GDPR: Asking for permission, not forgiveness

When it comes to GDPR, I have mixed feelings. As someone who has studied European Administration for 5 years and learned so much about protecting and serving European citizens, I feel somehow relieved knowing that GDPR* is coming (set to be in place by 25 May 2018).

It’s astonishing to see how technology has advanced in recent years, driving businesses to rely heavily on big data to make decisions, and at the same time to observe how little progress, regulation, and control there has been over data protection at national and international level. The digital landscape and the data capturing and tracking ecosystem are rapidly evolving, increasing companies’ hunger for more and more personal data. At the same time, consumer behaviour has shifted towards more proactive ownership in managing risks such as identity fraud and the abuse or misuse of online data by third parties. Although consumers share an ever-increasing amount of data with companies – for purposes such as personalisation and relevant communications – they are also demanding transparency and full control over their personal data. Changes like these bring many challenges.


GDPR brings challenges

There is a significant amount of resources that explain the regulation; however, I think the challenge that companies will face comes down to correct implementation. It might be early days to say, but there might be a lack of progressive and innovative role models among European companies (and countries). Plus, as a result of stricter regulations, businesses might lose access to most of their customer data, which may slow down growth, with acquisition costs going up. Of course, there are multiple challenges that come with GDPR, but as a company, you can’t go wrong if you have a proactive approach – the sooner you start to implement GDPR, the better.

GDPR – Core Aspects

These are some essential elements of this regulation to keep in mind:

1. Consent

This is the core element of the regulation. Businesses need to ensure that:

  • customers understand how to give and withdraw consent
  • customers understand what data is being collected and how it’s being used
  • they get affirmative, unambiguous consent from customers to use their data

The important element here is that companies need to get permission for each type of communication separately. Customers must now explicitly give consent for their information to be used, by opting in rather than simply neglecting to opt out; pre-ticked boxes and bundled permissions are no longer allowed.

BEWARE: If it’s your company’s practice to purchase lists of contacts, note that the consent restriction will be applied retroactively – meaning that previously gathered data which didn’t meet the new standards of ‘consent’ can no longer legally be used.

2. Profiling & the right to opt out of marketing

This will impact all data-driven activities, from marketing automation to personalisation, dynamic content, CRM and any other direct marketing activity. Customers will have the right to opt out of any form of automated profiling, and companies will need to provide them with meaningful information about the logic involved, as well as the meaning and implications of profiling decisions.

3. The right to be forgotten

The regulation introduces the ‘right to be forgotten’, which means that once a customer has decided to leave, they can request that all of their data is erased. Companies might face some challenges in ensuring that data is deleted from multiple databases and systems.

4. Data portability

I think this will play a big role in the near future and it will change customer relationship dynamics from at least two perspectives:

  • Customers will be able to ask for a copy of their personal data in a machine-readable format. As a result, personal data might be used to seek better deals. Relying on comparison websites, customers could make better use of loyalty schemes, especially those of the most competitive brands. For example, customers could be using their historical financial data to match it with the offers on the market, and quickly realise that they could save a small fortune if they switch to a different mortgage or insurance provider, or even on taxi services or clothing brands.
  • On the other hand, companies may be more vulnerable with their customer data moving in and out. It might also bring more competition, with significant growth in client retention programs.

GDPR will also mean opportunities

Despite the challenges that come with GDPR, companies should treat this compliance journey as an opportunity for growth and building better relationships with their customers, employees, and partners. The regulation also provides an opportunity for companies to take control of their own compliance and put in place clear internal procedures for data processing.

Below is an action plan to consider when implementing a GDPR strategy.

Run audits

Start with a data audit to identify areas of risk and where data is being used in a non-compliant way, for example, if you ask customers to consent to receive personalised communications without being clear about how personalisation or profiling will be used and how it will improve their experience.

Clean House

The GDPR will require a review and refinement of data handling and processing procedures. Start with cleaning up your active/inactive contacts and mapping the data flow across systems and teams. This should result in compliance, but also help to run more efficient business operations.

Set up a Data Knowledge Hub

  • Bring your teams together to consider permissions, and establish regular data reviews and security procedures. The product, IT, marketing and customer experience teams need to understand the opportunities and consequences of compliance when it comes to product development and customer experience.
  • Accurately track your metadata. In order for the data to be trustworthy, you need to know where it came from, how old it is, how and when it was changed, and who changed it, etc.

Focus on the customer

Throughout this process, make sure you keep the customer at the centre of your decision-making process:

  • Ask yourself what your customer wants, or ask your customers what they think of how you use their data, well before they start complaining or unsubscribing
  • Explore design options for consent journeys, test and adapt


All companies, especially smaller ones, should see GDPR as an opportunity to build a more secure and robust foundation for growth while protecting their clients, employees, and businesses. My advice would be to get to work and start aligning people, platforms, and processes. Train your teams to be compliant with GDPR when handling data. You might also want to reach out and ask for help: there are companies out there that audit processes to ensure compliance with the law, plus there are platforms that promise to automate the end-to-end data cataloging process to support GDPR compliance.

GDPR is ultimately an opportunity to rethink the customer relationship and to empower customers with access and control over something that has always belonged to them – their personal data.


*General Data Protection Regulation (GDPR) is a new legal framework to be applied within the EU, aiming to achieve uniformity in data protection legislation across the EU, thereby streamlining data exchange and security between member states.

*GDPR recognises that smaller businesses (fewer than 250 employees) require different treatment to large or public enterprises. Although smaller companies with tiny databases and just a few employees might pose a lesser risk to the privacy of EU citizens than a larger, more complex organisation, the regulation expects all controllers to fulfil their responsibilities as data controllers. Failure to comply with the GDPR could lead to fines up to €20 million or 4% of annual turnover (whichever is higher).
