If you work in marketing and deal with the personal data of your customers, you have most likely heard something about the GDPR.

GDPR stands for General Data Protection Regulation. It is a European law, which came into effect in April 2016, that sets out how the personal data of EU data subjects must be treated, and how you must treat personal data when your business is established in the EU. There has been a two-year grace period and the law will be enforced from May 2018 onwards.

The first question anyone has is ‘does this apply to me / my business / my department / my leads database?’ If you are based in the EU or if you are working with people in the EU, the answer is yes. That also holds if you are a B2B business: after all, myname@company.com relates to a person and is therefore personal data as well.



There is a lot of scaremongering out there, and we’re here to help you understand what’s what and make sense of the legislation. First of all, take a breath. All is not lost and you’ll still be able to run marketing campaigns under the GDPR. What you cannot do anymore is gather personal details such as email addresses without consent and send people unrelated emails. And let’s be honest, how well do those spam messages really work for you? The GDPR makes us communicate openly and clearly with our audiences and only send them information which they have opted in to receive, or information that is closely related to a service or product they have already purchased from you.




That leads us right to the main principles of the GDPR:

  1. Processing has to be lawful, fair and transparent.
     - Lawful: according to EU law and the EU Convention on Human Rights.
     - Transparent: your intended audience should understand it.
  2. Limit processing to the original purpose.
  3. Don’t collect more data than you need.
  4. Data should be accurate.
  5. Only keep data as long as you need it (and explain this to your data subjects).
  6. Make sure you keep the data secure and your browser history clear.
  7. Accountability: take responsibility and be able to demonstrate compliance.

The GDPR also comes with a set of rights for your data subjects, the people whose data you are processing. They have the right to:

  - Access
  - Rectification
  - Limitation of processing
  - Portability of data they have provided themselves

If you understand these principles and rights and solve for them in your organization you’re well on your way towards GDPR compliance.


What is personal data / sensitive data?

All this ‘data’ we keep talking about: what do we consider data under the GDPR? The legislation provides us with a definition. Personal data is any information relating to an identified or identifiable natural person. That means that any information that relates to me (my name, address, email address, Twitter handle, phone number and, in certain cases, my job title) is personal data.

In certain cases, if a business is a sole trader or if a person can be directly identified based on business information, information about this business should be viewed as personal data. The trick here is to understand the different types of business forms across Europe. Which types of business are equal to a natural person and which aren’t? Err on the safe side, just in case.

The GDPR makes a special mention of sensitive data, or special categories of data. This can be data that reveals race, political opinions, beliefs or trade union membership; data concerning health, sex life or sexual orientation; data relating to criminal convictions, offences or security data; and finally, genetic and biometric data. You might be relieved that you aren’t collecting any of this. Or are you? Biometric data can be something as simple as a photograph with a person’s face on it. It’s more than likely that you’re processing images as a business and that you are even sharing these images for marketing purposes.


Wait, an image is personal data?

The short answer is: it can be. Under the GDPR’s definition of personal data, the image needs to allow you to identify a person. A passport-style picture is always personal data, as are some images used as profile pictures on social media networks. But even if a photo shows not an (entire) face but, for example, a clearly recognizable tattoo, it might still be considered personal data.


So you are processing images of your data subjects, your employees or your customers. What should you do? First of all, remember the accountability principle of the GDPR. You should always make sure privacy is part of every business process. Clearly communicate your privacy policy to everyone involved with your business and, finally, obtain consent. Consent should be freely given and explicit, and it can’t be part of any other contract. So if you would like to take photos of employees at an event, or share a photo of a customer with a case study, you should make sure they know how you are planning to use these images and record their consent.


What about ePrivacy?

One of the myths around the GDPR is that it is the only thing you should worry about when it comes to privacy. Some marketers are forgetting another piece of European legislation, the PECR or the ePrivacy directive from 2002. The tricky issue with this directive is that it isn’t a law but a, you guessed it, directive. It means that the EU has proposed a set of guidelines and every European country has made its own ePrivacy laws. For a marketer, this is bad news, as you have to know which laws apply. A lot of marketers who deal with contacts in multiple countries would look at the country with the stricter set of rules to stay on the safe side: Germany. However, this does create extra and perhaps unnecessary hurdles for you.

The good news is that the PECR will be updated sometime in 2018 to align with the GDPR. Better still, this update will actually turn the directive into a regulation. Similarly to the GDPR, there will then be one set of rules to comply with across Europe.



If you aren’t quite sure about what rules are laid out in the PECR, it’s worth looking into them. Even though there might be changes this year, the basic principles aren’t likely to change: you’ll still have to give notice of cookie tracking, and you’re still required to get opt-in before you email someone. The important takeaway is that a basic understanding of both the GDPR and the PECR is important for every marketer out there who wants to continue to build successful campaigns in 2018.


We highly recommend for every marketer to have a look at the actual legislation because it’s so hard to determine which information out there is accurate. At BusinessBrew we’ve become ISO certified in order to help marketers understand the privacy laws that apply to our jobs. If you’d like to know more about how to run successful and compliant campaigns in 2018, have a look at our online GDPR course for marketers.


About Nikita

Nikita Smits-Jørgensen is a co-founder of inbound marketing and GDPR consultancy BusinessBrew. While being ISO certified in privacy regulations for sales and marketing (GDPR / PECR), she aims to work with marketers in plain English to get GDPR-ready.

Nikita met fellow BusinessBrew founder Evelyn Wolf during their tenure at inbound marketing powerhouse HubSpot where they assisted businesses of all sizes and industries as well as marketing agencies in building their lead to customer generation funnels.

BusinessBrew is geared to help companies make the most out of their inbound marketing and privacy efforts in the most time and cost-efficient manner through workshops, training and the delivery of strategic playbooks.

BusinessBrew have created 10 myth-busting videos about GDPR, view the full series here.
