General Data Protection Regulation

Gearing Up, Getting It Done: Make Your Team a GDPR Success

General Data Protection Regulation (GDPR) went into effect on May 25, 2018 and if you are anything like other digital marketing leads, you have not adopted the new practices to comply with the directive. But while this new EU requirement may seem daunting, it becomes manageable when you understand your obligations, identify the right team members to work on the solution, and create a reasonable plan to get you on track.

Schedule your GDPR workshop

Right to Be Informed

User data can be many things, including email address, zip code, date of birth, or even an IP address. Ask explicit permission before collecting a user's data.

The data you collect still belongs to the user, you are just borrowing it.

Clearly tell users the following about their data:

  1. What you are collecting
  2. Why you are collecting it
  3. Who will have access to it
  4. How it will be stored and processed
  5. How long will it be kept

Users have the right to ask for their data back at any time. They don't need a reason.

You must tell users whom to contact if you are not treating their privacy and data correctly.

Right to Lawful Processing

You must obtain consent to process an individual’s personal data.

You may use personal data to deliver a product or service that an individual has requested.

You may not lie, trick, or mistreat an individual in order to use their data.

You do not need to ask for a user’s permission to share their data with government or legal organizations that prove they have authority to access that data.

Right to Access

If a user requests to know what information you have about them, you must respond within one month.

If you have a valid reason, you may take up to three months to respond to a user’s request for access to personal data.

For example, if the data is dispersed across 230 databases and two years of backups.

When responding to a user’s request for access to personal data, you need to be certain whether you have that user’s data or not.

Right to Rectification

If you collect a user's data, you must protect it.

If the user asks you to correct their data, you must do so.

An individual can ask you to remove all of their data and not to collect any new information.

It is known as the "right to be forgotten".

You must delete a user's data if there is no reason to use it.

You might have a valid reason to keep the data, such as legal or regulatory, or to continue providing a service.

Right to Restricted Processing

A user can ask that to stop collecting and using the user's personal data. You have to comply.

You must also notify partners or 3rd parties to stop processing the user's data.

You can keep a user's data if there is a pending lawsuit or a dispute about the accuracy of data.

Right to Data Portability

When asked, you must provide the user with a copy of the user's personal data.

You must provide the information in a commonly used, machine readable format.

Users may take their data to your competitor - it is their data to do with as they wish.

Right to Object

If a user does not like how you are collecting, using, or storing data, the user can ask you to immediately stop collecting and processing the data.

You are allowed to continue collecting or processing a user's data even if you are asked to stop. But that is only with a very good reason.

Profiling, marketing, or the lack of technical implementation are not considered valid reasons.


You must be able to prove that you asked and were given consent to collect and process personal user data - either on your own or through a 3rd party.

You must take measures to secure users' data and handle it appropriately.

You need a policy and a plan to comply with GDPR and the commitments you make to users.

Data Breach Notification

You must notify users within 72 hours of a serious loss of personal data, or if the users could suffer harm because private data was accessed while in your care.

If there is a data breach, you must also notify the relevant regulatory authority of the breach within 72 hours. The authority will differ based on your country.

If you cannot meet these requirements, serious penalties can be imposed.

Data Transfer

You are not allowed to transfer a user's personal data unless you know that the receiving organization has proper safeguards in place. The safeguards must be the same or greater than your own.

You must encrypt data being transferred outside of the EU.

National Derogation

There are a handful of exemptions to data transfer under the GDPR. These are mostly legal or national security related.

Before assuming that you are exempt, you should review your situation to make certain it meets the requirements.