How does GDPR affect digital marketing?

The demanding nature of the General Data Protection Regulation (GDPR) has forced businesses to re-think the way they conduct their activities when using personal data. Marketing is certainly not an exception, especially in the digital environment. Whether your organisation conducts data analysis concerning its customers’ online activity or whether it simply uses a mailing list to send electronic marketing, such activities need to be framed within the context of the stricter obligations imposed under the GDPR.

In addition, as if the GDPR was not enough, the processing of personal data involving electronic communications, should also consider specific rules contained under the e-Privacy regime. This is currently being remodelled in a stricter regulation which will bring the existing framework into balance with the rules applied under the GDPR.

To learn more about the impact of GDPR on different industries, read the article How will GDPR impact different industries?

Two main digital marketing activities impacted by GDPR

To put things in simple terms, digital marketing involving personal data would normally consist of two main activities:

Data gathering and profiling – Collecting information relating to customer interaction, with the objective of analysing the market and creating unique customer profiles. Additional processing to keep track of the customer choices with a view of improving the product offer based on the specific needs.

Targeting – Reaching out to the individuals by communicating the product offer. This can take the form of one-to-one electronic communications (e.g. email, SMS, other push notification or instant messaging) or even targeting based on specific profile groups or segments.

Naturally, the more personal data is used in conducting marketing activities, the more challenging it becomes for organisations to ensure compliance.

To learn more about the impact of GDPR on marketing activities, read the article How does GDPR impact marketing activities?


GDPR & digital marketing: How regulation affects the industry

Legal parameters

While legitimate interest may constitute a legal basis for processing operations concerning direct marketing (as provided for under Recital 47 of the GDPR), consent would still be needed in principle, due to the more specific provisions in the e-Privacy framework.

To learn more about consent read the article Four main questions for obtaining and managing data subjects’ consent under GDPR.

Below, you can see ways GDPR will transform and affect the digital marketing industry as well as key things to pay attention to.

How does GDPR affect digital marketing? - Advisera

Golden rules to follow

1) Right to object – The data subject has the right to object to data processing for the purposes of direct marketing. This also includes profiling which is carried out for such purpose. An individual may object at any time and free of charge. In case of an objection, the personal data shall no longer be processed for such purposes.

2) More transparency – The GDPR requires controllers to be more transparent about their processing activities, including when these are conducted for marketing purposes. In such cases, the individuals should be clearly informed about the nature of processing involved, and the extent of marketing activities that will be conducted using personal data concerning the individual. Furthermore, information about the right to object to the processing of personal data for direct marketing, including profiling, should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

To learn more about privacy notices, register for this Free webinar – Privacy Notices under the EU GDPR.

3) Active consent – Where the processing is based on consent, this shall comply with the requirements imposed by Article 7 of the GDPR. Apart from the requirements to ensure a freely given, specific, unambiguous and informed consent, the law also requires that this consent is given by means of a statement or a clear affirmative action. Therefore, a consent should be active and not passive. It means that tacit consents, or pre-ticked boxes are not acceptable. Such consent should also be documented and therefore evidence should be kept by the organisations to demonstrate that this has been obtained.

Complying with the requisites of valid consent is vital to legitimise processing of personal data for direct marketing. This is highly relevant for marketing in an online environment, especially for the processing of personal data gathered through cookies and used for online behavioural target advertising and also electronic marketing communications based on an opt-in consent.

4) Granular options – Organisations should also provide the individual with clear and granular options when it comes to the marketing preferences. Consent for electronic marketing, should clearly be distinguished from other processing operations also based on consent. Likewise, where an organisation intends to use the personal data to market products or services for other third-parties (e.g. strategic business partners), additional options should be given to the individual for such purposes. The individual should be in a position to have a choice and indicate his or her marketing preferences accordingly.

5) Opt-in and Soft Opt-in approach – Apart from the general application of the GDPR, the sending of direct marketing by electronic means (e.g. email, SMS, fax, or automated calling) is subject to more specific rules under the e-Privacy Directive 2002/58 as transposed by Member States. These rules are still applicable until they will be superseded by the much-awaited e-Privacy Regulation.

Under the e-Privacy regime, the general rule is to obtain an opt-in consent prior to sending marketing communications. There is however an exemption in those cases where the contact details are obtained from customers in the context of a sale and provided that they are used by the same company to market similar products or services. In such cases an opt-out – also known as Soft Opt-in must be clearly offered at the time when the contact details are first gathered and with each message.

Reconsider your marketing process

Organisations should reconsider their marketing process when this involves the use of personal data. More specifically, they need to ensure and demonstrate that:

  • Their marketing practices are transparent and clearly laid out in the data protection policy and related notices which are made available to data subjects;
  • The consent practices comply with Article 7 of the GDPR and provide for an active and genuine choice by the individual;
  • Individuals featuring on the mailing lists are there legitimately, having been subject to the opt-in or soft opt-in process, as required by law.

Personal data will remain an essential tool for businesses to conduct marketing activities, especially in the digital environment. The GDPR has strengthened the data protection rights, making digital marketing more demanding for organisations. You need to re-engineer your marketing processes to ensure compliance and continue with your digital marketing activities.

To learn more about GDPR digital marketing register for the webinar How GDPR Affects Marketing Practices.

Advisera David Cauchi

David Cauchi

David Cauchi is a seasoned data protection expert, having worked in the field for more than 15 years with the Maltese Information and Data Protection Commissioner. Throughout his experience, David has developed a high level of expertise in data protection matters, particularly in handling complaints, inspections, and audits. He also has experience dealing with cross-border issues including international data transfers, providing guidance, and raising awareness on data protection to various sectors, including banking and financial services, online gaming, employment, and the public at large. He also actively participates in various Data Protection fora and meetings organized by EU Institutions. David is often invited as an expert speaker in conferences and seminars both locally and abroad on GDPR.
Read more articles by David Cauchi