GDPR – 20 questions every marketer is asking

April 11, 2018

You’ve read the articles, done the training, joined the webinars, but, flip! GDPR is like a wild animal that refuses to be tamed – you still have questions and not enough answers.

Don’t worry, me too.

So I’ve scoured the land and found a GDPR expert who was kindly able to chat.

Thank you to freelance specialist Andrew Brenton for taking the time to answer my questions, for highlighting the opportunities that GDPR offers marketers and copywriters, and for explaining why unfortunately GDPR doesn’t mean the end of those irritating street sign captchas (God, how I HATE them!).

We’ve had plenty of warning, so why so many people and companies struggling with the GDPR?

They’re struggling because they don’t know where to start. There’s a lot out there, but not a lot of clear guidance, which makes it pretty overwhelming. There’s lots of information on the Information Commissioner’s Office (ICO) website, but it’s not very readable unfortunately.

There are lots of scare tactics going on, and lots of incorrect information. There’s an image of GDPR being this mystical thing that’s horrendously complicated, but it is, in fact, very straightforward. Come 25 May, as long as people are doing something, they’re probably going to be ok.

Broadly speaking, what’s needed?

Mainly new documentation – a privacy policy, documents to do with data subjects’ rights, notification processes for when something happens (rather than if), notices of processing –  ie telling people what data you have, why you have it, and how long you’re keeping it for.

Marketers also need to get their consent-based marketing sorted out.

Are there templates you can recommend we can use?

The Federation of Small Businesses has downloadable templates. The business section on Simply-Docs is also useful for GDPR, and at £35 a year is a good resource.

Some are a bit wordy – Google is your friend with this one.

Let’s talk consent then. What does ‘unambiguous and freely given’ consent mean?

Unambiguous means if you want someone to sign up for your newsletter then it is only that. If you are offering a whitepaper to download you can’t say “you have to sign up for my newsletter as well”.

Every newsletter then has to have unsubscribe link, so consent is as easy to remove as to give.

But opting in has to be 2-stage – a double opt-in. Asking them just to check a tick box makes it hard to evidence that consent was freely given and unambiguous. You need to be able to demonstrate consent to the ICO if they ask you.

But if you then also have the option to download a white paper, you’re going to end up with lots of different lists, aren’t you?

Instead you should let them download the white paper direct – because you can’t email them again anyway after that.

Really your website copy should be enticing enough to make them want to do business with you anyway! In a way, the GDPR will make marketing people work smarter not harder.

What about straightforward contact forms, where you’re not going to be marketing?

Whenever people fill form in, you have to tell them what it’s for and what you’re going to do with the data. For example, “The data on this form will be used to answer this enquiry. I’ll store it on CRM system, I’ll keep it as long as we’re exploring options, I do this on the legitimate interest of promoting my business.”

Article 13 on GDPR tells you everything you have to tell a client. You can condense this into bullet points then link that to a full notice, including a link to the ICO. You have to tell them their rights and how they can make a complaint. If you use Cookies, you need to add a Cookie statement to your privacy policy.

Sounds dry

True, most data protection notices are full of jargon and a wall of text, but now they HAVE to be put into simple language and be conversational. The two founding principles of GDPR are transparency and accountability, which means there’s a huge opportunity here for clear writing, which is something most people are missing.

Keep asking yourself “Am I being transparent and accountable?” You’ve got to take ownership and demonstrate the chain of custody of information all the way through the process. People are trying to look for ways of getting around it, but this is only going to get them into trouble.

Are you allowed to be humorous at the opt-in stage anymore? For example, by adding a final, fun-based question such as ‘What’s your favourite Quentin Tarantino film?’

Yes, if you really want to be humorous – go right ahead! As long as the required privacy information is clear and simple, the rest of the form can be as quirky as you like.

There’s no reason for websites to become stuffy – there’s no law against being funny – as long as the information is clear. I did hear a member of the ICO laugh once!

Let’s talk ‘legitimate interest’ then. What is it?!

If you have any form of relationship with a client, ie, they’ve filled in enquiry form, then you can use legitimate interest, but you have to demonstrate how your interest is legitimate.

If you do not have a relationship with them, for example you’re at a conference or trade show and you’re writing peoples’ names down, or taking their business cards, then your interest isn’t legitimate. If you market to them afterwards – you’re actually breaking current laws – as well as GDPR.

So no more prize draws at events then?

Correct. You can’t have a goldfish bowl at an event giving people the chance to win a bottle of champagne if they hand over their card.

Well you can, but you can’t do anything with the email addresses afterwards. You can email the person who won, because you have an implied contract to do that, but there’s no consent been given by any of the other people, so there’s no contract.

If you said ‘By putting your card in this box you are agreeing to being sent a newsletter by us’, or something specific, that’s ok, but you have to email them afterwards to confirm this, asking them to opt in, thereby demonstrating their consent, but you can’t use a prize in connection with this. A bit like the whitepaper scenario on the website.

It’s not just about having consent, it’s about proving it. You have to be able to demonstrate that you sent an email afterwards and gained a double opt in.

What about historic data – do companies now have to re-email people who might only have opted in once, to achieve a ‘double opt-in’?

The GDPR states that any consent must be able to be evidenced and must have been obtained in a GDPR compliant manner. In short, probably yes, a re-consent will be required. This needs to be done before May 25th and must be compliant with the current Privacy and Electronic Communications Rules (PECR).

FlyBe and Honda were both recently fined £80k between them because they decided in advance of GDPR to obtain consent from their existing list, but they emailed everyone by mistake – including people who’d previously unsubscribed – so the ICO fined them. You only need to do this where you’re marketing. If they’re clients because they’ve bought something from you, or they’re in a contract with you, that’s ok.

So, from a marketing point of view, legitimate interest/consent only concerns prospects?

Yes, the minute you’ve had a conversation or dialogue with someone, you’re not relying on consent, but you have to tell them you’ve moved them to a new legal basis and give them all the relevant information that is required. This is the most complicated part of the whole thing.

For example, by giving someone your business card, you can’t prove your relationship with that data subject. You can’t say “We’re having a chat”.

If you fully understand legitimate interest you will be a marketer among marketers.

In terms of content marketing, these changes seem like a good thing – in that they provide an opportunity for the provider to deliver on the promise made at opt-in stage by repeatedly providing high-quality, specific and relevant content. Would you agree?

Yes, it’s a good thing if people stick to it. Who likes companies who spam you, who say they’ll do one thing and send another, who write an article with a header saying they’re going to answer a question and then fail to?

At the moment I find a lot companies are doing that and breaking the rules, which means that companies who don’t will be more trusted.

In that sense it’s an opportunity. If you’re loud and proud about data protection, and make it clear to customers that you look after their data, that you’re not afraid to show them how they can complain, most people are ok with that – who wants to do business with a company who isn’t not sticking to the rules, or who doesn’t care?

Is the requirement to have a HTTPS padlock security symbol on a website also part of GDPR or is that an urban myth?!

It’s an urban myth although the GDPR makes an oblique reference to it by saying that technical protection should be ‘appropriate’, so I would do this. There are other reasons for doing so however, including the fact that Google will rank a non-secure site (‘http’) lower in its results than a secure one (‘https’).

Does GDPR mean an end to those ‘I’m not a robot’ captchas? The road sign ones are really hard!

Sorry, you are going to need to work out the road signs – and which pieces are actually signs and which are in fact just leaves from a tree – it is not a requirement of GDPR, but they may still be used to prove you are a human!

People used captchas because of being spammed by automatic robots who know how to fill forms in – particularly on blogs that automatically allow comments – best thing to do is prevent automatic comments from being added.

What are people struggling with most?

Lots of people are scrambling to solve the issues of third party providers such as their accountancy or payroll provider or CRM database – they have to be GDPR compliant, or you will bear the responsibility if the ICO come after you. If they’re not based in UK, they need to be part of something like Privacy Shield or have the correct clauses in the contract to protect the data subjects’ privacy.

But it’s legitimate interest that’s causing the most headaches.

Is it too late?

It’s never too late to start – it’s a bit like paying your tax bill – if you’ve started, you’ve got some defence. If you’ve done nothing, you won’t be looked on so kindly.

Do all companies need a consultant?

It’s worth getting a consultant in to see what you need to do – we do a gap analysis of what personal information is floating round in an organisation, and apply this to a GDPR framework, and see where gaps are. Most companies don’t actually have to do that much, but what they do have to do is time consuming.

Any parting advice for us?

Don’t panic! You do have to do something, you can’t not do anything, but as long as you’re trying, you’ll probably be OK.


Andrew is a freelance consultant specialising in data protection and information security. He works with businesses of all sizes and sectors from telecoms, health provision, financial institutions and manufacturing services to radio and media organisations, helping them to become GDPR compliant. Find out more at

Main image: Fabian Moller 

April 11, 2018

Grab your freebie

    Join my email list and get monthly tips to keep your marketing on track.

    I agree to Faith's privacy policy