3 tips: Steal my GDPR action plan

As a Council member at the Direct Marketing Association (DMA), I’ve been monitoring this new marketing law since 2012 and have been surprised at the lack of practical advice on how to prepare for it.

So I’ve decided to share with you the 3-point plan I’m constructing – it may not be perfect, and will almost certainly change/develop, but here’s your chance to steal it.

A. Get consent

Sounds easy. It’s not. Marketing consent now has to be ‘unambiguous’. That means it must be freely given, specific and informed – shown either by a statement or a clear affirmative action. You cannot bury the details of consent in your Terms & Conditions.

You only need marketing consent from prospects. The GDPR assumes you have a relationship with existing customers and can, therefore, send them marketing messages – until they tell you to stop. But if you plan to use profiling or automated decision-making you may need additional consent.

So I have reviewed the wording on our marketing consent forms (i.e. the tick box attached to all forms on our website). I have also ensured our sales team have a ‘script’ to use when they ask for consent over the phone – and that all calls will be recorded so we have proof of consent.

It may not be necessary to get total consent on first engagement. Getting consent for automated profiling may be difficult, so consider first getting consent for marketing contact and perhaps ask for profiling consent later.

Also, think about the channels you use. Consent via a tick box or email blast may be convenient, but it is not necessarily the most effective. I have found that consent via telemarketing gets much better results, typically 15% compared to 1-3% using digital methods. It’s because telemarketing is great for objection handling.

Plus consider the type of consent. You have a choice between opt-in and legitimate interest. I have chosen opt-in. Your target audience has to tick a box or give permission over the phone, and in that act, they are agreeing that your messages are of value. Therefore, they are more likely to read them and less likely to unsubscribe, unfollow or ignore your phone calls.

B. Get secure

The GDPR was originally conceived as a response to concerns across the EU about data loss and hacking – the clue is in the title, it’s the ‘Data Protection’ regulation, not ‘Marketing’ regulation. So security was the real issue, marketing just got swept in with the tide.

So review the personal information you store and examine its sensitivity. Do you hold credit card details, National Insurance numbers, passwords? Now list all the staff who have access to that data and ask whether they need it to perform their job.

Now consider the security of your website. Beyond employing professional hackers to find holes in your site’s security, there are simple measures you can take, such as ensuring all website forms sit on a secure server page (served over HTTPS) so that the messages visitors submit are encrypted in transit.

C. Get informed

It’s important that all members of your marketing team understand the detail of the GDPR and your plan for marketing consent as well as your privacy policy. Please check my article on 10 must-know facts about the GDPR at http://www.marketinggraham.com/general-data-protection-regulation/

But the responsibility for consumer data does not rest solely with the marketing department. Ensure you have a training plan for all members of staff within your organisation. Security, privacy and consent touch many departments, and it’s not something that should be explained at the staff induction and then forgotten. Regular, annual sessions to refresh staff on its importance are certainly part of my plan.

A quick round-up? The GDPR is still relevant. Don’t ignore it. Use it as a guide to improve your relationship with prospects and customers. I suggest you get consent, get secure and get informed.


This post is part of a series about the General Data Protection Regulation; the full list of posts includes ‘How Brexit impacts marketing data in the UK’ | ‘3 tips: Steal my GDPR plan’ | ‘The GDPR became law yesterday… and nobody cared’ | ‘Get ready for Data Protection ambulance chasers’ | ‘10 Must-know facts about the new EU data law’ | ‘Want prospects to opt-in? Call them’ | ‘You don’t need ‘opt-in’ to store a switchboard number’ | ‘What can these guys teach you about opt-in marketing?’ | ‘How content marketing will change after 2018’ | ‘Winning Edge: Counter a direct threat

