Mar 27, 2023

GDPR and Marketing

by Digital Marketing Institute

Savvy consumers are aware that their activity and data are being tracked online. That's why it's become so important to have regulations that offer privacy (especially on social media) and allow customers to choose what personal information they share.  

The General Data Protection Regulation (GDPR) is a law that was introduced by the European Union on May 25th, 2018. This law replaced the Data Protection Directive 95/46/EC and was designed to:

  • Harmonize data privacy laws across Europe
  • Protect and empower all EU citizens’ data privacy
  • Reshape the way organizations across the region approach data privacy

Top tip: check out our definitive GDPR Checklist for Marketers for advice on how to get started with ensuring you are GDPR-compliant.

What does GDPR mean for companies?

As a regulation enforceable by law, the GDPR is not optional. If a person or organization wants to do business within the European Union, or with EU citizens, it must abide by the regulations.

With GDPR legislation, companies must be explicit about the ways in which they collect personal data for marketing purposes. This means asking for specific, explicit permission as they collect it, as well as offering consumers a valid reason for having the information.

In essence, the GDPR:

  • Gives individuals more control over the use of their personal data
  • Gives clarity across the region on how data can be used from one EU country to the next (and beyond)
  • Demands that businesses assign more resources to data privacy, as well as take on more responsibility for it

Legal bases for processing data

To comply with regulations, the GDPR provides six legal bases for processing and storing personal data. In data protection, a legal basis is the justification for processing personal data.

The six legal bases for processing data under GDPR regulations are:

  1. Consent of the individual concerned - Data is freely given by the individual in clear, unambiguous circumstances.
  2. Contractual obligation between the organization and the individual - The organization needs certain data to provide them with a service – for example, an address for ecommerce delivery.
  3. Legal obligation of the organization - The organization may need certain information to comply with legal or statutory requirements.
  4. Vital interests of the individual - The organization may need to process certain data to protect someone’s life.
  5. Public interest/public task - The organization can process information to perform public functions set out in law.
  6. Legitimate interest - The organization has an interest in processing data such as contact details, because it has a legitimate commercial interest in emailing or calling the individual for sales reasons.

Data marketers’ responsibilities

Digital marketers must understand their specific responsibilities in relation to the six legal bases and the rules associated with data processing and storage.

These include:

  • Data consent rules: Data consent refers to collecting personal data about leads and prospects via an organization’s various digital marketing channels, and gaining their explicit and unambiguous consent to opt-in to hearing from the organization.
  • Data processing rules: Data processing refers to how an organization uses the data it collects, and whether the leads, prospects, and customers understand why it needs to be processed in that way.
  • Data retention rules: Data retention refers to how long an organization retains personal data and the business reasons for doing so.
  • Data transfer rules: Data transfer refers to the transfer of the personal data of European Union citizens outside of the EU for legitimate business purposes.
  • Data deletion rules: Data deletion refers to when and how personal data is permanently removed from an organization’s systems.

Role of the Marketing department in GDPR compliance

The Marketing department – and, by default, the Head of Marketing – plays a key role in enabling, supporting, and communicating GDPR and its impact on the business to senior management.

Because of Marketing’s unique role in collecting, processing, retaining, transferring, and deleting data belonging to the public and to the organization’s users and customers, the person or people within the team nominated to roll out GDPR compliance must be fully aware of the scope and responsibilities of the project.

This is typically a cross-functional team effort, as the digital marketer leading GDPR-related activities will need to work with IT, Sales, Support, Engineering, Customer Success, and Product, for example, to ensure that data privacy processes and any dependencies are understood and supported across the organization.

Data Protection Officer

The appointment of a DPO, or Data Protection Officer, will help to steer the resources into place for GDPR compliance:

[The] GDPR calls for the mandatory appointment of a DPO for any organisation that processes or stores large amounts of personal data, whether for employees, individuals outside the organisation, or both. DPOs must be “appointed for all public authorities, and where the core activities of the controller or the processor involve ‘regular and systematic monitoring of data subjects on a large scale’ or where the entity conducts large-scale processing of ‘special categories of personal data,’” like that which details race or ethnicity or religious beliefs.

Data Controller and Data Processor

Digital marketing team members must also be familiar with the Data Controller and Data Processor roles. It’s imperative to understand in which scenarios they are the Data Controller and in which they are the Data Processor.

The Data Controller can be defined as: 

The person or body who determines the purposes and means of processing personal data. In plain English, you decide what the data is for – and what’s going to happen to it.

The Data Processor can be defined as: 

A person or body who is separate from the data controller (i.e. not an employee) and who processes personal data on behalf of that data controller. In other words, the controller gives the processor a specific job to do – and the processor does it.

It is important for a digital marketer to know when they play either or both of these roles every time they deal with data.

Legitimate business interest

“Legitimate business interest” means that there must be a clear reason for the business to collect and process particular data about a data subject. For example, this could be the name and home address of a customer for a pizza delivery business. Just because a person orders a pizza does not automatically mean it is legitimate for this information to be used for direct marketing purposes – for example, sending them flyers. Passing this information to a third party without legitimate interest would also likely be considered a breach of GDPR.

The reasons for collecting and processing must not violate any rights of the natural person. As a digital marketer, you must carefully consider: what data is being collected, and why?

For this reason, recording consent is a very important requirement of the GDPR. Consent must be freely given, unambiguous, clear, and transparent to the data subject. There must not be long, baffling reams of legalese for them to read through. Consent must be correctly recorded. Also, the route to unsubscribe must be just as simple – and clear – for the data subject.

GDPR and marketing roles

Line managers and senior management are also expected to be aware of the complete workings and impact of GDPR on their team as a whole, and on individual contributors.

Considering an average digital marketing team, what are some of the key roles and tasks that individual contributors and their managers must be conscious of?

  • Website forms are set up correctly.
  • Website plugins are compliant.
  • Website platform is secure.
  • CMS is integrated correctly.

Data analysts

  • Analysis tools are compliant.
  • Integrations are used where possible to prevent exporting data onto computers.

Graphic designers

  • Internal-only company information is not used on public-facing graphics.
  • Customer data used for public-facing content must have signed and recorded explicit consent.


  • Internal-only company information is not used on public-facing content.
  • Customer data used for public-facing content must have signed and recorded explicit consent.
  • Contractors must not have unauthorized access to CMS data.


  • Gain, record, and maintain consent from media contacts to send materials.
  • Prepare data breach communications.
  • Maintain a trustworthy brand regarding data management.


  • Gain, record, and maintain consent from booth visitors before adding them to your CRM for marketing.
  • Check the event attendee list terms and conditions. (Are the attendees aware that they signed up to receive communications from your organization, and what communications align with those expectations?)
  • Review the policies of any third-party apps and services you use to run or attend an event. (Who owns the data, and is it secure?)

Digital marketing

  • Privacy impact assessments (PIA) on all processes and projects

Sensitive data

Depending on the industry, some digital marketers will have more rigorous demands than others when it comes to GDPR regulations.

These include:

  • Healthcare
  • Finance or fintech
  • Public service
  • Organizations that deal with the data of a person under 16 years of age
  • Organizations that collect PII that is sensitive and vulnerable

All these organizations require adherence to the most stringent data privacy and data protection policies.

Responsibilities of the Marketing department

So, what are the responsibilities of a digital marketing team for recording, maintaining, and reporting data in relation to GDPR?

These include:

Defining and recording email opt-ins and opt-outs
Design a clear opt-in and opt-out flow in which consent can be interpreted unambiguously; ensure that opting out is as easy and clear as opting in.

Standardizing how a new contact comes into the CRM via all marketing avenues
Understand every data intake process of the CRM under the jurisdiction of the marketing team, and ensure that in the case of EU citizens, each process has clear guidelines around consent.

Outlining the process of honoring data subject requests and deletions
Do a trial run of a data subject request and a data deletion request; refine and document the process, and train the relevant team members.

Communicating data breaches
Understand the time frame within which you have to publish notice about a data breach, and have pre-approved comms templates at hand for a crisis scenario.

Keeping the website's Privacy Page and Terms & Conditions Page up to date
At regular intervals, have your DPO, IT team and a legal expert review your public-facing data usage documentation.

Vetting and approving how CRM data is used for marketing purposes internally and externally
Ensure that your team members have appropriate permissions for data access within the tools they use and that they’re aware of what the data they have access to can and cannot be used for in marketing. Have an established policy regarding co-marketing or partner marketing, where the data subject is protected in accordance with GDPR regulation.

Understanding GDPR regulations, best practices, and how you can comply ethically is imperative to your role as a digital marketing professional.

Ensure your digital strategy includes data protection

Data protection is now central to any digital strategy. Our digital marketing strategy course will not only cover the fundamentals of strategy but explore automation, analytics, budget, digital channels, leadership, and much more. Enroll today to get started!  
