Jun 20, 2022

Data Privacy for Marketers

Data privacy has become a major concern for companies, especially now that they have access to huge amounts of customer data. Unfortunately, recent data scandals have trained an uncomfortable spotlight on how companies manage their data and respect customers privacy. When companies fail to adequately protect the integrity and privacy of their customer data, it can lead to serious reputational damage, as well as legal and financial sanctions.

Understandably, many companies have been concerned about their GDPR obligations in recent years. However, even if your company operates in markets where GDPR doesn’t apply, you still need to be aware of your obligations to protect customer data. Mining customer data offers great opportunities for marketers to develop highly personalized digital marketing campaigns, but marketers still need to apply best practices for data protection.

Below, we will cover the key principles of data privacy - wherever you are operating in the world, and outline 10 guidelines for marketers to keep in mind as they consider the ongoing state of data privacy.

GDPR and data privacy

European governments were coming under pressure to address data protection vulnerabilities and in 2016 launched the General Data Protection Regulation (GDPR), replacing the previous Data Protection Directive.

This GDPR has important implications for digital marketers, because it outlines how to collect, store, and use any user or customer data that they collect.

Pro tip: Use this handy checklist to help you develop a marketing strategy that’s GDPR-compliant.

Note: GDPR applies to companies operating in the EU. Other jurisdictions have different data protection guidelines, so be sure you understand your obligations if marketing in those areas. For example, if your company retains data on residents of California, you must comply with the California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020.

Principles of data protection & privacy

Regardless of where your company markets to and which regulations you must comply with, it’s best practice to always apply these six general data protection principles.

  1. Lawful, fair, and transparent processing
  2. Purpose limitation
  3. Data minimization
  4. Data accuracy
  5. Data retention
  6. Data security, integrity, and confidentiality

Let’s look more closely at each of these.

1. Lawful, fair, and transparent processing

When companies process user data, it must be done in a lawful, fair, and transparent manner. The processing is lawful only if one of the following applies:

  • The data subject has given consent.
  • The processing is part of a contract or legal obligation.
  • The data must be processed to protects someone’s vital interests.
  • Processing the data is in the public interest.

Consent is a very important principle when it comes to data privacy. According to the GDPR, content must be “freely given, specific, informed, and unambiguous”. When collecting data, companies should:

  • Be very clear on when consent is required.
  • Record how they seek, record, and manage consent.
  • Make it easy for people to withdraw their consent.

You cannot assume that informed consent is implied through the customers’ interactions. You must give them the option to opt-in to your data collection processes.

2. Purpose limitation

Even when users consent to their data being used, the data must only be kept for specified, explicit and legitimate purposes. In particular, the data should be used only for the purposes informed to the user. For example, if you tell the user that you’re collecting data for research purposes, you cannot then use that data for marketing purposes.

Remember, just because you have the data doesn’t mean that you can use it for any purpose. You cannot use the data in any way that is incompatible with the informed purpose of the data.

  • If users share data on the understanding that the data is private, you shouldn’t share it with the media.
  • If users share data with you about their experiences with your products, you shouldn’t sell that data to a market research company.
  • If employees share personal health-related data with you, you shouldn’t share that data with other employees or with healthcare companies.

In some cases, you may wish to use the data for more than its original purpose. If you suspect this new purpose is incompatible with the original purpose, you should obtain new consent to use the data for the new purpose.


Suppose a bank collects customer data about their banking preferences and behaviors.

After checking the customer data, the bank realizes that some customers would benefit from better loan or savings offerings from the bank. In this case, the data use is compatible with the original purpose, so no further consent is necessary.

The bank then enters into a partnership with an insurance company. It believes some of its clients would benefit from insurance and want to pass on the customer data to the insurance company. In this case, the data use is incompatible with the original purpose, so further consent is necessary.

3. Data minimization

Remember the key concept that just because you have the data doesn’t mean you can do whatever you like with it.

When processing personal data, your use of the data should be:

  • Adequate
  • Relevant
  • Limited to what is necessary

This applies to both collecting the data and sharing the data. Customers should be informed about what their data will be used for and be assured that the data won’t be used for further purposes (without their additional consent). From the context of the data collection, the customers should be able to come to reasonable expectations about how the data will and won’t be used.

4. Data accuracy

When collecting data, you need to ensure that the data remains accurate and up to date. If you discover that you have inaccurate personal data (or the data is accidentally altered), you must either correct or erase the data. This isn’t just a matter of respecting customers’ privacy. If your customer data is inaccurate or out of date, you cannot make accurate decisions based on that data.

5. Data retention

Personal data may only be kept for as long as necessary to carry out the particular purpose.

Ideally, your company will have a data retention policy and will share this with customers so that they know to what extent their data will be used. The policy should outline:

  • What data you collect
  • Why you collect it
  • How long you retain it for

6. Data security, integrity, and confidentiality

When you collect personal data, you have a duty to protect it. After all, personal data belongs to the data subject, not you! Personal data should be processed in a manner that ensures appropriate security of that data.

In particular, you need to use appropriate technical or organization measures to protect against:

  • Unauthorized or unlawful processing
  • Accidental loss, destruction, or damage

This issue has become even more pressing with the growing trend towards remote working. Companies must ensure that remote workers understand their obligations regarding data protection. Remote workers should follow company policies regarding device use, email, cloud and network access, and creation, storage, and disposal of paper records.

Data privacy in action


It’s not enough for companies to have a good understanding of data privacy principles. They need to be accountable for implementing them.

Companies can demonstrate this accountability in several ways:

  • Have a robust data privacy policy
  • Document your data usage procedures
  • Stay up to date with data privacy regulations
  • Make training available to all relevant employees can make informed decisions.

Lawful basis

Obviously, your use of personal data must be lawful. How can you ensure this?

According to GDPR, the lawful processing of personal data requires at least one (though sometimes several) of the following:

  • Legitimate interest: Is it in the interest of the company to process this data (in order to make informed business decisions, for example)?
  • Public interest: Is the data relevant and of use to public bodies?
  • Vital interest: Is the data processing of vital interest to the data subject (for example, necessary to protect the data subject by collecting health or next-of-kin details)?
  • Consent: Have users given informed consent?
  • Contract: Have you entered into a contract that involves processing data?
  • Legal obligation: Are you legally obliged to collect and process the data (as in an employee–employee context, for example)?

Bear in mind that the more of these bases you rely on, the easier it will be for you to demonstrate that you are complying with data processing best practices.


Complying with all these data privacy regulations and best practices may seem like a huge burden for companies. And it does definitely require careful management and sustained effort.

However, there are also opportunities around data collection and privacy. Many users are willing to share their personal data in exchange for a more personalized customer experience, as seen in this snapshot from McKinsey research:

  • 16% would be happy to share their data.
  • 50% would consider sharing their data.
  • 34% would be unwilling to share their data.

If you demonstrate that you are using customer data in the best interests of customers, you will strengthen the bond of trust with your customers. They will be willing to share more data with you and, in return, you can deliver a richer customer experience that ultimately leads to more sales.

Data privacy – 10 guidelines for marketers

Clearly, data privacy has serious implications for how digital marketers develop and implement their strategies. When using personal data, always be transparent about why you’re collecting it and how you’re using it. The data belongs to the customers, so respect every customer. And behave ethically at all times. The more you can demonstrate that you’re putting the data to good use, the easier it will be to build a trust-based relationship with your customers. 

Here’s a list of ten guidelines to help you ensure that your data privacy policies are as robust and effective as possible:

  1. Use a Gold Standard data protection approach: See which areas in your digital strategy require the most stringent data protection policies, and use this approach as your “Gold Standard” in all areas. Think beyond your own region, e.g. the EU and the GDRP.
  2. Step through the personal data journey: Identify roles that are needed to ensure data protection at all stages. What can you do to protect the data subject at each stage of the journey?
  3. Make your privacy policy a market differentiator: Demonstrate that you are taking privacy concerns more seriously than competitors are. Show that data protection is a core value for your business.
  4. Be clear with options and opting in: make sure people can clearly opt in and opt out and give them options for communications (e.g. SMS, email, phone). And don’t hide behind service notifications!
  5. Revisit email lists: Check if they need to be updated and work on your optimization strategies.
  6. Keep up to date: Watch out for emerging privacy concerns (such as cookies or tracking pixels) and be ready to address them before have to. Regulation in this area is only going to expand and become more robust!
  7. Consider using data relationship management (DRM) programs: They can help you better understand the different types of data you have and the relationships between them. They can also help you demonstrate data-protection accountability.
  8. Stay up to date with technology advances: As new technologies (such as the metaverse, AI, and the Internet of Things, for example) emerge, new data privacy concerns arise.
  9. Develop ethical awareness: Cultivate a culture where personal data is cherished and protected. Make the right decisions without being compelled to do so. Remember, just because you can do something doesn’t mean that you should do it.
  10. Be prepared for contextual advertising: The move away from cookies and from third-party to first-party data will see the emergence of contextual advertising, with corresponding data privacy concerns.

David Normoyle
David Normoyle

David Normoyle is an experienced data protection consultant and trainer with Pembroke Privacy Ltd, a leading data protection consultancy based in Dublin.

IAPP certified and a One Trust Certified Privacy Professional he has extensive knowledge of the GDPR, Data Protection, Irish Act 2018 and e-Privacy Regulations. David has experience in completion of Register of processing Activities (ROPAs), conducting Legitimate Interest Balancing Tests, addressing GDPR gaps and conducting Transfer Risk Assessments post Schrems II judgement where personal data is transferred outside the EU/EEA.

He delivers data protection training to Marketing functions for large and small businesses and has designed and implemented large data protection frameworks and has experience working on IT systems and electronic data collection. He also regularly carries out data protection impact assessments and audits for clients.

Upgrade to Power Membership to continue your access to thousands of articles, toolkits, podcasts, lessons and much much more.
Become a Power Member

CPD points available

This content is eligible for CPD points. Please sign in if you wish to track this in your account.