What Every Online Marketer Needs to Know about the EU’s GDPR

On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) goes into effect. The GDPR will have an enormous impact on marketing practices in 2018 as it affects nearly every aspect of online marketing. This sweeping regulation updates data privacy laws originally enacted in 1995 by requiring companies to be more transparent about how personal data on EU citizens is collected, stored, and used.

It also provides end users (“data subjects” in GDPR lingo) with something like an online Bill of Rights. Some of the rights for end users include:

  • Breach notification within 72 hours
  • Right to access the data companies have collected on them
  • Right to be forgotten
  • Privacy by design

The GDPR is a huge step forward for consumer privacy because it transforms the way an end user’s data is collected and used. It’s little wonder the changes are so vast: the last few years are littered with stories of data breaches, and perhaps none is as egregious as Yahoo’s. After its systems were breached in 2013, it took Yahoo over three years to disclose that 3 billion accounts had been compromised. Yahoo customers had little control over their data.

But the GDPR isn’t solely concerned with breaches; it’s more concerned with shifting power back to the end users to help them regain control over their own personal data.

How the GDPR Affects Your Business

While the regulations originated in the European Union, one of the most significant changes to the 1995 regulations is that they can now apply to any company that handles the personal data of an EU citizen. Even if your business isn’t located in the EU, any infringements can result in serious penalties, including fines of £20 million or 4% of annual turnover (whichever is greater). To be compliant with the new rules, companies need to proactively make changes before the deadline.

What sort of changes are afoot?

First, it must be easy for customers to ascertain what companies are doing with personal data. No more complicated legalese in end user agreements. Companies will need to be upfront with how data is stored and used when they ask for permission—and they must ask for permission. “Data processors,” the companies that use the personal data, must also make it “as easy to withdraw consent as it is to give it.”

The GDPR defines personal data as anything that can be used to directly or indirectly identify a person. This covers anything from a name, a photo, an email address, or bank details to posts on social networking websites, medical information, or a computer address. Even indirect information, such as user names and IP addresses, is subject to the new regulations.


These new regulations also mean that practices such as profiling need to be done with the utmost care.

Profiling allows companies to create targeted advertisements based on information such as buying habits, browsing history, and location data. Such practices won’t go away, but there needs to be extreme transparency on the part of the companies who use the information and the analytics companies who process the data. That means you not only have to ensure your company is compliant, but that the analytics companies you use are also compliant.

U.S.-Based Companies

Non-EU companies aren’t subject to the regulations if they don’t specifically target EU countries and citizens. For instance, an EU citizen who stumbles onto a U.S. company’s website won’t be protected by the GDPR, but accommodations such as custom domain suffixes (.fr instead of .com) suggest targeting. In the latter case, the company’s data policies would be subject to the GDPR. Companies with any EU-based customers or marketing are better off following the guidelines set down by the GDPR.

Data Ethics Can Help You Stand Apart

At Ambitny, we’re long-time advocates for ethical data use. The GDPR puts into law some of the best practices we recommend to our clients. One of these practices is ensuring that data gathering protects the privacy of the end user over the use of the data itself.

We also believe data-based digital marketing techniques need to be done from the customer’s perspective to foster trust between companies and end users. As we wrote last year:

Whether it’s sending Facebook ads that match a customer’s recent status update or issuing “abandoned cart” email reminders without individuals requesting such communications, these techniques can feel invasive.

Such techniques may create opportunities for growth, but you also risk alienating your users.

The GDPR has exposed the small number of companies that actually approach data use from the customer’s perspective. As of Nov. 2017, only 6% of IT professionals in North America felt prepared for the GDPR to take effect, according to eMarketer. Contrast that with findings from identity management company Gigya last year that show nearly 7 out of 10 people are concerned about how companies use their personal data.

By addressing the changes required by the GDPR, you not only minimize your risk, but you gain a way to stand out from your competitors. If you adopt transparent data practices and give consumers control over their data again, you’ll be addressing a critical concern of your consumer base.


Overall, the GDPR will help ensure that personal data belongs to the customer, not the company. This shift may be burdensome (especially at first), but we believe it will have positive effects for compliant businesses.

Helpful Resources on the GDPR

Direct Marketing Association (DMA) article discussing profiling under the GDPR: https://dma.org.uk/article/what-exactly-is-profiling-under-the-gdpr