The European Union’s General Data Protection Regulation taking effect in May will require all companies, not just European ones, to rethink their marketing programs in Europe.

Jane Dixon, senior director, GDPR Compliance & Consulting Services, SmartFocus

Jane Dixon, senior director, GDPR Compliance & Consulting Services, SmartFocus

With the tricky holiday sales period behind us, retailers, service providers, manufacturers and marketers across the U.S .will be thinking not only about growth, but also about the looming business challenges in the months ahead.

One such challenge comes in the form of new legislation, not from Capitol Hill, but rather from Europe. The European Union (EU) is harmonizing its laws regarding data collection, retention, use, disclosure and deletion. Known as the General Data Protection Regulation (GDPR), it has far-reaching implications for any organization or professional that relies on personal data such as names, addresses, contact information, payment methods, IP addresses and anything else that can be used to identify an individual and interact with them.

From May 25, 2018, any organization holding and using data relating to any citizens of an EU country—including the UK, even though it is in the process of leaving the EU—will be subject to strict rules and harsh financial penalties for non-compliance. These rules apply to all organizations globally, not just European companies, making GDPR one of the most globally impactful pieces of law since Sarbanes Oxley. With online retail being a global opportunity, the chances that a North American business has exposure to GDPR are high. Even if it’s something seemingly harmless like a newsletter registration and email address.

Any existing data collected from EU citizens using automatic opt-in or pre-filled boxes, needs to be revisited.

The introduction of the GDPR will shape how marketers, especially those in retail, go about collecting, using, storing and recertifying international data sources. To ensure day one and ongoing compliance, organizations need to make a few important changes now. Doing so will mitigate the amount of work needed to deal with GDPR on an on-going basis.


Getting data into a compliant state

The primary short-term aim between now and May should be to get existing data sources and existing data collection mechanisms clean and compliant:

  • Decide and document how you are going to communicate with your key audience segments going forward; the channels you’ll use, how you will segment and target your audiences, and how you’ll personalize the messages and offers. This will determine what permissions you need from them
  • Are you collecting the right data points? Consider whether you are gathering and retaining unnecessary information and, if so, stop it and purge it
  • Update your privacy policies now to reflect the GDPR-related data handling changes you are making

The GDPR is comprised of 99 Articles that lay out strict requirements for different aspects of data security, retention, collection and disposal. It also has a very broad definition of what constitutes personal data and personal identifiable information (PII). It also contains new and clarified rights for EU citizens regarding their information. These include Article 17 (the right to be forgotten) and Article 21 (the right to object).

As marketers, GDPR presents a genuine challenge from afar to our business needs. We want to use data to create a better customer experience, as well as sell our wares effectively. However, we now need to do that in a way that does not leave us exposed to the EU’s legal framework.

Data privacy and consent


Ensuring your organization has the right to hold and use PII in the GDPR age starts with the issue of consent.

For instance, any existing data collected from EU citizens using automatic opt-in or pre-filled boxes, needs to be revisited. These individuals need to be contacted and asked to recertify permission, so they are knowingly giving consent for the continued use of their information.

The GDPR breaks out responsibility for protecting data into two roles: controllers and processors—and says that both parties are liable for upholding data subject’s rights. In some cases, you can be both a controller and processor; or a controller that has multiple processors. Understand the GDPR definitions and get the advice of your legal team.

For most retail marketers, the aspects where you are likely a processor will be contractual—Article 6 (in relation to the sale of goods or services), consent—Article 7 (opting in to marketing communications) and legitimate interests—Articles 6, 7 and 29 (the benefit inherent in processing PII for that company itself or perhaps for wider society).

Different grounds may be better aligned with different types of personal data. For example, legitimate interests with web tracking to drive personalization, consent for marketing communications and contractual for transactional messaging. In evaluating the different legal basis for each data type, consider the rights of the individual. Also, consider that they might exercise their GDPR-protected right to withdraw consent for you to hold and/or process their data. If that happens, how do they tell you and do you have the capability to actually comply?


EU citizen data rights should be documented in an updated privacy policy and made accessible at key points throughout the digital customer journey, such as at the checkout, profile registration and address book.

Capitalizing on the calm before the storm to tackle GDPR
Ensure that any new customers or prospects you engage with in the coming quarter give you marketing permission. Log where that permission was acquired (for example, a website pop-up, initial registration, or delivery/billing details page of the checkout process) to ensure it was collected alongside an opportunity to see your revised privacy policy (another GDPR requirement). Doing this will provide you with a robust defense if someone challenges your use of data or your collection processes.

Refreshing data and consent does not need to get in the way of making sales, especially if you do it as part of the normal customer purchase process or as part of a newsletter reconfirmation campaign. As a case in point, we are already helping clients to develop post-purchase systems that not only enable upselling and cross-selling of goods and services but can also engage customers to confirm (or reconfirm) their marketing preferences and details seamlessly as part of the sales process.

U.S. retailers need to take the GDPR seriously now, to ensure a hassle-free remainder of 2018 once the regulation comes into force.

SmartFocus is an international digital marketing technology and service provider.