60 days to GDRP

What is GDPR?
GDPR is new regulation passed by the European Parliament, the council of the European Union and the European commission in an attempt to protect personal data of European citizens. It was approved on the 14th April 2016 and will come into action as of the 25th May 2018.

Who does it apply to?
Even though this is a European law, it applies to all companies (whether they are in Europe or not) who collect and use personal data from EU citizens. That is, if you are collecting email addresses and send email to subscribers in the EU, you’ll have to comply with GDPR – no matter where you are based.

Key GDPR concepts


With the new rules in place for the GDPR, marketers will now have to be more careful with the data that they use. In fact, people who have opted-in to be contacted for one reason cannot be contacted for another reason. Let’s say someone signed in for your newsletter. That allows you to send him your newsletter but it does not allow you to contact him for a survey for example. Additionally, not only will people have to give their consent, but they will have to actively do so.

Have a look at the examples below. Example 2 is good but example 1 is not. In example 1, the field “I agree that Vintage sends me marketing materials” was preselected for the person which is not in agreement with GDPR. In example 2, though, the person actively selects the field “Yes, I agree to be send other marketing materials by Vintage”, and is thus in agreement with GDPR practices.

The signup process must inform subscribers about the brand that’s collecting the consent and provide information about the purpose of collecting personal data. Additionally, under the GDPR, the burden of proof that sufficient consent has been given lies with the company. This, if challenged, you will have to show evidence that you are GDPR compliant.

GDPR does not only apply to data that will be collected from the 25th of May 2018 but to any data that your company has. If you collected data in a manner that does not align with GDPR practices, you will either have to get the consent of the people in the database or you will have to stop using the data.

A person is allowed to request deletion of his personal information at any time. The company then has to prove that the data was deleted. This also applies if the data was shared with a third party. The later will then also have to comply. You must provide users with a way to withdraw consent and review personal data that has been collected on them.


“The right to be forgotten”

In case of a data breach, the burden falls on the company to inform each person whose data may have been stolen, and that within 72 hours whenever feasible.

“Notification of a data breach”

Only keep the data that you need
GDPR does not set out any specific minimum or maximum periods for keeping data but it does stipulate that personal data should not be kept for longer that is necessary for the purpose for which it was collected. Once you have used the data for the purpose for which the person gave you the data, you then have to delete it. For example, if I give you my email address in order to get a specific whitepaper, once the whitepaper is sent to me, you have to delete my data. You cannot reuse that data to send me an infographic in a month unless I specifically indicated that I agree to receive further material from you.

The fine
GDPR brings more clarity for the usage of data in this big data age and it brings protection of individuals but that is not the only thing it comes with. It also comes with a heavy fine for company who are not compliant. Not complying with GDPR puts you at risk for a fine of up to €20 million or 4% of a brand’s total global annual turnover (whichever is higher).

So to sum up:

  • You must request the explicit consent of every user before you collect data
  • Old data which is not GDPR compliant must be reviewed
  • You must provide users with a way to withdraw consent and review personal data that has been collected on them
  • Your privacy policy must be clear and accessible and show how the data collected will be used
  • You should only keep data that you need
  • If you get a data breech, you need to inform users
  • You better get GDPR compliant or get ready to pay


[Disclaimer: this is an informative summary of some of the aspects of GDPR. It is not representative of all the aspects of the new regulation and is our understanding of it. We would strongly advise you to check with your legal department before you finalise your GDPR compliance journey.]