The General Data Protection Regulation (GDPR) is the biggest change to data protection legislation in two decades.

Despite it being pretty much a constant topic in the marketing and wider business community for a number of years, we still get questions from businesses on a weekly basis about how to approach GDPR strategy. If you haven’t got your house in order yet either, don’t panic. You’re not alone.

To help you get your house in order, we’ve pulled together all of our resources, expertise and advice on GDPR into this ultimate guide. From timescales to telemarketing, from definitions to documentation, if it pertains to marketing under GDPR, you’ll probably be able to find it here.

What is GDPR?

The General Data Protection Regulation (GDPR) replaces the 1995 Data Protection Directive (95/46/EC) as the EU’s data protection law. In the UK that means it supersedes the Data Protection Act 1998, which implemented that directive.


Although it was adopted in April 2016 and has technically been in force since May 2016, GDPR applies (and will be enforced) from the 25th May 2018. From that day forward, your data processing activities are subject to the regulation, and non-compliance could cost you up to 20 million euro, or 4% of worldwide annual turnover (whichever is larger).


“A-ha!” We hear you say! “But Brexit! The United Kingdom will leave the EU on the 29th March 2019. If the GDPR is an EU thing, why are we worrying?!” Slow down there, slim. First of all, the UK is still in the EU for just under a year after GDPR comes into effect. Secondly, GDPR applies to anyone offering goods or services to people in the EU, so if you’re trading with – and presumably marketing to – customers and businesses in Europe, you’ll still need to comply whether or not the UK is a member state. And thirdly, the government’s Data Protection Bill is designed to write the GDPR standard into UK law in its own right. So no such luck.

What is GDPR? Key takeaways

  • GDPR is European Union wide data protection legislation which will be enforced from the 25th May 2018.
  • Brexit does not give the UK a free pass. We are still a member state of the EU until 29th March 2019, giving us almost a full year under GDPR; GDPR applies to anyone marketing to people in the EU regardless of where they sit; and the Data Protection Bill will carry the same standard into UK law.
  • Non-compliance puts you at risk of fines of up to 20 million Euro or 4% of worldwide annual turnover (whichever is greater).


If you’re reading this, and you are, you’re quite likely a marketer. We’re all marketers here. We know about the murky world of marketing consent. We know all the tricks – the pre-ticked boxes, the confusing wording. Have we used them? Maybe. Do they work? Sometimes. Well, it’s now time to make your way out of the darkness and into the light – consent is a BIG topic under GDPR, and the old ways just aren’t going to cut it anymore. (Consent isn’t the only lawful basis for processing; legitimate interests gets its own section further down. It is, however, the one most marketing lists have leaned on.) Read on to find out more about getting consent right for GDPR.

How is consent defined?

The legal wording:

“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

GDPR, Article 4(11)

This is a very long-winded and regulatory-speaky way of saying that if you are seeking to obtain consent to send marketing communication to an individual, they must have very clearly and unambiguously said “YES” to receiving such communication from your business. This removes the ambiguity of the old regime: the Data Protection Act 1998 never defined consent at all, and the 1995 Directive’s definition said nothing about a clear affirmative action – leaving a big fat loophole for marketers to jump through with their tick-box based trickery.

What does this look like in practice?

First and foremost, it means revisiting any forms that exist on your website or any other of your channels, and assessing what the marketing consent field looks like. Is it intentionally confusing? Ditch it. Does it ask them to untick the box if they don’t wish to receive communication? Kill it with fire.

Reviewing your practices

Here are just some of the consent-getting tactics we’ve seen over the years which aren’t going to cut it under GDPR. If you use any of these, revisit, revise and relaunch. Now.

  • Pre-ticked boxes – the classic “untick this box if you don’t want to receive communication from us”. GDPR specifically rules this one out: Recital 32 says that silence, pre-ticked boxes or inactivity do not constitute consent.
  • Universal opt-in – i.e. signing up to receive all marketing communications. You should be specific and granular about what they are consenting to, and give them the opportunity to choose exactly what they opt in to receive.
  • “Historic consent” – just because they’ve always been in your database doesn’t mean they’re opted in. If you can’t show when, how and to what they agreed, you don’t have consent.
  • Making unsubscribing a nightmare – “Bury the unsubscribe detail in the footer of the page” or “Make them write to us through the post to unsubscribe” are just not going to cut it. Article 7(3) says withdrawing consent must be as easy as giving it, so the unsubscribe process must be EASY.
  • Precondition of service – GDPR specifically states that consent is presumed not to be freely given if access to a service is made conditional on consenting to processing that isn’t necessary for that service (Article 7(4), Recital 43). You can’t bury an “I consent to receiving marketing communication” in your general terms and conditions. It has to be separate.

Double opt-in

The guidance on top level, first interaction consent is pretty clear. In order to put a really big, bold tick in the “unambiguous, affirmative action” box, people are playing around with the idea of double opt-in.

What does this mean?

ActiveCampaign define it as:

“A double opt-in means that after a contact submits a form, they are sent an email asking them to confirm their subscription to your list.”

You could easily apply the above process to telemarketing and direct marketing too. If a contact agrees on a phone call or via a written letter (as unlikely as that may seem) to be subscribed to a marketing list, you can then send an email asking them to confirm.

Reasons to do it:

  • Managing different channels – under GDPR, you need to be able to demonstrate that consent was given (Article 7(1)), which means keeping a record of it. This can be challenging over the phone or through the post. Double opt-in is great for the multi-channel approach because it gives that time and date stamp, in a digital format, regardless of where the actual initial consent was given. It means you only have to maintain one process going forward.
  • Getting rid of crap – without double opt-in, there’s a case to argue that marketing information may be sent to people who never consented to receiving it: they may have ticked something by mistake, someone else may have typed in their address, or they may have been accidentally signed up without knowing. The additional step that double opt-in provides confirms that the address belongs to someone who actually wants the mail.

Reasons not to do it:

  • Getting people to do stuff is hard – When you ask someone to change channels during a conversion process, it will negatively affect conversion in some way. This can be applied to the notion of consent too. It could be that by introducing a double opt-in consent process that you find it difficult to get consent, which defeats the whole purpose.
  • There’s no legal requirement – simple, yet true. There is no specific guideline or wording under GDPR that states you must have a double opt-in process. What GDPR requires is that you can demonstrate consent; double opt-in is one way of generating that evidence, not the only one.

Consent key takeaways

  • Avoid ambiguity. Consent to process data under GDPR must be clear and involve a positive and affirmative action from the user.
  • Be granular. Exercise transparency and specifically tell the user what they’re opting into.
  • Review old data from your database. Consider the conditions under which these details were obtained and whether you have record of consent. Consider running a re-opt-in campaign (more below).
  • Make it clear, easy and accessible for people to withdraw their consent and opt-out of communication.
  • Do not bury consent within wider T’s and C’s, as a precondition of service.
  • Double opt-in, while not a requirement under the legislation, gives you a clean, timestamped record of an affirmative action. Review your process as a whole and decide whether this is for you.

Campaigns and strategy

Reactivating lapsed subscribers

Savvy marketers who don’t want to see their entire list disappear once they remove anyone who hasn’t consented to communication may want to run a reactivation campaign. This means trying to get as many of your existing database on-board the marketing train as possible, whilst obtaining consent in a GDPR-compliant way (see more above).


Step-by-step, this is what a good reactivation campaign should look like.

Data audit

Load up your marketing automation or CRM system of choice, look at your data and ask yourself the following questions:

  • What is the total number of contacts?
  • What is the blend of customers, prospects and lapsed etc?
  • How many contacts have email addresses?
  • How many have phone numbers?
  • How many have postal details?
  • What is the last contact date?
  • How did they end up on the list?

Once you have some answers, you need to figure out what you’re going to do with this data. You’re going to need to go out there at some point and directly ask for that all-important opt-in. For those you don’t currently have email addresses for, think about the implications of getting consent from them. Indicative costs for contacting each individual are:

Telephone – £3 per contact

Postal – £2.50 per contact

Don’t worry about email. Email’s free (well, sort of – you might be paying for an email marketing tool/marketing automation system, but it doesn’t require any additional investment in this context).

Make them care

The next step is getting these people to recognise the value of your content before they consent and give you a tick in the box – a key difference between a clear opt-in, and people not being arsed to opt out (which you’ll know is important, if you’ve been paying attention). You need to ensure that the content they are receiving is helping the contact in their daily lives somehow. Now that’s not just helping them when they’re ready to buy something, with product sheets, comparisons and the like – it’s also getting involved much earlier in the buyer’s journey. That is, when they’re experiencing the symptoms of a problem, or assessing the range of solutions that are open to them to solve that problem. A strong newsletter made up of valuable content is a great way to do that. More on this below.

For those with no email address

If you have a load of contacts, with no email address and no phone number, one option is to create a proof of concept hard copy newsletter. It could mirror the content in the digital one. You can use this as a means to drive people to an online subscription form, and then drive them to an opt-in form to receive email versions in the future. It’s worth pointing out here, getting someone to recognise the value in a printed doc is the easy bit. Getting them to change channels and make the leap online to complete an opt-in process requires a helluva lot of action on the contact’s part. See double opt-in above.


If you found as part of your data audit that you have a tonne of contacts with phone numbers as the only decent contact details, you can decide to go down the telephone route. As part of a waterfall approach, this would be the final fall into the foam. That’s because it has the highest cost per opt-in. It’s worth having good content examples and a strong telemarketer to get the best results out of this tactic.

Building a marketing list after GDPR

You might be thinking “oh well that’s all very well and good, reactivating contacts. I’m just starting out, how do I build a list now?!”. Well we’ve put some thought into that for you, and it’s all about demonstrating value.

Content that makes them care

Within the inbound methodology, content starts with a process of figuring out what your potential customers are putting into Google to help diagnose their current problem, also known as keyword analysis. The end game here is to come out with a list of keywords that are the right blend between popularity (the number of searches on a monthly basis) and competition (how many other sites are competing on that keyword, and how authoritative they are). You then use this list to do some content planning. Look at the keywords that present the best opportunities, and build blog post titles around them. Once you’ve got a calendar in place – it’s writing time! We’d suggest a frequency of around 1 blog post a week if you can manage it. 2 a month minimum if you can’t.


The next step once you’ve brought visitors to your website is doing something with them – something here being grabbing hold of their email address, and hopefully, their consent. Go through your blog posts and make sure that every blog post has a relevant conversion point. We call these buttons or banners calls-to-action (or CTAs). Suffice to say, that CTA needs to be a logical next step. So it’s not so much about free trials and demonstrations as it is about research papers, webinars, white papers and the like. In addition to giving people the opportunity to download that content offer, get a separate, unticked tick box in there asking people to subscribe to receive a monthly email newsletter that has more of this great content in it. The download must not be conditional on ticking it.

Post-GDPR Strategy

Our final word on strategy is this – sustainable. Whatever process/strategy you put in place to reactivate people or quickly grab as many sign ups as you can before the big day, this needs to be sustainable going forward. Don’t just rest on your laurels – there’s a whole world of new subscribers out there! Not to mention keeping your existing ones engaged and driving them to convert. And you can’t hope to do this without a long-term content strategy. Happy planning!

GDPR strategy takeaways

  • Audit – look at your current database and assess the number of contacts, whether you have consent to contact them, and the means you have of contacting them.
  • Make them care – whether you’re building a new database or reactivating an old one, content is king. Build a content calendar that will help you produce regular, valuable content for your audience. Package this into a monthly or weekly newsletter for people to subscribe to.
  • Take a waterfall approach – for varying levels of contact detail, take a phased approach. Hit your email addresses first, followed by a postal campaign, then a telemarketing one. This will help you contain costs.
  • Don’t forget to convert – to go with your blogging calendar, build a steady plan for a number of conversion pieces to provide even more value – research papers, whitepapers, guides, checklists, etc.

Direct and telemarketing

Telemarketing and direct marketing (whether that’s email or “physical” campaigns) are still favoured tactics for many a marketer. And we’re under no illusion – done right, in the right context, these things work. But considering some of the points covered so far, where do you stand with these tactics in a post-GDPR world, when it’s all about consent?

Legitimate interests

Recital 47 of the mammoth GDPR text says: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

As you can imagine, we’ve spoken personally to a number of telemarketing agencies who have jumped on this like a cat with a laser pointer, and clung on for dear life like a cat on a pair of curtains (we’ll stop with the cat analogies now). For many, they see legitimate interests as a get out of jail free card to allow them to continue to cold call without consent. A significant point to bear in mind here though, is the wording around legitimate interests and when it can be used. Sure, the recital mentions direct marketing. But the ICO’s guidance on the basis says it is most likely to be appropriate where “you use people’s data in ways they would reasonably expect and which have a minimal privacy impact”, and it expects you to document a three-part test: is there a legitimate interest, is the processing necessary for it, and is that interest overridden by the individual’s rights and interests? On top of that, Article 21(2) and (3) give individuals an absolute right to object to direct marketing, at which point you must stop. You therefore take on some extra responsibility around this should you claim legitimate interests.

We’ll unpack telemarketing and direct marketing and how these relate specifically to consent and legitimate interests in the sections below.

GDPR and telemarketing

So, how do things look for B2B telemarketing under GDPR? Well, to answer that question we need to get into the weeds on the process a bit. GDPR is all about protecting the privacy and personal data of people in the EU. In posh legal words, it’s about “personal data”: any information relating to an identified or identifiable individual, which is a wider net than the American idea of Personally Identifiable Information (PII). Company data, like a switchboard phone number or a generic info@ address, doesn’t relate to an identifiable individual, so it isn’t personal data.

Did a little lightbulb just go on? That’s right, this means you can legitimately keep company data in your CRM system just as you do now. You will have to screen against the Corporate Telephone Preference Service (CTPS), but obviously you’re already doing that. Right? RIGHT? As long as you’re not processing personal data, you can call into these businesses. It just means instead of saying “Hello, please can I speak to Mary Matthews in Marketing?”, or calling Mary directly, you call reception and say “Hello, please can I speak to the lovely guy or gal who looks after marketing?”. Simple! Ish. Bear in mind that the moment you write down the name of the person you spoke to, their direct line or what they told you, you are processing personal data again.


If personal data starts to get involved, and you want to be able to continue to give Mary Matthews in Marketing a buzz whenever you like, then you need a lawful basis for holding her details: either her consent, or a documented legitimate interests assessment (see above), with her right to object honoured either way. If you’ve not already started, now’s the time to be addressing your existing data – see above.

How do you go about getting consent on the telephone, you ask? As you need an auditable process, it’s best practice to have a standard way of doing this, and to log who asked, when, what was said and what the answer was against the contact record. We have mixed feelings about telemarketing scripts, but in this case, they may actually be warranted.

Consider something like:

“Thanks for your time on the phone today. We take the utmost care in the processing of data and I wanted to check you’re OK for me to store a note of our discussion to help me next time we chat and for me to call back on [insert date here].”


“We have a great newsletter too which helps keep you in the loop on our latest news. Are you happy to receive this by email once a month?”

Document this process, drum it into your telemarketers, and hang, draw or quarter anyone who doesn’t follow it. Or something less dramatic. Up to you.

GDPR and direct marketing

Despite being fully signed on to the inbound agenda, we are more than willing to hold our hands up and say a good direct marketing campaign still cuts the mustard. It just does. But how does the old faithful of marketing fare in a post-GDPR world?

One of the main areas of confusion is around GDPR, direct marketing and the Privacy and Electronic Communications Regulations (PECR). That is – what the hell does direct marketing actually have to comply with? Direct marketing in the form of email – email marketing, as the young whippersnappers call it – is covered by PECR, as are SMS and telephone marketing. Indeed, the ICO’s digital marketing guidance is based on the PECR regulations. GDPR sits underneath all of that: whatever PECR says about the channel, you still need a lawful basis under GDPR for holding and using the personal data.

Most of GDPR talks in the language of ‘processing’ and is quite vague. This makes it either broad reaching or unenforceable depending on who you speak to and whose payroll they’re on. It does make mention of direct marketing in a few areas, most notably Article 21(2) and (3): individuals have the right to object to processing for direct marketing at any time, the objection is absolute, and once they object you must stop. Much of the rest is about giving people easy ways to exercise that right.

The fuss around GDPR and the future of direct marketing centres around consent. Article 6(1) of GDPR is clear that organisations can only process the data of individuals if they have one of the six lawful bases for doing so (Article 5(1)(a) is the principle that processing must be lawful, fair and transparent). For marketing, the two bases that matter are consent, or legitimate interests if you want to go down that route.

As there are essentially two types of direct marketing (outside of telemarketing), let’s unpack them.

Direct mail (postal marketing)

This is outside the scope of the PECR. So unless you already run a consent basis for postal marketing, then your best bet is probably legitimate interests: document the assessment, ensure that you give people a simple way to opt out, and screen against the Mail Preference Service (MPS).

Email and SMS marketing

We are under the remit of PECR here (regulation 22 for the consent rules, regulation 23 for what every message must contain).

If it’s Business to Consumer (B2C), or to a sole trader or certain unincorporated partnerships (the ICO calls these “individual subscribers”) – you’re going to need opt-in consent. The one exception is the “soft opt-in”: if you obtained their details in the course of a sale or negotiations for a sale, you can email them about your own similar products or services, provided you gave them the chance to refuse when you collected the details and give it again in every message (most email marketing systems handle the unsubscribe part as a matter of course these days). Business to Business (B2B) email to limited companies, LLPs and other “corporate subscribers” doesn’t need PECR consent, so it is opt-out from the get go – but a named person’s work email address is still personal data, so you need a GDPR lawful basis (typically legitimate interests) for holding and using it.

In every case you have to say who the message is from, give a valid address for opting out, and honour the opt-out (e.g. an unsubscribe link).

Stand by for this to change under the ePrivacy Regulation.

Direct and telemarketing takeaways

  • Legitimate interests is a potential lawful basis for processing covering direct marketing, but should be handled with care. Processing under this should be “consistent with what the individual would reasonably expect” and have “minimal privacy impact”, you should document the assessment, and an objection to direct marketing must always be honoured.
  • Telemarketing can still be considered compliant under GDPR if you process company data rather than personal data; once you record a named individual’s details you need a lawful basis for them.
  • Postal direct marketing and B2B email can be run under legitimate interests. For B2C email/SMS, PECR requires consent (or the soft opt-in) whatever your GDPR basis, and PECR is likely to be replaced by ePrivacy in the not too distant future.
  • For email/SMS, current guidelines state that B2C communication, or communication to sole traders and certain unincorporated partnerships, is strictly opt-in, and B2B to corporate subscribers is opt-out.
  • Whatever you do, you should still validate your data against the Corporate Telephone Preference Service and the Mail Preference Service.
  • For B2B email marketing, you should ensure that individuals have a clear and easy way to opt out of communication, and that every message identifies the sender.


Note – this section is by no means exhaustive. We don’t think anyone’s sure at the moment exactly what impact GDPR will have on all the various marketing technologies and how we use them to get stuff done. We’ve covered off a few key ones here though, and we’ll be sure to keep it updated once we know more.

Also, technology is likely to be much more significantly impacted by the impending ePrivacy Regulation – see more below.

Google Analytics

Google now gives you the opportunity to set data retention periods for the user-level and event-level data Analytics holds. We have focused on Google here as they have specifically addressed this and it is a common way for marketers to track individuals on their site and across multiple assets.

Data retention under GDPR

GDPR sets no fixed maximum on how long you can retain an individual’s personal data, but the storage limitation principle (Article 5(1)(e)) says it must be kept no longer than is necessary for the purpose you collected it for, and you have to be able to justify the period you choose. On top of that, GDPR brings in this little gem (as the ICO puts it in its guidance on the right to be informed): “You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.” The key takeaway here is documentation and transparency – you must keep a record of and clearly inform the user how long you intend to retain their data for.

Google's approach

Google is now giving you a number of options for retaining data in Analytics. After this period of time, it will remove user-level and event-level data associated with cookies, user identifiers (User IDs) and advertising identifiers (DoubleClick cookies, Android Advertising ID, Apple’s Identifier for Advertisers). This is particularly significant if you do any sort of remarketing or personalisation on your site. The timescales available are as follows:

  • 14 months
  • 26 months
  • 38 months
  • 50 months
  • Do not automatically expire

As mentioned above, there is no fixed legislative maximum on how long you are allowed to retain data for, so the period is up to you, as long as you can justify it against your purpose. Just bear in mind, if you choose “do not automatically expire”, and even if you inform your users as such, this may come across as a little woolly, and “indefinitely” is hard to square with the storage limitation principle, which could leave you on shaky ground. It’s worth examining your processing needs and thinking seriously about whether you need to retain a user’s data indefinitely. Once you’ve made this decision, you’ll need to select the appropriate settings in Analytics. There’s more information on the Google support site.

If you use a service other than Google Analytics to track users on your site, it is worth checking with them directly what the approach is to data retention.

Updating your privacy policy

Once you have all of your ducks in a row regarding data retention and your various marketing tools, it’s time to let your users know (that’s the transparency part, geddit?).

The easiest way to do this is by updating your privacy/cookies policy. If you are currently looking at your screen a bit blankly because you don’t have a cookies or privacy policy page – it’s a very good idea to, you know, get one. “The right to be informed”, as you’ll have read above, also covers the purposes of processing data. This means you’ll want to inform website users of why you collect certain data and how you use it. You should add a line for each cookie/service you use explaining what’s being processed, why, and for how long.

Marketing automation

Marketing automation and GDPR should be a great fit. Indeed, a Marketing Automation System (MAS) can be a great tool in a business’ arsenal when it comes to meeting GDPR compliance requirements. Note the word can. In itself, running a MAS, much like any system, is not going to magically make you compliant. Similarly, the way that many businesses use a MAS currently, it would actually be more of a hindrance than a help. With that in mind, we’re going to talk about process rather than systems not least because there are literally hundreds of MAS vendors out there all flogging their wares (with admittedly varying degrees of success!).

Auto opt-in

Currently, many companies will take the fact that someone has downloaded a checklist or a white paper from their website as being a reason to subscribe them to general marketing lists flogging their wares. We can’t do that any longer. We need to make sure that if there is a form, and a landing page, that the ability to download that content offer is not linked as a matter of course to subscribing that person to receiving future communications. Where you have landing page or download form on your site, be sure to add a tick-box or similar field to capture consent in accordance with the guidelines covered in our consent section.


Under GDPR, not only do we need to make sure we have this consent, we have to make sure that the information of who gave it, when and in what context is stored in a secure location and available for audit from the Information Commissioner’s Office should they wish to validate your processes.

This is about ensuring your ship is in order:

  • Make sure your MAS supports time and date stamps against subscriptions. You need to be able to see against an individual contact record when they subscribed, and ideally how (which form or call) and which version of the consent wording they saw. If it doesn’t, customise it to do so or move systems. There’s no way around this – so get it done!
  • Linked to the previous point, your MAS has to have a way of identifying what they have specifically consented to, purpose by purpose, and of recording when they withdrew it.
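What a record that satisfies both the double opt-in section above and the two points just listed looks like in code: an added example, not the page’s own code or any MAS vendor’s. It assumes a hypothetical `TOKEN_KEY` secret, a fixed set of granular purposes and a 48-hour link lifetime; everything else is Python standard library. The form submission issues a signed, expiring confirmation token; the click on the emailed link verifies the signature, rejects replays and expired links, and only then appends a consent event recording who, when, from which form, which wording version and which purposes. Withdrawal is a single call, and the current state is replayed from the append-only log, so the audit trail never loses history.

```python
"""Double opt-in with an auditable consent ledger (added example).

Step 1: the form is submitted -> issue a signed, expiring confirmation token.
Step 2: the contact clicks the emailed link -> verify it, then record consent.
The ledger is append-only: grants and withdrawals are events, never overwrites.
"""
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta

# Hypothetical key for signing confirmation links. Load from a secrets store in
# real deployments; a fresh random key here means tokens die with the process.
TOKEN_KEY = secrets.token_bytes(32)
TOKEN_TTL = timedelta(hours=48)                                # confirmation links expire
KNOWN_PURPOSES = {"newsletter", "product_updates", "events"}   # granular, not "all marketing"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(TOKEN_KEY, payload, hashlib.sha256).digest())


class ConsentLedger:
    def __init__(self) -> None:
        self.events: list[dict] = []   # append-only audit trail
        self._used: set[str] = set()   # token signatures already redeemed

    def start_double_opt_in(self, email, purposes, source, wording_version, now):
        """Form submitted. Returns the token to embed in the confirmation email.
        Nothing counts as consent yet; only the pending request is logged."""
        purposes = sorted(set(purposes))
        if not purposes or set(purposes) - KNOWN_PURPOSES:
            raise ValueError(f"purposes must be a non-empty subset of {sorted(KNOWN_PURPOSES)}")
        payload = json.dumps({
            "email": email, "purposes": purposes, "source": source,
            "wording": wording_version, "exp": (now + TOKEN_TTL).isoformat(),
            "nonce": secrets.token_hex(8),   # makes every token unique
        }, sort_keys=True).encode()
        self.events.append({"type": "pending", "email": email,
                            "purposes": purposes, "at": now.isoformat()})
        return _b64(payload) + "." + _sign(payload)

    def confirm(self, token, now, ip=None):
        """Link clicked. Verify signature, single use and expiry, then record the
        grant with who, when, from which form, which wording and which purposes."""
        payload_b64, _, sig = token.partition(".")
        if not sig:
            raise ValueError("malformed token")
        payload = _unb64(payload_b64)
        if not hmac.compare_digest(_sign(payload), sig):   # constant-time compare
            raise ValueError("bad signature")
        if sig in self._used:
            raise ValueError("token already used")
        data = json.loads(payload)
        if now > datetime.fromisoformat(data["exp"]):
            raise ValueError("token expired")
        self._used.add(sig)
        record = {"type": "granted", "email": data["email"], "purposes": data["purposes"],
                  "source": data["source"], "wording": data["wording"],
                  "confirmed_at": now.isoformat(), "ip": ip}
        self.events.append(record)
        return record

    def withdraw(self, email, purposes, now):
        """Withdrawing must be as easy as giving consent: one call, no second step."""
        self.events.append({"type": "withdrawn", "email": email,
                            "purposes": sorted(purposes), "at": now.isoformat()})

    def permitted_purposes(self, email):
        """Replay the log; a purpose is live only if its latest event is a grant."""
        state = {}
        for ev in self.events:
            if ev["email"] != email or ev["type"] == "pending":
                continue
            for purpose in ev["purposes"]:
                state[purpose] = ev["type"] == "granted"
        return sorted(p for p, live in state.items() if live)

    def audit_trail(self, email):
        """Everything that ever happened for this contact, in order."""
        return [ev for ev in self.events if ev["email"] == email]
```

The token carries the consent request itself (address, purposes, form, wording version) so the confirmation step records exactly what was shown at the time, not whatever the form says today; the HMAC stops anyone forging a link for someone else’s address, and the used-signature set stops a forwarded link being redeemed twice.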

The right to be forgotten

One of the more prominent areas of GDPR is the right to be forgotten, formally the right to erasure (Article 17). That is, if your personal data is held by a company, you can ask that company to delete it. The right isn’t absolute: Article 17(3) lets you keep data you are legally obliged to retain (order and tax records, for example), but you still have to stop marketing to the person and remove everything you don’t have a separate reason to keep.

The tricky part here is that some systems don’t support record deletion…at all. Some systems support merging, or deactivating, but not deletion. This is particularly common if there is an order history attached to the contact, as removing the contact record can break references elsewhere in the wider enterprise systems.

Again, if your system doesn’t support this, it needs to. Either with customisation or vendor change. We’ve heard of people hacking around this by overwriting contact fields with a series of ‘XXX’s. Done properly, that is a legitimate approach: data that has been irreversibly anonymised is no longer personal data (Recital 26), so the order rows can stay while the person behind them becomes unidentifiable. Done by hand, it requires a lot of human intervention, which may or may not be a good idea depending on the level of esteem you hold humanity in.
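The “overwrite the contact” workaround done as a transaction rather than by hand, as an added example (not from the page or any vendor): it uses an in-memory SQLite database with constructed sample rows, a hypothetical `SUPPRESSION_KEY`, and standard-library Python only. A contact with no dependent orders is deleted outright; one with an order history is anonymised in place, so the order rows keep their foreign key but no longer point at an identifiable person; and a keyed fingerprint of the address goes on a suppression list so the same person is not re-imported and marketed to again. The fingerprint is an HMAC rather than a plain hash so that it cannot be reversed from a list of known addresses without the key.

```python
"""Erasure request handling where order history must survive (added example).

Delete the contact outright when nothing depends on it; otherwise anonymise it
in place, inside one transaction, and add a keyed fingerprint of the address to
a suppression list so the person is not re-imported and marketed to again.
"""
import hashlib
import hmac
import sqlite3
from datetime import datetime, timezone
from typing import Optional

# Hypothetical key. Keyed, so the suppression list cannot be reversed by hashing a
# list of known addresses without it. Load from a secrets store in real deployments.
SUPPRESSION_KEY = b"rotate-me-and-keep-me-out-of-git"

SCHEMA = """
PRAGMA foreign_keys = ON;
CREATE TABLE contacts (
    id INTEGER PRIMARY KEY, email TEXT UNIQUE, name TEXT, phone TEXT, erased_at TEXT);
CREATE TABLE orders (
    id INTEGER PRIMARY KEY, contact_id INTEGER NOT NULL REFERENCES contacts(id),
    order_date TEXT NOT NULL, total_pence INTEGER NOT NULL);
CREATE TABLE suppression (email_mac TEXT PRIMARY KEY, added_at TEXT NOT NULL);
"""


def email_mac(email: str) -> str:
    """Case-insensitive keyed fingerprint of an address for the suppression list."""
    return hmac.new(SUPPRESSION_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def open_demo_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed sample rows (not real people)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO contacts(id, email, name, phone) VALUES (?, ?, ?, ?)", [
        (1, "mary@example.com", "Mary Matthews", "+44 20 7946 0001"),
        (2, "tom@example.com", "Tom Tailor", "+44 20 7946 0002"),
    ])
    conn.executemany("INSERT INTO orders(contact_id, order_date, total_pence) VALUES (?, ?, ?)", [
        (1, "2017-11-02", 12999), (1, "2018-02-14", 4500),
    ])
    conn.commit()
    return conn


def is_suppressed(conn: sqlite3.Connection, email: str) -> bool:
    """Check before importing or mailing an address: has this person asked to be erased?"""
    row = conn.execute("SELECT 1 FROM suppression WHERE email_mac = ?", (email_mac(email),)).fetchone()
    return row is not None


def erase_contact(conn: sqlite3.Connection, email: str, now: Optional[datetime] = None) -> dict:
    """Handle an erasure request for `email`; returns a small report for the case file."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    if is_suppressed(conn, email):
        return {"action": "already_erased"}
    row = conn.execute("SELECT id FROM contacts WHERE email = ?", (email,)).fetchone()
    if row is None:
        return {"action": "not_found"}
    contact_id = row[0]
    with conn:  # one transaction: either every step lands or none does
        n_orders = conn.execute("SELECT COUNT(*) FROM orders WHERE contact_id = ?",
                                (contact_id,)).fetchone()[0]
        if n_orders == 0:
            conn.execute("DELETE FROM contacts WHERE id = ?", (contact_id,))
            action = "deleted"
        else:
            # Orders stay (records you may be obliged to keep); the person behind them
            # is made unidentifiable instead. The placeholder is derived from the row id,
            # not from the personal data, so nothing about the individual survives.
            conn.execute(
                "UPDATE contacts SET email = ?, name = NULL, phone = NULL, erased_at = ? WHERE id = ?",
                (f"erased-{contact_id}@invalid", stamp, contact_id))
            action = "anonymised"
        conn.execute("INSERT OR IGNORE INTO suppression(email_mac, added_at) VALUES (?, ?)",
                     (email_mac(email), stamp))
    return {"action": action, "orders_retained": n_orders}


def pii_remaining(conn: sqlite3.Connection, *needles: str) -> int:
    """Post-erasure check: count contact rows still carrying any of the given values."""
    count = 0
    for needle in needles:
        count += conn.execute(
            "SELECT COUNT(*) FROM contacts WHERE email = ? OR name = ? OR phone = ?",
            (needle, needle, needle)).fetchone()[0]
    return count
```

Run `erase_contact(open_demo_db(), "mary@example.com")` and the two order rows remain attached to contact 1, whose email, name and phone are gone; `pii_remaining` is the check you would run before closing the request, and `is_suppressed` is the check your import and send jobs should run before touching an address.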


GDPR states that organisations should ensure they have “sufficient guarantees to implement appropriate technical and organisational measures” to meet the GDPR’s standards and protect the rights of individuals (Article 28(1), on choosing processors such as your MAS vendor), and Article 32 requires security appropriate to the risk for the processing you do yourself.

Suffice to say, if you go through all the steps above and end up with a breach because you’ve got a former employee operating with malice who can still access the system, or you’ve left your system open to the wrong type of person, then all this process work will be in vain.

  • If you’re running your MAS on a private cloud or your own servers, make sure every connection to it – the admin interface, the API and the login page in particular – runs over TLS (HTTPS), so credentials and session cookies never cross the network in the clear.
  • On your website, if you’re running forms and landing pages, a TLS certificate (i.e. serving them over HTTPS) becomes an absolute necessity; a consent form submitted over plain HTTP can be read or altered in transit.
  • Audit your users: run through who has access to the system. Get rid of anyone who doesn’t need daily access to your system and make sure you have a formal process for users to request access and for it to be granted, with access being on a time limited basis where relevant, and revoked the day someone leaves.
  • If your system supports it, consider forcing users to use strong, unique passwords. Train your people on basics like using credentials different to other systems such as your website CMS and social media management tools. You might want to consider supporting employees’ use of password managers as a matter of course.
  • Two factor authentication – again if your system supports it, consider a verification step where a code is sent via phone or SMS to the user, or better, generated by an authenticator app or hardware key (SMS codes can be intercepted or redirected, which is why NIST now discourages them). It provides that additional security step.

Technology key takeaways

  • Review which tools you are using to collect and store personal data about individuals who engage with you online. Set a data retention schedule if you can, and make this clear to users.
  • Make sure you have an accessible privacy policy on your website which states which cookies and tools you use to collect and process personal data, why you use them, and data retention schedules where appropriate.
  • If you are using a marketing automation system:
    • Ensure that any landing pages have a compliant consent tick-box, and any workflows are not automatically opting-in form fills to any lists.
    • Check your MAS supports data deletion. If it doesn’t, think about getting one that does.
    • Review security around your MAS. Things to bear in mind include cloud hosting, TLS/HTTPS (for the system itself and for landing pages, etc that sit on your domain), user access and two factor authentication.
  • Get ready to chuck all of the above out the window when ePrivacy is finalised and enforced.

...And beyond

ePrivacy Regulation

“I’ve just read over 5000 words about GDPR. What more could the EU want to throw at us?” A-ha. Well. Enter the ePrivacy Regulation.

The draft ePrivacy Regulation is set to replace the ePrivacy Directive 2002/58/EC. We’ll then be dealing with a regulation rather than a directive. In the same style as GDPR, it’s applicable and enforceable in every member state and it’s again trying to bring harmony across the region regarding how consent, data and privacy is managed.

To avoid tipping this page into overdrive, and because the legislation is still in draft form, for now, we’ll link you to our blog post on this topic:


Once we know more about ePrivacy and everything becomes more concrete, we will update this page. Watch this space for more digital marketing and data processing fun.