GDPR: A marketer’s guide to protecting your customers and your company


GDPR has been in place since 2018, and yet violations still happen. This article is for marketers to understand what they need to know about the GDPR and how they can ensure compliance, while still creating the most relevant, personalised communication possible.

If you’re based in Europe and work in marketing (or use the internet at all) then you’ve been affected by the EU’s General Data Protection Regulation (GDPR). 

The GDPR has been enforced since 2018, and yet there have already been over €2.34 billion in fines. And it seems like the fines are increasing in frequency: the total number of GDPR violations has increased by 50% since last year, with total fines surging by 168%.

Let’s be honest. No one wants to be a part of those statistics. 

So, how can you, as a marketer, do your part to ensure that your company is GDPR compliant while also doing your job and sending personalised communications that boost conversions?

This article is a collection of the best practices for compliance paired with information on how to enact these practices within the Agillic platform. 

Please note: this article is not a substitute for legal advice. Read the full GDPR here, and seek legal guidance to ensure compliance.

How does the GDPR affect marketers?

To comply with the GDPR, you need to first know how it will impact your work.

Under the GDPR, you can only process data when doing so is lawful and fair, and when it is transparent how and why the data is being used.

Legally speaking, you may only collect the minimum amount of data necessary to accomplish your business goals. That data must be accurate, confidential, and securely stored, and data collectors must be able to demonstrate GDPR compliance at any time.

As a marketer, your work is most impacted by the GDPR as it pertains to consent, data access and data scope.

Consent: As a marketer, there are only two circumstances in which you are allowed to process data under the GDPR: 

  1. If you have clear, recorded consent to process the data.
  2. Or if you have a “legitimate interest” to process someone’s personal data (like being able to invoice a customer).

To collect data and send communications to an individual, you must have “freely given, specific, informed and unambiguous” consent. 

When gathering consent, you must use clear language in the request and keep it separate from other information. Keep the permission documented, and know that it can be withdrawn at any time.

The only relevant exception for marketers is the case of “legitimate interest”. 

What constitutes a legitimate interest is ambiguous and it can include marketing materials, such as transactional emails or even upselling messages such as abandoned basket emails. Caution is advised when collecting data or sending communication under legitimate interest. 

For a comprehensive exploration of what “legitimate interest” means, read this article.

Data Access: Data subjects have the right to be informed on the usage of their data and to access, correct, restrict processing of or remove their data from its usage. They also have the right to data portability, the right to object to its usage and rights related to automated decision-making and profiling. They can exercise these rights at any time, and you have to be ready to demonstrate what data you have on them, where you are storing it, how you are using it and why.

Data Scope: You are legally only allowed to collect the minimum required data necessary to achieve the outlined goal. 

If there is another, less intrusive way to reach your goal, then data collection is not warranted and therefore not legal. 

You must be able to demonstrate and justify what data is being collected and held, and why. 

This means that you will need to gain consent to collect different data for different uses. For example, you would need separate consent to communicate via email, SMS and to track a user on your website. 

You would also need separate consent to send product-related content and to send company-related content. Personal data can only be employed for the specific purpose for which it was collected; consent will need to be obtained before it is used for any other purpose.

Legally speaking, you may only store data for the shortest possible time, given the reasons why your organisation needs to process the data. You should establish a timeframe in which to review or delete the data stored and ascertain that it is up-to-date and accurate.

Best practices for GDPR

Despite the restrictions it puts on your ability to collect and use data, the GDPR essentially pushes marketers to do better work. 

The law only allows marketers to contact people who want to be contacted, for the topics they are interested in. 

Ultimately, it forces you to send out more relevant communications to a more receptive audience. Read on below to learn how you can market effectively while complying with the GDPR.

Keep your recipient database clean and organised

Ensure that you have obtained opt-in permissions for ALL of your contacts. 

Should contacts choose to revoke this consent and opt out, be sure they are removed across all of your systems. 

Segmentation is key. Since you have to collect permission to contact subscribers separately for each channel and communication type, make sure that your contacts are separated into the categories for which you have permission to contact them.

Agillic will automatically block communications to recipients that do not have valid contact information; read here to learn how valid recipients are measured. 

Read our Knowledge Base articles to learn how to edit and delete recipient data in Agillic.

Align with third parties

If you have third parties that have access to the data you collect, minimise the number of people with access. Ensure that those with access are GDPR compliant and that they are securely storing your data.

Update your privacy policy

Your privacy policy must be written in line with the GDPR. 

The language must be clear and simple, and the policy must outline how you will use personal data, any third parties who will have access, how long you intend to retain the data, and the contact information of the individual primarily responsible for data management at your organisation. 

You must also provide an overview of individuals’ rights under the GDPR, and detail how they can access the personal data you have collected or remove consent. 

Make sure your privacy policy is easily available on your website. The best practice is to embed it alongside consent forms or pop-ups, as well as in all email marketing communications.

Align across departments

Make sure your sales team knows who they can and cannot contact and how they are permitted to reach out to leads. 

Align with your IT team to ensure that all personal data is encrypted and safely stored. Make sure that everyone who handles personal data uses protective methods such as two-factor authentication and is aware of your privacy policy, and that access to personal data is only granted to those who need it.

Run opt-in campaigns

Utilise other channels, such as social media, your website or your app, to prompt potential customers to subscribe to your contact lists. Offer them a discount, freebie or piece of content in exchange for their permission, and tell them what they will gain from your communications.

The best practice is to run a double opt-in campaign, which ensures that their information is correct and that consent has been freely given; this is how you set up a double opt-in campaign in Agillic.

Once you have a recipient’s consent on one channel, or for one purpose, use it as the starting point for requesting consent for other channels or categories: run campaigns that illustrate the benefits of receiving these other communications from your organisation. Read about how to manage permissions in Agillic here.

Create strong processes

Make sure you’re ready to demonstrate your compliance with the GDPR. 

Create a page on your website where customers can request access to their data. Designate a team member to check for data access requests, and ensure that the member knows where to retrieve the required information. Read our guide on how to make a GDPR export in Agillic. All requests must be addressed within one month to be GDPR compliant.

Make sure that you are prepared with communication materials so you can respond quickly if a data breach does occur.

Take a look at our Knowledge Base articles to understand security settings in Agillic and see our recommended best practice for data sensitivity management.

Fundamentally, the GDPR is there to protect customers’ privacy and mitigate the risk of harm due to misuse of their personal data. 

While it does present some challenges, the GDPR makes your marketing stronger by making sure you are sending targeted and personalised messages, only to the people who want to receive them.