GDPR Part 3: The tools marketeers use.


The new data protection laws coming from the General Data Protection Regulations (GDPR), means all businesses are going to have to rethink the way they operate. The GDPR will an especially huge impact on the way marketeers use personal information to promote their business and communicate with their customer base.

The new European privacy law aims to unify existing data protection and anti-spam laws throughout the EU. It’s set to be enforceable from May 25, 2018, and will pretty much impact every organisation in the world.

If you aren’t familiar with the General Data Protection Regulations (GDPR), our ‘ Are you ready for GDPR? ’ article will help give you a basic understanding of the new law.

To help you prepare for the upcoming change, here is some GDPR specific advice for some of the most common digital marketing platforms and tools.

Just bear in mind that we’re not lawyers, so if you’re concerned about how the GDPR will affect your business, we suggest you make contact with an independent advisor. Also, we’re not affiliated with any of the websites listed below, nor are we advocating any third party software or plugins they may suggest. We just found them to me useful resources to consider when preparing for the GDPR.

1. WordPress and or other CMS platforms

Your website is probably capturing a whole host of personal data without you realising it. Every time someone enters their personal information on your website, whether that’s through a login page or via a simple ‘contact us’ form, your website is probably storing that information somewhere. – How apparent is that to the user?

Storing this information isn’t a problem, so long as it’s secure. You don’t have to go removing contact forms and logins because of GDPR, but you may have to be a bit more transparent and explicit during these data capture moments. For example, your ‘contact us’ form should detail that you will store their information and why you need to do so. A tick box of consent should then be enough to seal the deal. – Just make sure you don’t add this information to any marketing/promotion lists without specific consent.

For more information, have a look at the following:

a.’s blog article on wordpress

b. Plugin specifically designed to help you prepare for the GDPR change *not tested by us

2. Direct mail, email marketing, phone and SMS

If you use direct mail, email marketing through as Mailchimp, Campaign Monitor or another service, SMS or telephone marketing, this is probably where the biggest change will come. GDPR’s stricter consent requires you to obtain specific, proven consent to contact individuals. However, if you can prove lawful basis, or ‘legitimate interest’, you may not need to gain this prior consent.

The GDPR acknowledges that direct marketing will often be a ‘legitimate interest’ and therefore consent is often not required under the GDPR. Recital 47 of the GDPR actually says that:

“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

For example, if you want to email your clients about a new product, you can do so in reliance on their ‘legitimate interest’. This does not need specific consent, and if you think about it, how else are they going to know about it in order to consent to it? You will, however, always need to make it clear how to opt-out.

Now, you may think ‘legitimate interest’ is the get out of jail free card, but that may not be the case. You need to think carefully about how you use ‘legitimate interest’. You can not use personal data to segment contacts or deliver specific information without consent, unless it is required to achieve ‘legitimate interest’. – Sounds complicated, I know!

For example, contacting potential clients about your service or products could be considered ‘legitimate interest’. However, contacting these clients with your weekly newsletter without consent, could be argued as falling outside ‘legitimate interest’ – If you think about it, they don’t know you, so why is this of interest? Our suggestion is you’ll need to clearly distinguish between legitimate interest contacts and those that have consented. We suggest you always aim for consent and try to get all your ‘legitimate interest’ contacts converted into proven consenting contacts.

One way to help prove your mail contacts have given specific consent, you must use very clear and unambiguous data capture methods such as Mailchimp’s Double Opt-In
[]. For more information about GDPR and direct marketing have a read of:

a.’s blog artile on GDPR

b. Field Fisher’s guide to GDPR

3. Facebook, Twitter and other social media platforms

For most of us, GDPR will have little impact on how you interact with your social media contacts. You will be pleased to hear that consent and personal data use will be effectively covered by the terms and conditions and privacy notices of each of these software tools. – Phew!

However, it’s worth considering how you use the plethora of information that can be gained from social media. GDPR will prohibit you from extracting information from social media, such as usernames or messenger contact details, and adding them into your own databases without specific and proven consent. – If you remember that users gave that information to Facebook, LinkedIn (or other) and gave them permission to display it and use it, they didn’t give you that permission – even if it’s right there in the public domain for everyone to see (you can look, just don’t touch!).

If you are using social media as a means of collecting potential contact’s details so you can target them as potential clients, I suggest you refer back to the ‘ Direct mail, email marketing, phone and SMS ’ section and ensure you meet the ‘legitimate interest’ requirements. – To avoid this quandary, you can always contact them on the platform you found them on, this would avoid any issues around consent.

For more information, have a look at the following:

a.’s blog on Social media and GDPR

b. The Social Effects blog on GDPR Social Media Strategies

4. Google Analytics

In Short, as standard, Google Analytics doesn’t store any personal information. If a customer phones up, you cannot identify which vist/user they were using Analytics. Just make sure that you don’t use personal information in login URLS. This isn’t standard practice, but you should check to make sure.

For more information about GDPR and Google Analytics, have a read of:

a. Simple blog article from

b. Googles’ compliance information

For more information on GDPR, read our other articles ‘ Are you ready for GDPR? ’  and ‘ What does GDPR mean to my business ’ , or visit the EU GDPR website [ ] or have a look at this infographic from the European Commission [ ] .

Friday 30th March