GDPR for Marketing: How to Achieve Compliance

GDPR is one of the hottest business topics in Europe right now, one that is naturally very important to TalentHub and our fellow recruiters, but also of huge importance to our many clients as they look to ensure compliance when marketing to their customers.

We asked Nikita, the GDPR specialist from BusinessBrew, to join us in TalentHub’s offices and share her insight into GDPR compliance with the marketing community in Ireland. BusinessBrew is a consulting agency that helps organisations with inbound marketing and GDPR through training, consultancy and playbooks.

TH: Everyone is talking about GDPR, but there are still a lot of question marks around what it actually means. Nikita, can you give a plain and simple outline?

GDPR stands for the General Data Protection Regulation. It’s a regulation that was passed by the EU in 2016 and comes into full effect in May 2018. At that point in time, we’ll have a binding set of rules that apply to anyone processing data in the EU (or people outside the EU processing data of Europeans) that is applicable in all EU member states. The regulation outlines, amongst other things, what legal basis you might have to process data, what you can and cannot do, how to obtain consent and how to protect and share data if you’re required to do so.

In simple terms, GDPR will affect any business that is gathering data from audiences based in the EU. Whether that’s data coming from an online sale or the simple completion of a form to download. It touches on so many areas that it is essential for businesses to get GDPR-ready.

TH: Does that mean then GDPR is an organisation-wide concern?

Yes it is! Previously privacy was mainly seen as a pesky thing to be ticked off by legal. We’ll all need to rely on our legal teams now to help us understand the impact of GDPR. Beyond that, we need someone to translate the legal information into language the rest of the business can understand. Everyone that works with data, such as sales, marketing and IT, has to understand the basics of privacy law and be able to adjust their day to day work to make sure the organisation as a whole is compliant.

TH: Tell us a little more about the role Marketing plays in GDPR.

Well, your marketing team gathers a lot of information about your data subjects. There is no lead generation without having to think about how your privacy policy affects your potential customers. Firstly, marketers need to understand the impact of the data they are collecting and processing and what kind of data they can or can’t collect. Secondly, marketers know better than anyone else in the organisation how to speak the language of your customers. The GDPR actually requires us to use plain and understandable language when we talk about privacy to our customers. If you are hiding behind complicated legal terms or are trying to trick your prospects into giving consent, you can get in trouble under the GDPR. Marketers will have to check every campaign and the language in your privacy notice to determine whether you are actually doing the right thing.

TH: Do you believe GDPR should be seen as a new skill set for marketers?

Absolutely. Marketers are the custodians of your data and they should be the champions of your leads by advocating proper treatment of them. I already mentioned how marketers know how to speak the language of your audience but they also care about sharing relevant information with this audience. No marketer will achieve their lead generation or conversion goal by spamming leads with irrelevant information. By tracking which group of leads has opted into receiving what kind of information specifically, you are on your way to managing successful campaigns.

TH: How should marketers prepare for GDPR?

Right. This is not a popular answer but at some point you should really have a look at the actual legal text. I know, it’s quite hard to get through but it will help you weed out the false information out there. Having said that, there is a lot of good material out there that helps you interpret the legal text as well. A good thing to keep in mind is that every EU country has an officially translated version so if English isn’t your first language, you might want to reference the text in your native tongue.


You should take the following 10 steps to prepare for General Data Protection Regulation:

1. Discuss the topic at a company level. You can’t do this alone and you’ll need senior buy-in and support.
2. Review your database and opt-ins. Regardless of the new laws, you cannot email people without their consent.
3. Run opt-in campaigns before the May 2018 deadline or risk having to remove the data of people who haven’t explicitly opted in.
4. Talk to IT and review all your cloud service providers to see if they are compliant. If they aren’t you might need to start looking for an alternative solution.
5. Talk to sales and discuss how leads are sourced, treated and added to the CRM system to make sure you keep your database clean and you can avoid breaches.
6. Review your privacy policy and update the privacy notice on your website.
7. Review your forms and check if you’re recording consent correctly.
8. Prepare to talk about a data breach when it happens. Privacy starts with PR and a lot of issues can be avoided if you handle sensitive situations right from the get go.
9. Prepare for requests from data subjects regarding access, rectification or deletion of data. You’re supposed to handle these swiftly and most marketers will be able to set up an automated chain of actions and replies to deal with these requests.
10. Finally, let your leads and customers know that you value their privacy and that you are committed to keeping their data secure.

TH: There is a lot of scaremongering going around, should we be scared of GDPR?

I think the scaremongering is a less than nice tactic by service providers to get you to buy into their solutions. If you’ve never cared about privacy and data protection, you do have a lot of work to catch up on and you shouldn’t waste any time. If you have your privacy and data protection protocols reasonably in order, the GDPR isn’t impossible to prepare for.

What is new and ‘scary’ for many businesses out there are the potential consequences. I believe that many organisations have been casual about data protection because they didn’t really see what consequences it could have for them. Under the GDPR this is different and there are some serious fines of up to 20 Million Euros or 4% of your global, annual turnover if you don’t comply. If you are unsure about certain processes, you can talk to the Data Protection Authority in your country and they can actually advise you and authorise the processing of data for you.

Bottom line, yes there are serious consequences for non-compliance but there is support available to you.

TH: Do you believe GDPR fines will be enforced?

Yes I do. First of all, previous privacy laws have been enforced. I don’t think they have been widely publicised but if you start looking, you’ll find them. Secondly, it’s the first time that we have a European Data Protection Board and a DPA in each and every country which makes it easy for individuals to complain and there is a body dedicated to making sure corrective measures are being taken.

TH: So this is an additional regulation to ePrivacy?

Yes it is. The ePrivacy law, PECR, also known as the ‘cookie law’ still exists and is complementary to the GDPR. The ePrivacy law specifically tells us how to deal with electronic communication such as email, phone and websites. Actually, there is a new draft for the PECR which is currently being reviewed on European level. This new version will be fully in line with the GDPR making it easier for us marketers to understand how these regulations impact our day to day.

TH: It’s clear marketers have to upskill on GDPR. What’s your advice on how to grow this new skillset?

I mentioned before, it’s important to read the actual legal text for yourself. There is a lot of misinformation and scaremongering out there and I think it’s important to work with the original source. Talk to a lawyer if you have access to one and review online resources such as the Bird&Bird guide to the GDPR, but also consider some more hands-on measures such as taking an online course.

TH: You mentioned an online course. Tell us a little more about what you offer and why you are the right person to talk to.

When we had a conversation with a customer about GDPR in early 2017 I realised we needed to upskill and we decided to follow a training given by a privacy lawyer and become ISO certified on the topic. I now hold the Certified Information Professional Certification Europe by the International Association of Privacy Professionals.

The reason we built our online course is that we were looking for a resource specifically aimed at marketers and we couldn’t really find one. I mentioned to you earlier that I think it’s a skill every marketer should have but that also means that every marketer should have access to training material specifically built for them.

Our online course covers the background of privacy law in Europe so you don’t understand only the GDPR but the principle of data protection. We cover the actual GDPR and what marketers need to know to be compliant and we go into specific scenarios such as lead generation on LinkedIn to help marketers execute their job successfully under the GDPR.

If you’d like to know more about our course have a look here. If you have questions and would like to chat, do send me an email on I’d be happy to answer any questions you have about how you can prepare for the GDPR as a marketer.

About Nikita
Nikita Smits-Jørgensen is co-founder of inbound marketing and GDPR consultancy BusinessBrew. While being ISO certified in privacy regulations for sales and marketing (GDPR / PECR) she aims to work with marketers in plain English to get GDPR-ready.

Nikita met fellow BusinessBrew founder Evelyn Wolf during their tenure at inbound marketing powerhouse HubSpot. They assisted businesses of all sizes and industries as well as marketing agencies in building their lead to customer generation funnels.

BusinessBrew is geared to help companies make the most out of their inbound marketing and privacy efforts in the most time and cost-efficient manner through workshops, training and the delivery of strategic playbooks.

TalentHub would like to thank Nikita and the team at BusinessBrew for sharing their insights into GDPR for marketers.


Author: Ellie Doyle

Ellie brings a pragmatic approach to clients’ hiring challenges, and believes in the power of asking the right questions. She has a phenomenal network of industry contacts – if anyone knows the person for the job, it’s Ellie. She is famous for her ability to retain even the smallest detail.

