In preparation of the new General Data Protection Regulation (GDPR) law change coming into effect from the 25th May 2018, we’ve put together a GDPR Digital Marketing Checklist.

Please be aware that this information does not constitute legal advice and you should seek your own legal professional for guidance on implementation of GDPR for your own organisation.

GDPR signpost
Photo credit: Convert GDPR

Some Information About GDPR

  • The General Data Protection Regulation applies to the storage and processing of personal data, which is defined as:
    “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.” This includes online identifiers, location data and identification numbers
  • GDPR looks at the responsibilities of data controllers (organisations which collect data from users) and data processors (agencies, tools etc.)
  • The storage and processing of personal data must be necessary
  • Personal data can only be used in the nature for which consent was given
  • Personal data should not be held for any longer than is necessary for the purposes for which the data is processed
  • Increased emphasis is placed on the secure storage of personal data
  • You must tell users how you will process their personal data and why
  • You must regularly review and if necessary update your privacy information and then bring any new uses of personal data to each user’s attention before you start the processing

GDPR Applies To

In the context of Digital Marketing GDPR may affect the following elements of your business:

  • Website Privacy Statement
  • Website cookies
  • Website contact forms
  • Remarketing of any kind
  • Personal data storage or reporting tools
  • Email Marketing
  • CRM database

We have reviewed the ICO’s GDPR guidelines and pulled together some considerations for you on how to meet GDPR compliance.

Please Note: We are not GDPR legal experts and nothing contained within this document should be considered legal advice. This is also not an exhaustive list. We recommend that you conduct your own GDPR compliance audit, or appoint a qualified person/company to do so.

1. Website Privacy Statement

This should include:

  1. The personal data that you collect about users on your website
  2. How this data will be processed
  3. Your lawful basis for collecting and processing this data
  4. Who will have access to and may process this data on your behalf
  5. How long you will store this data for
  6. The details if the data will be shared outside of the EU
  7. A user’s rights in regards to the data
  8. How a person can:

    –Revoke consent (if applicable)

    –Request deletion/to be forgotten

    • This should be written in clear, plain English
    • It should be concise
    • This should be easily found on the website
    • It should be updated if there are any changes to the information provided


  • Cookies, IPs and other online identifiers count as personal data
  • Processors include: your company, all relevant agencies, Google
  • Your Google Analytics Data Retention settings for duration of storage

2. Website Cookies

This is certainly a more complicated aspect of the new regulations. The extent to which this will impact you depends on the type of cookies that you use and the related data that you collect and process.

One lawful basis for data collection and processing is legitimate interest which can be used where “you use people’s data in ways they would reasonably expect and which have a minimal privacy impact”. Therefore, cookies which track user data for the purposes of fraud detection, Analytics, eCommerce processing or security could arguably be processed and stored under legitimate interest.

Cookies used for marketing purposes operate outside the defined parameters of legitimate interest and must require consent from the user.

  • When requesting consent you should be clear about what the data will be used for and it can only be used for those purposes
  • A user should be able to deny consent for these cookies and still be able to use the website
  • A user should be able to revoke their consent at any time

Whatever cookies you use and the related lawful basis must be included in your website privacy statement.

3. Website Contact Forms

  • These should only collect personal data directly relevant to the purpose of the form
  • These should have a clear Privacy Statement on the page which covers off points 2-7 from the Website Privacy Statement information page (page 4) relating directly to the data provided in the form


This personal data should only be shared with relevant people for the purposes of which it has been submitted.
Example: Job applications should not include the Sales Team as recipients and vice versa.

Storage and Processing

4. Remarketing

  • As stated in the Website Cookies information page cookies intended to be used for marketing purposes must gain active consent
  • This active consent must be recorded alongside the personal data stored in your database
  • When requesting consent you should be clear about what the data will be used for and it can only be used for those purposes
  • This consent should only be valid for a reasonable duration
  • A user should be able to revoke their consent at any time
  • All current remarketing lists must be checked to ensure that all users included provided active consent for their data to be used for marketing purposes
  • Any users who have not provided active consent, either initially or in any communications you may have sent out recently, should be removed from all remarketing lists before 25th May

The security of this personal data and how it is shared with 3rd party processors (such as digital agencies) is also now of increased importance.

Documents sent over email are unlikely to be considered adequately secure.

5. Tools

Any tools which you use for personal data storage or processing qualify as 3rd party processors of the personal data that you control. From a Digital Marketing perspective this may include, but is not limited to:

  • Google Analytics and AdWords
  • Facebook Business Manager
  • Email Marketing software
  • CRM systems
  • Web Form software

Both you as the data controller and the data processor have obligations for ensuring that this data is stored and processed legally and is kept secure.

  • The storage and processing of personal data should be necessary for the stated purpose, if there is a means of achieving the same thing without storing or processing personal data then that route should be taken
  • If it is not necessary to have personal data in all the tools that you use then consider changing the way that you use those tools

You are responsible for ensuring the security of the personal data as much as you can be within these tools.
For example having a secure password which is regularly updated.

6. Email Marketing

Your Current Database

  • Active consent is required for email marketing

“Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.”

  • If your current database contains email addresses gained from automatic opt-ins or any other means than active consent it will not be GDPR compliant
  • You must record the legal basis for storing and processing the personal data – consent in your database
  • Mailchimp has information on how to do this with their software

Age/Relevance of Data

Personal data should not be stored for any longer than is necessary for the purposes for which the data is processed.

Data Management

7. CRM Database

Of the 6 lawful basis for personal data storage and processing these 3 are most likely to be relevant to your CRM database:

  • Consent
  • Contract
  • Legitimate Interests

Whatever the basis, the user should have been able to refer to a clear Privacy Policy before providing you with their data which includes points 2-7 from the Website Privacy Statement information page.

You should have a field in your CRM system which specifies the lawful basis for storage and processing.

Age/Relevance of Data

Personal data should not be stored for any longer than is necessary for the purposes for which the data is processed.

Data Management

  • Users should be able to revoke their consent at any time
  • In relation to the relevance of data, this should be actively managed by yourselves and irrelevant data should be deleted in a timely manner
  • Data should be stored securely and any security breaches should be handled and communicated to users in a timely manner

Further Information on GDPR for Digital Marketing

The following sources may be helpful in finding out more:

To keep up-to-date with the latest digital marketing industry updates, you can opt-in to receive our ThoughtShift Guest List Newsletter.

Similar Posts