May 5, 2023

The Definitive GDPR Checklist for Marketers

Many marketers are still confused when it comes to regulations around data privacy, especially the GDPR. There's a lot to take in, but how does it work in practical terms? The following marketer’s guide should help you get your marketing processes in order when dealing with GDPR regulations.

For some background you might also want to read our overview of GDPR and Marketing and listen to our podcast with expert Steven Roberts on Data Privacy 101.

GDPR Preparation

Audit your data

This guide is for marketers who work in companies that process personal data about people located in the EU (and the wider EEA). Note that the GDPR protects individuals in the EU regardless of their citizenship, and it applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. Many companies based outside the EU therefore process such data without realising it, so the first step for those companies is to audit their data and discover whether any of it relates to people in the EU.

Pro tip: Don’t make the mistake of assuming that if you’re GDPR-compliant, you’re compliant in all markets. Although GDPR is arguably the most robust data regulation in the world, you must also be aware of the nuances of local regulations in any market you trade in, such as the California Consumer Privacy Act (CCPA). For full information on who is affected and where, consult the official EU GDPR site.

Get familiar with your IT team

The majority of GDPR compliance falls under the responsibility of both marketing and IT. In this guide, we’ll discuss the items that fall under marketing, but you will need to work closely with your IT department or provider.

The IT department will need your help to cover highly important elements of GDPR compliance, such as:

  • Knowing where data is stored (In what country is it stored? Is it on a legacy machine or a server on premises? Is it in the cloud?)
  • Preparing for a security breach
  • Ensuring there are security measures along every step of the data process

Comply with GDPR

Data is often regarded as the ‘new oil’. It makes sense to take steps to ensure you’re using it in a compliant way.

We have seen many high-profile data breaches in recent years, with resulting financial and reputational consequences. British Airways was fined £20 million by the UK ICO for failing to protect the personal and financial details of more than 400,000 of its customers. And the Marriott hotel group was fined £18.4 million for failing to keep millions of guests' personal data secure.

Non-compliance can be caused by several factors. It may be a deliberate decision. Many organizations have been found to be less than transparent in how they use personal data, for example. In many cases, however, it is simply the result of human error or organizational carelessness. (This is why ongoing training is so important!)

Did you know? EU Data Protection Authorities issued nearly €1.1 billion in fines in the 12 months up to January 2022!

To ensure GDPR compliance, companies need to:

  • Be transparent about how they collect and use personal data.
  • Have processes and procedures in place to protect this data. 
  • Be accountable when that data is compromised.

See our GDPR and Marketing article for more information on marketers’ responsibilities for GDPR compliance.  
 

8 steps to GDPR compliance

Here is our eight-step checklist for GDPR compliance:

  1. Get your privacy policy page up to scratch.
  2. Audit your current databases for opt-in consent.
  3. Re-opt-in campaigns for current databases.
  4. Create a process for opt-in consent.
  5. Get the sales team on board.
  6. Review third parties who have access to your databases.
  7. Have a streamlined process for information requests.
  8. Prepare for a security breach.

Step 1. Get your privacy policy page up to scratch

GDPR contains strict regulations regarding your privacy policy – how it must be written, what it must contain and how it must be accessed.

  • While you should work with your legal team or legal consultant on the wording of your privacy policy, GDPR regulations stipulate that it must be written in language that is “concise, transparent, intelligible and easily accessible, using clear and plain language”.
  • You must give a “meaningful overview of the intended processing” – how exactly you will use the data you collect.
  • Provide the identity and the contact details of the data controller and, if your organisation has appointed one, the data protection officer.
  • If you intend to share data with third parties, identify those organisations and the safeguards put in place to protect the data transferred.

In addition, provide the following details:

  • Intended retention periods or the criteria used to determine that period
  • Details on rights of access to and correction or deletion of personal data 
  • Details on the right to withdraw consent for any and all purposes of data processing
  • The right to lodge a complaint with a supervisory authority
  • Details of any automated decision making, including details of the logic used and potential consequences for the individual 

Top Tip: Lead from the top and identify advocates for data protection throughout the organization. GDPR isn’t just a marketing concern!

Step 2. Audit your current databases for opt-in consent

Begin by determining whether you hold valid consent (freely given, specific, informed and unambiguous) to use the personal details of the contacts in your current database, and for which exact purposes they have given consent for their data to be used. Remember that under GDPR the burden is on you to demonstrate that consent was given, so a record without evidence of the opt-in is of little use.

Ensure their consent for each purpose is documented and then divide your database into separate lists based on documented consent by purpose. Next, create a ‘next steps’ plan for each list – reaching out to reconfirm consent or request consent for different purposes. You may need to reconfirm opt-in in the following situations:

  • Contact details sourced from third parties
  • No opt-in recorded
  • Unspecific opt-in (doesn’t explicitly give consent for each use of data)
  • No opt-in for certain ways you have been using or wish to use the data for
  • In cases where opt-in is recorded but you haven’t engaged for an extended period
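The segmentation described in this step is a rule-based sort of every contact into a ‘next steps’ bucket for each purpose you want to use the data for. The following script is an added example written for this article; it is not code from the original page or from any CRM vendor. The record fields (source, consented purposes with their evidence, date of last engagement), the 24-month staleness threshold and the sample contacts are all assumptions constructed for the illustration; map your own CRM or email-platform export onto them.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumption for this example: no engagement in 24 months counts as "stale".
STALE_AFTER = timedelta(days=730)


@dataclass
class Contact:
    """Hypothetical record model; field names are assumptions for this example."""
    email: str
    source: str                       # e.g. "web_form", "event", "third_party"
    # purpose -> evidence that consent for that purpose was recorded
    # (GDPR puts the burden of demonstrating consent on the controller).
    consented_purposes: Dict[str, str] = field(default_factory=dict)
    last_engaged: Optional[date] = None


def classify(contact: Contact, purpose: str, today: date) -> str:
    """Return the 'next step' bucket for one contact and one intended purpose.

    The rules mirror the audit checklist: third-party sourced details,
    no opt-in recorded, an unspecific opt-in, no opt-in for this purpose,
    or an opt-in that has gone stale through lack of engagement.
    """
    if contact.source == "third_party":
        return "reconfirm:third_party_source"
    if not contact.consented_purposes:
        return "request:no_opt_in_recorded"
    if purpose not in contact.consented_purposes:
        if "unspecified" in contact.consented_purposes:
            return "request:unspecific_opt_in"
        return f"request:no_opt_in_for_{purpose}"
    if contact.last_engaged is None or today - contact.last_engaged > STALE_AFTER:
        return "reconfirm:stale"
    return "ok"


def audit(contacts: List[Contact], purpose: str, today: date) -> Dict[str, List[str]]:
    """Split the database into lists keyed by the action each list needs."""
    buckets: Dict[str, List[str]] = {}
    for c in contacts:
        buckets.setdefault(classify(c, purpose, today), []).append(c.email)
    return buckets


# Constructed sample data; not real contacts.
SAMPLE_CONTACTS = [
    Contact("alice@example.com", "web_form",
            {"newsletter": "form 2022-01-10", "sales_outreach": "form 2022-01-10"},
            date(2023, 4, 1)),
    Contact("bob@example.com", "third_party",
            {"newsletter": "list purchased 2021"}, date(2023, 3, 1)),
    Contact("carol@example.com", "web_form", {}, date(2023, 2, 1)),
    Contact("dave@example.com", "event",
            {"unspecified": "business card collected 2022-09"}, date(2022, 9, 1)),
    Contact("erin@example.com", "web_form",
            {"newsletter": "form 2019-05-01"}, date(2020, 6, 1)),
    Contact("frank@example.com", "web_form",
            {"newsletter": "form 2023-01-01"}, date(2023, 1, 1)),
]

if __name__ == "__main__":
    for bucket, emails in sorted(audit(SAMPLE_CONTACTS, "newsletter", date(2023, 5, 5)).items()):
        print(f"{bucket}: {', '.join(emails)}")
```

Run the audit once per purpose (newsletter, sales outreach, and so on) and keep the resulting lists with the consent evidence attached; each non-“ok” bucket is the input to the re-opt-in campaigns in Step 3.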

Step 3. Re-opt-in campaigns for current databases

Based on the lists you identified in step 2, create engaging campaigns asking contacts to opt in or re-opt-in for the specific purposes for which you wish to use their data.

This is no easy feat as consumer sentiment regarding the privacy of their personal data has never been more fraught with tension. People will be unwilling to share that valuable data with you if they don’t trust that you’ll use it in a reasonable and fair way. By showing your commitment to GDPR, you can help reassure customers and enhance your reputation. 

Clearly convey the benefit to the consumer as to why they should provide you with consent to use their data, and assure them that the utmost care will be taken to protect their data.

  • Create the right messaging for each campaign.
  • Create engaging landing pages and opt-in forms.
  • If relevant or possible for your business, follow up the emails with personalised phone calls from the marketing or sales team. 

Note: Verbal consent to a clear question on a recorded call is a valid form of opt-in, but only if you can evidence it. Create a script for team members making these calls, and record the date, the exact question asked and the answer against the contact’s record.

Step 4. Create a process for opt-in consent

For any new contact details you add to your database following your audit, you want to ensure there is a process in place to gather the required level of opt-in for each new contact, and that their details are added to the appropriate list. 

GDPR regulations stipulate that consent must be gathered by customers actively opting in, rather than opt-in being the default and customers having to opt out. Pre-ticked boxes, silence or inactivity do not count as consent. In practice, this means that the checkboxes allowing sales and marketing communication at the end of contact forms must be unchecked by default, and users must tick the boxes to opt in.
Here are some examples of ways that people can actively opt-in:

  1. Tick an opt-in checkbox
  2. Click an opt-in button or link
  3. Select from a Yes/No drop-down or pair of buttons
  4. Set preferences in their account dashboard
  5. Respond to an email requesting consent
  6. Answer yes to a clear verbal consent request, in person or over the phone
  7. Sign a consent statement on a paper form

Opt-In Consent

You also need a separate opt-in consent for each way in which you wish to use their data. Once you have decided on your new opt-in process:

  • Adjust the blog or newsletter subscription form on your website to include specific and explicit opt-in for each way you wish to use data.
  • Adjust all forms (contact, quote request, demo request, and so on) on your website to include specific explicit opt-ins.
  • Link to your privacy policy from all forms.
  • Offer clear ways of unsubscribing.
  • If you keep duplicated copies of databases for whatever reason (exports, backups, spreadsheets, test environments), keep an inventory of them and document a process by which a customer’s information can be deleted from every copy if opt-out is requested for all or specific types of contact.
  • Train all existing and new team members on the importance of following this procedure.
  • Ask how every new project, tool or process might impact your data collection, processing and storage procedures.

Remember: Your business is only as compliant as the least trained person on your team, so ongoing training of existing staff is essential!

Step 5. Get the sales team on board

If yours is a lead-gen business (as opposed to retail or ecommerce), marketing will likely bring the leads in and pass them on to the sales team for conversion.

In the past, your sales team might have taken databases of leads who provided their email in order to download gated content or subscribe to the newsletter, and contacted them with a sales pitch or an offer of a free trial or demo. Under GDPR you need a lawful basis for that contact, and the consent those leads gave for a download or newsletter does not cover unsolicited sales outreach. Unless the leads have specifically opted in to being contacted by sales (or you have documented another lawful basis, such as legitimate interests, that also satisfies the applicable e-privacy rules on electronic marketing), this practice is no longer permitted.

Hold GDPR training for the sales team to:

  • Prepare them for reduced lead numbers.
  • Educate them on the consequences of non-compliance with GDPR.
  • Let them know which leads they can engage with.
  • Educate them in how to obtain and record opt-in consent when networking, engaging with a cold lead or on LinkedIn.
  • Review the process of how leads are transferred from marketing to sales and work with IT to ensure all steps on that path are secure.

Step 6. Review third-parties who have access to your databases

What third parties do you share data with? How do they use it? What are their GDPR policies?

  • Review all partners that access your customer data. Do they need access? What do they use it for? Revoke access if required.
  • Contact all external partners who still must access your databases and confirm that their work processes are secure and GDPR-compliant.
  • The same applies to software providers into which you input or through which you collect customer data. Ask where they store the data (country) and if there is anything you need to add to your privacy policy regarding the software.

For Marketing Agencies

If you’re a digital marketer in an agency (as opposed to in-house), you are likely one of those third parties who handles many companies’ databases. You may, for example, have clients who share with you documents, Excel files, CRM access or website CMS access that shows you their customers’ personal data. 

Audit your dealings and levels of access for each client, and where you find you have access to personal data:

  • Request that your level of access to software where you can access personal data is modified to only allow you to see what you need – such as transaction numbers and revenue without any personal data.
  • Give clients owner access to things like Google Ads (if they don’t have it already) and train them to upload their own database lists.

Step 7. Have a streamlined process for information requests

Being GDPR-compliant will help ensure you’re able to respond to data access requests in a timely and appropriate manner. Remember, one of the key principles of GDPR is that you make reasonable use of personal data, and customers may query you about this. 

Did you know? This is sometimes called the Reasonable Person Test: what would a reasonable person consider fair and lawful practice? Colloquially, this person is often referred to as “the man on the Clapham omnibus”.

GDPR rules stipulate that you must respond to a data subject access request without undue delay and within one month at the latest. That period can be extended by a further two months for complex or numerous requests, but you must tell the individual about the extension, and the reason for it, within the first month. A ‘full response’ must include:

  • A copy of the personal data you hold about the individual
  • Why you collected the data and how you use it (the purposes of processing)
  • Who you have shared it with, or will share it with (the recipients or categories of recipient), including where it is stored and transferred outside the EU
  • For how long you intend to keep it, or the criteria used to decide that
  • Where the data came from, if not from the individual themselves
  • Their rights to correction, erasure, restriction and objection, and to complain to a supervisory authority

Set up a streamlined process for retrieving this data:

  • Create a landing page on your website with an information request form, and make sure requests that arrive by other routes (email, phone, social media) are funnelled into the same process.
  • Verify the requester’s identity before releasing anything, using data you already hold or a check proportionate to the sensitivity of the data. A subject access request is also a route an attacker can use to extract someone else’s personal data from you, so sending a full export to an unverified email address is itself a breach.
  • Assign a member (or members) of the team responsible for checking requests, pulling the data (from the automation tool if possible) and responding within one month.
  • Draft a template response email into which the individual’s data can be added, which also offers the option to unsubscribe or manage levels of consent, as well as the option to have data updated or deleted.
  • Log each request, the identity check performed, and the date you responded, so you can demonstrate compliance later.

Step 8. Prepare for a security breach

While your IT team will take on the lion’s share of the work in preventing, preparing for and handling technical security breaches, marketing and customer service are often on the front line to field customer complaints and questions when a security breach makes the headlines. Bear in mind the deadlines the IT and legal teams will be working to: under GDPR a personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals, and the affected individuals must be informed without undue delay where the breach is likely to result in a high risk to them. Your communications plan should assume it will be needed within that 72-hour window.

Prepare boilerplate crisis communication documents that deal with the eventuality of a security breach, including:

  • A process document including points of contact, emergency contact numbers, spokesperson and so on
  • A draft media statement, blog and social media updates
  • A draft script and brief responses to field customer questions over the phone or social media
  • One-pagers and Q&A documents, outlining the steps taken by all departments to comply with GDPR and IT security

5 final tips for your data protection practices

On our Data Protection 101 podcast, Steven Roberts suggested the following five takeaways.

  1. Audit your data
  2. Look at your processes and procedures carefully 
  3. Regular training
  4. Get the basics right and keep building on that.
  5. Identify data protection champions in your marketing team

Don’t Panic. Document Your GDPR Process.

GDPR compliance helps you check that you have robust data protection processes in place and you can respond efficiently to any data breaches. 

Being compliant with GDPR is not some ‘nice to have’. Organizations could face hefty financial fines and reputational damage if they fail to protect personal data. Being compliant makes business sense, and to stay compliant, you must keep up to date with the latest data trends and threats. 

If you follow the guidelines above and document your process, you can show you are doing the utmost to comply with the regulations. 

Note: Do not take this checklist as legal advice - you should work with your IT team and legal team to ensure there are no loose ends regarding compliance.

Ensure your digital strategy includes data protection

Data protection is now central to any digital strategy. Our digital marketing strategy course will not only cover the fundamentals of strategy but explore automation, analytics, budget, digital channels, leadership, and much more. Enroll today to get started!  


Steven Roberts

Steven Roberts is Group Head of Marketing at Griffith College, with 20 years’ experience in marketing at senior and director level across the education, tourism, not-for-profit and heritage sectors. He is a Fellow of the Chartered Institute of Marketing (FCIM) and a Certified Data Protection Officer (CDPO), and a member of the Marketing Institute of Ireland, the Public Relations Institute of Ireland and the Association of Compliance Officers in Ireland. He is the author of Data Protection for Marketers.
