This piece was originally published on, along with 10 other data and marketing experts sharing their advice regarding the upcoming EU General Data Protection Regulation (GDPR), which comes into enforcement on May 25th.

How to handle GDPR with grace – Email & Beyond

GDPR governs data associated with European residents, including citizens of other countries who reside in the European Union, and upholds the rights of individuals, chiefly the right to access their data. It also covers having inaccuracies corrected, erasing irrelevant information, putting an end to (unsolicited) direct marketing, and preventing automated decision-making and profiling. You need to ensure that your procedures protect all the rights individuals have, including how you would delete personal data.

Check your policies and procedures thoroughly, and make sure you have a plan for when someone asks to have their personal data deleted. This includes conventional data collection, such as paper print-outs or an unusual electronic format; revise your procedures wherever changes are needed. Ask questions about your business such as:

  • Are my systems able to easily locate and delete the data?
  • Who will make the decisions about data deletion?
  • Who needs to be involved in data access?

Myth: GDPR is just a European regulation, and if I’m residing outside the EU, it doesn’t affect me.

There is a lack of awareness among marketers in the U.S. and other non-European countries, particularly at companies that don’t do business or have customers in the EU. GDPR is NOT just a European regulation. In fact, any company that collects EU citizens’ data, such as email addresses, without gathering residential information risks violating the GDPR after May 25th, 2018. It is advisable to work with your legal counsel and build the systems required to become GDPR compliant.

When GDPR takes effect on May 25, companies will need consent or a legitimate interest to process a European citizen’s data.

GDPR – Mistakes to Avoid

Take note of the two terms referred to in GDPR, ‘consent’ and ‘explicit consent’, although the difference between the two is not very distinct, given that both forms of consent must be specific, freely given, informed and explicit.

GDPR also stresses that ‘consent’ requires a clear positive sign of agreement to personal data being processed; it cannot be inferred from inactivity, no response or pre-ticked boxes. If you have been relying on individuals’ consent to process their data, make sure it meets the GDPR standards; otherwise, alter your consent mechanisms or find an alternative way to secure consent.

Note: Consent has to be verifiable, and controllers must be able to demonstrate that consent was given in case of a dispute. This makes it indispensable for marketers to review the systems they currently have for recording consent, to ensure they have an effective audit trail. Remember, individuals generally have stronger rights where you rely on consent to process their data.

To answer questions marketers may have, DMA has hosted a series of webinars and continues to pull together resources on GDPR.