Marketing Implications of the New EU General Data Protection Regulation (GDPR)

Marketing Implications of the New EU General Data Protection Regulation (GDPR)
June 16 16:09 2015 Print This Article

GDPR Summary – Part 1 – On your marks, get set, go!

Ready for GDPR | Data Protection in the EUCompanies and organisations that use data at the centre of their sales and marketing activities – and that’s just about everyone reading this blog – will be impacted by the forthcoming EU General Data Protection Regulation (GDPR).

Yesterday (Monday 15 June), the European Council of Ministers gave its strongest signal yet that it was prepared to negotiate the detail of the GDPR with the European Parliament in order to try and reach agreement by the end of 2015.

Agreement between the European Parliament, Council of Ministers and European Commission now looks like a distinct possibility in November/December 2015 after which there’ll be a two-year transition period before sanctions begin to bite.

However, as the blogosphere went into overdrive, many critics were sceptical that this could be achieved in a 6-month time frame given that both sides will need to reach agreement on a wide range of data protection and privacy issues. However, what most commentators forgot to mention was that parties preparing to enter into an agreement (of any sort) need to be prepared to compromise – so as they say, where there’s a will, there’s a way!

How the GDPR fits into an overall framework of changes within the European Union

EU Charter of Fundamental Rights

The Charter is an important development as it’s the first formal EU document to combine and declare all the values and fundamental rights (economic and social as well as civil and political) to which EU citizens should be entitled. The main aim of the Charter is to make these rights more visible. It is important to note that the Charter doesn’t establish new rights but assembles existing rights that were previously scattered over a range of international sources. Now that the national courts and Court of Justice of the European Union (CJEU) have to consider the Charter it can be used to assist in cases where EU law is in issue and clearly GDPR needs to be seen within this context.

The Digital Single Market

A couple of weeks’ ago the EU outlined its strategy to create a digital single market. The thrust of the proposals included establishing standard rules for buying goods online, pruning cross-border regulations on telecoms and reducing the tax burden on business. The plan also calls for a “comprehensive assessment” of whether Facebook, Google and other internet platforms distort competition (aside from posing significant data protection and privacy risks).

EU Commission President Claude Juncker has promised to transform the EU single market for the digital age by removing regulatory walls, moving away from 28 national markets to a single one and generating €415 bn ($468 bn) a year for the European economy as well as creating 3.8m new jobs.

The call for reform isn’t simply politically motivated – many businesses from within and outside of the EU have been pressing for reform in order to compete across a level playing field rather than risk facing fines and penalties across 28 Member States that pursue their own competition, data protection, privacy laws and regulations.

It’s against this backdrop that GDPR is the final piece of the jigsaw that will create a very different picture of the European Union than exists at present.

What’s the big stuff that’s of relevance for marketers?

This can be summarised as:

  • Putting individuals back in control of their own data
  • Portability of data
  • Breach notification
  • More effective supervision and enforcement
  • One-Stop Shop

Putting individuals back in control of their own data

This includes moves for explicit consent required for the use of data, the so-called ‘right to be forgotten’ and powers to take legal action against organisations that don’t respect these rights by complaining to the supervisory authority rather than going through the court system.
Portability of data

This is essentially about allowing users to extract in a structured format personal data from service providers and to move that personal data to another provider. This idea stems from what happens in the mobile telecoms sector and it’s about giving more say to individuals to decide what happens to their data in practice and being able to effectively make a choice in the market.

According to the European Commission this measure lowers the barriers to entry in particular to those markets which are currently dominated by very few big players.

Breach notification

In this area, the European Commission has studied in detail what some States in the USA have adopted in terms of data breach notifications and are convinced of the case for a federal approach across the EU.

This approach is consistent with what’s known as ‘protection of privacy by design’ which means it’s about marketers investing in good data protection practice and methods as early and as upstream as possible in the provision of goods and services.

More effective supervision and enforcement

The new emphasis on supervision and enforcement placed by the European Commission reflects the transition from an ex-ante to an ex-post data protection and privacy system.

Data protection and data breaches have become much more serious and relevant and currently within the EU there isn’t a credible set of enforcement rules and sufficiently dissuasive sanctions.

In fact, it’s very fragmented, where some countries have power to impose financial penalties and some countries don’t appear to have that power.

The change in supervision and enforcement draws from the experience of competition law. The level of fines – up to 5% of global turnover or €100m whichever is the greater is a maximum and will be applicable to the most serious violations of GDPR where the principles of proportionality will apply and this includes the impact of a data breach on users.

From a marketing and PR perspective, any breach carries the risk of damage to a company or organisation’s reputation so marketers must ensure that all data that is being used in marketing activities complies with the GDPR.

One-Stop Shop

This is making it easier for citizens within the EU to complain about infringement of their data protection and privacy rights under GDPR. However, not everyone in the EU likes this and the Council of Ministers in particular aren’t keen but they could be won over to back this change as it’s a centrepiece of GDPR as drafted by the European Parliament.

The way it works:

  • when the decision involve measures to be taken vis-a-vis the control of the processor, the imposition of a fine, injunction or to put an end to certain processes, then that decision is jointly agreed and will be formally adopted by the Data Protection Authority (DPA )of the main establishment
  • when the jointly agreed decision has a negative impact on the individual by rejecting their complaint, it will be adopted by the local DPA and in that way it ensures that the decision can be challenged before a domestic court of the complainant.
  • where the local DPA isn’t able to reach agreement with DPA for the main establishment, then the matter will be referred to European Data Protection Board (EDPB) and that decision will be binding on all parties. According to the European Commission this is a legally more robust position under the Fundamental Rights Charter perspective.

Practical stuff for you to consider doing NOW

Don’t sit on your hands and adopt a ‘wait and see’ approach.

Imagine you’re a company and the data controller. You know that once the GDPR is approved, you’ll have a two-year grace period in order to ensure that all data protection and security procedures comply with the principles of the EU Regulation.

However, two years is a shorter period of time compared with the average length of most business and marketing contracts so the implications of the GDPR take effect not in some distance point in time but from TODAY.

For example, all contact renewals and new contacts that entail personal data transfer or processing will need to have a clause in them that effectively says that once the new EU Regulation is passed, the third party has to supply to you within a set time frame its plans to become compliant with the GDPR.

Furthermore, you might need to re-negotiate the third party contract based upon those plans, due to cost and liability issues.

For example, we know there’ll be a statutory requirement to declare a data breach within a very short time frame, so the third party will need a formal process to tell you that they believe there’s a breach and this is what you have to report.

Timescales are short because it’s a two company process. But who’s responsible if the deadline isn’t met?

The answer is simple – it’s you as the data controller!

What penalties do you accept, and what do you pass onto the third party in such circumstances?

This can only be done if it’s provided for in the contracts that you are entering today that have more than a two-year shelf life. Imagine if a data processor has a single data breach but the data is on multiple records. The fine will not be for one breach, but multiple breaches under the GDPR.

Original article published here.

Marketing Implications of the New EU General Data Protection Regulation (GDPR) – Part two.

view more articles

About Article Author

GDPR Associates
GDPR Associates

View More Articles
write a comment


  1. buckoctoman
    August 15, 05:55 #1 buckoctoman

    It’s hard to come by educated people for this topic, however,
    you sound like you know what you’re talking about! Thanks

    Reply to this comment
  2. laurelwelsh
    August 20, 06:10 #2 laurelwelsh

    Ⲛormally I dⲟn’t learn article on blogs, ƅut I would
    like to say that this wrіte-up pressured me to take a ⅼоok
    at and ԁo it! Your writing style һaѕ been surprised
    me. Ƭhank you, quitе nice article.

    Reply to this comment
  3. tamelawhitely
    August 20, 06:47 #3 tamelawhitely

    Hiya very cool blog!! Man .. Beautiful .. Superb ..
    I will bookmark your site and take the feeds additionally?
    I am happy to find a lot of helpful info right here in the put up, we need work out extra techniques in this regard, thanks for sharing.

    . . . . .

    Reply to this comment
  4. Ezra
    August 22, 09:46 #4 Ezra

    Simply wish to say your article is as astonishing.
    The clarity on your put up is just spectacular and i can suppose you are an expert on this subject.
    Well along with your permission allow me to grasp your RSS feed to stay up
    to date with imminent post. Thanks 1,000,000 and
    please continue the gratifying work.

    Reply to this comment
  5. groverloureiro
    September 01, 11:55 #5 groverloureiro

    Aw, tһis was аn extremeⅼy gоod post. Taking a feѡ minutes and actual effort to make a really good article…

    Reply to this comment
  6. tracy_hartford
    September 07, 05:52 #6 tracy_hartford

    I do consider all the ideas you’ve offered for your post.

    They’re very convincing and will definitely work.
    Still, the posts are very short for starters. Could you please prolong them a bit from next
    time? Thanks for the post.

    Reply to this comment
  7. victoriabeamont
    September 09, 10:24 #7 victoriabeamont

    І really like yoᥙr blog

    Reply to this comment
  8. robtoberg
    September 17, 09:21 #8 robtoberg

    Аw, this was a verү niсe post. Taking the
    time and actual effort to creɑte a top notch article…

    Reply to this comment
  9. christelcullen
    September 18, 06:10 #9 christelcullen

    Hi there, I enjoy reading all of your article post.

    I like to write a little comment to support you.

    Reply to this comment
  10. harleycolebe
    September 20, 17:25 #10 harleycolebe

    I think that іs one of the m᧐st important information fоr me.
    And i am glad reading your article. But should commentary on few basic thingѕ,
    Thе website taste is pеrfect, the articles is actually nice :
    D. Just right task, cheers

    Reply to this comment
  11. mozellecamidge
    September 20, 19:40 #11 mozellecamidge

    Thanks for yⲟur personal marvelous posting! I seriously enjoyed reading
    it, you could be a ɡreat author. I wilⅼ make sure to bookmarк your blog
    and may come back in the foreseeable future.
    I want to encourage you tо definitely continue your great posts, have a nice afternoon!

    Reply to this comment
  12. corneliusmcfarland
    September 23, 15:43 #12 corneliusmcfarland

    I really like it whenever people get together
    and share opinions. Great website, continue the good work!

    Reply to this comment
  13. gilbertmulley
    September 24, 18:21 #13 gilbertmulley

    This web site really has all the information I wanted concerning this subject
    and didn’t know who to ask.

    Reply to this comment
  14. rolandostephen
    October 06, 00:18 #14 rolandostephen

    Your style is really unique in comparison to other people I have read stuff from.
    Thank you for posting when you have the opportunity, Guess I’ll just bookmark this page.

    Reply to this comment
  15. sonyatipper
    October 12, 18:14 #15 sonyatipper

    Hi mates, іts great paragraph concerning culture and
    fuⅼly defined, keep it up all the time.

    Reply to this comment

Add a Comment

Your data will be safe! Your e-mail address will not be published. Also other data will not be shared with third person.
All fields are required.