US Marketers: What You Should Know About GDPR

Matthew Langie
US Marketers: What You Should Know About GDPR

Come May 25th 2018, there’s a new sheriff in town (well, in the EU) known as the General Data Protection Regulation (GDPR), replacing all existing national EU data protection laws. Every global company targeting or profiling EU citizens must comply with GDPR, whose purpose is to instill complete transparency of data processing and full documentation of all data processing operations and all compliance and security measures taken to protect data.

While there are already laws that aim to protect the privacy of EU citizens, within the GDPR’s 99 articles are stricter stipulations for acquiring and processing individuals’ personal data and sensitive personal data. It also introduces moral damages, mandatory data-breach notification (within 72 hours of a breach, companies must notify the ICO) and class actions. What has everyone talking though, are the fines; each offense could cost a company up to 4% of global annual revenue or €20 million, whichever is greater.

So what are the main principles of the law that marketers should understand and prepare for?

  • Transparency – Upon data collection, consumers must be informed in a clear and accessible way of their rights (such as the ability to withdraw consent) and the period for which their data will be stored.
  • Consent – Consent should be separate from other terms which will lead to actively ticking a box, in clear and plain language.
  • Right to be forgotten – A data subject has the right to request the deletion or removal of personal data from the data controller without undue delay.
  • Purpose limitation – Organizations can only collect data for a particular purpose, which is also to be disclosed to the data subject.
  • Data minimization – Collect the minimal amount of data necessary, or only as much as you plan to use instead of collecting data for data’s sake.
  • Privacy by default – When a system or service includes choices for the individual on how much personal data they want to share with others, the default settings should always be the most privacy friendly ones.
  • Privacy by design – Consider privacy during the initial design stages and throughout the complete development process of new products, processes and services that involve processing of personal data.
  • Privacy impact assessment – Every company processing data will have to prove what they do with the data and if they are aware if their process for data processing is a complicated or risky one or not.
  • Data Security – On a technical level, keep your data protected, and when recording and processing data, keep all records of processing activities.

Do these points leave your head spinning? While others may see this as a major challenge to overcome, at Mapp Digital we see GDPR as an opportunity!

Read our thoughts on the future of marketing post GDPR here.

We are ready for GDPR, are you?

For further resources, visit

Recent Articles