do not have to erase the personal information if you need it for accounting, tax or other regulatory purposes.

You also need to consider whether data should be erased entirely or if some data should be added to your in-house suppression file. If you delete it entirely you run the risk of inadvertently adding the individual back into your database; the very thing they were seeking to prevent.
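The "erase, but don't let them creep back in" problem above is usually solved by keeping a suppression file that holds only a keyed hash of the identifier, not the personal data itself. The following is an added illustration, not code from the post or any CRM product: it deletes the contact record, records an HMAC token of the normalised email address in a suppression set, and refuses to re-import that address later. The HMAC key, the `Crm` class and the sample addresses are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed example key. In a real system this lives in a secrets store;
# losing it means the suppression file can no longer be checked.
SUPPRESSION_KEY = b"constructed-example-key-not-for-production"


def normalise_email(email: str) -> str:
    """Trim and lower-case so 'Alice@Example.com ' and 'alice@example.com' match."""
    return email.strip().lower()


def suppression_token(email: str, key: bytes = SUPPRESSION_KEY) -> str:
    """Keyed hash of the address: the suppression file never stores the address itself.
    Note that a pseudonymised token still relates to a person, so protect it too."""
    return hmac.new(key, normalise_email(email).encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class Crm:
    contacts: dict = field(default_factory=dict)   # normalised email -> record
    suppression: set = field(default_factory=set)  # HMAC tokens only, no cleartext

    def add_contact(self, email: str, name: str) -> bool:
        """Add a contact unless the address is on the suppression file."""
        if suppression_token(email) in self.suppression:
            return False
        self.contacts[normalise_email(email)] = {"name": name}
        return True

    def erase(self, email: str) -> bool:
        """Honour an erasure request: drop the record and remember the token.
        Returns True if a record was actually removed."""
        removed = self.contacts.pop(normalise_email(email), None) is not None
        # Always add the token, even if no record existed: a future list import
        # (purchased data, a sister division's list) must still be blocked.
        self.suppression.add(suppression_token(email))
        return removed

    def import_list(self, rows):
        """Bulk import, e.g. a list from another division. Returns (accepted, rejected_count)."""
        accepted, rejected = [], 0
        for email, name in rows:
            if self.add_contact(email, name):
                accepted.append(normalise_email(email))
            else:
                rejected += 1
        return accepted, rejected


if __name__ == "__main__":
    crm = Crm()
    crm.add_contact("Alice@Example.com", "Alice")
    crm.erase("alice@example.com")
    # The re-import is rejected even though the case and whitespace differ.
    print(crm.import_list([(" ALICE@example.com ", "Alice"), ("bob@example.com", "Bob")]))
```

The design choice worth noting is that `erase` adds the token unconditionally: the suppression file exists to catch re-imports from sources you do not control, so it must work even when the person was never in your main database.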

9. What is ‘profiling’ and what do I need to do about it?

The GDPR defines profiling as “automated processing on personal data” – I prefer to call it automated decision-making. It’s the use of an algorithm for analysing customer or prospect data and taking action as a result.

For example, profiling could assess the likelihood for an individual to purchase a certain product, behave in a certain way, or be at a certain location.

The GDPR states you must have explicit consent from prospects to perform automated decision-making. However, they cannot opt out if profiling is necessary for a contract between them and your organisation.

The Regulation clearly identifies online credit scoring and e-recruitment assessments without human intervention as having a legal effect or significantly affecting individuals – so tread carefully if you are in the finance or recruitment sectors.

10. What is legitimate interest?

If you are unable to get consent from a prospective customer you may be able to use ‘legitimate interest’. Legitimate interest means you can store and process a prospect’s data without them ticking a box or giving permission verbally. But tread carefully.

Before you store prospect data you must perform a Legitimate Interest Assessment. This is a test which balances your desire to process their data with their desire for privacy. You should keep a copy of the results of your Assessment as evidence you have made a balanced decision.

But should the ICO decide you have not proved your Legitimate Interest you could lose contact with all those prospects. Getting unambiguous consent is my preferred route. Permission marketing rules!

* Sensitive data is racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a person’s sex life or sexual orientation.


This post is part of a series about the General Data Protection Regulation; the full list of posts includes ‘How Brexit impacts marketing data in the UK’ | ‘3 tips: Steal my GDPR plan’ | ‘The GDPR became law yesterday… and nobody cared’ | ‘Get ready for Data Protection ambulance chasers’ | ‘10 Must-know facts about the new EU data law’ | ‘Want prospects to opt-in? Call them’ | ‘You don’t need ‘opt-in’ to store a switchboard number’ | ‘What can these guys teach you about opt-in marketing?’ | ‘How content marketing will change after 2018’ | ‘Winning Edge: Counter a direct threat

4 thoughts on “10 Must-know facts about the new EU data law”

  1. I’d be interested if you could cite where the opt-in/opt-out requirements for each channel came from. I’ve seen no other reference to them.

    1. Hi Walter, I created the opt-in/opt-out requirements myself, based on what I’ve learned as a member of the Direct Marketing Association. Hope that answers your question 🙂

  2. Hi Graham

    Your articles have been some of the most informative and easy to understand out of everything I’ve read about the GDPR Compliance so far!

    However, I just wondered if you could qualify a couple of points for me. You suggest that current/existing customers don’t have to double opt-in and then you do suggest that. What is the best action to take?

    Also, I just wondered, in addition to sending out e-marketing such as e-shots, e-newsletters and any other content by email, what other forms of marketing will customers need to double opt-in to – i.e. will they need to double opt-in to following a company on social media or receiving marketing literature in the post?

    Look forward to hearing your comments on this. Emily

    1. Hi Emily

      You can contact your current/existing customers using ‘legitimate interest’. I recommend you perform a Legitimate Interest Assessment just to prove you have given it proper consideration. So ‘unambiguous’ or ‘explicit’ consent is unlikely to be necessary.

      In some circumstances, you can use legitimate interest to contact prospective customers. But this could be tricky, because if some customers complain you could lose the ability to contact an entire group. So for prospects, it is better to get unambiguous or explicit consent.

      However, you also have to consider the PECR regulations as well as GDPR. The existing PECR regulations (soon to be replaced by the ePrivacy Regs) state the need for current and prospective customers to be given the ability to opt-out of electronic marketing (email, text, telephone etc). So make sure you include unsubscribe links and processes.

      The act of following your company on social media means they have opted-in for you to contact them on those platforms. What they may not have done is given you permission to store their Facebook page or Twitter URL in your CRM. Be careful.

      I believe that direct mail (letters in the post) will become more popular. It is expensive, but as long as you check your mailing list against MPS, you can contact almost anyone – plus there is less competition on the doormat these days.