Regulations relevant for marketers

As marketers, we have a set of rules to comply with. There is a lot of information out there and BusinessBrew helps businesses with building compliant marketing strategies and running effective but compliant marketing campaigns.

Just about everyone in marketing has now heard about GDPR and some people are actively working towards compliance. In doing so, many of us forget the ePrivacy directive. This directive dates back to 2002 and many marketers know it as 'the cookie law'. In all honesty, that's how we at BusinessBrew thought about it before we decided to support businesses in building GDPR compliant campaigns and helping them clean up their overall sales and marketing efforts to align with the latest regulation.

What is GDPR?

Simply put, by 25 May 2018 all companies working within the European market have to be compliant with a new set of data privacy regulations known as GDPR or General Data Protection Regulation.

The European Union accepted GDPR in April 2016 and aims to give individuals more options to control how their data is held by organisations. The deadline given to companies to comply is 25 May 2018. In addition, you must have processes ready to handle data requests from any individual.

For some organisations (those whose core business entails processing personal data or those who are (part of) a governmental organisation), it may mean having to appoint a Data Protection Officer.

GDPR affects your entire organisation: IT and your systems, legal and of course marketing and sales. The bottom line: not only is there a lot to consider, but you need to get started today to ensure your business is compliant well before the deadline hits.

Read more about what GDPR means for inbound marketing teams here or read how you can get started working on GDPR compliant campaigns here.

Does GDPR apply to my business?

If you don’t handle any data from Europe, GDPR won’t affect you. However, even businesses outside of the EU who deal with data from European citizens must comply.

Now you ask, is this a good thing? Does it cause trouble for me as an Inbound Marketer? In my opinion, it is a good thing and if you stick to the inbound principles (#purist) preparing for GDPR compliance should be a manageable process.

What is ePrivacy or PECR?

The directive, which has been in place since 2002 and was updated as a proposal text in January 2017, is known by many marketers as ‘the cookie law’, but it covers much more than that. The Directive on Privacy and Electronic Communications (Directive 2002/58/EC and the 2009 update, Directive 2009/136) concerns electronic communications and the right of confidentiality, data and privacy protection. Electronic communication covers websites, email, text messages, advertising, apps, IoT devices...

PECR contains a specific set of rules for:

  • Marketing calls, emails, texts and faxes
  • Cookies and similar technologies
  • Keeping communications services secure
  • Customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

2017 update to PECR

The 2017 update to PECR is good news for us marketers. It not only requires popular messaging systems such as Facebook Messenger, WhatsApp and Skype to adhere to the regulations, but it also clarifies some of the previously more complicated aspects of the regulation.

On top of that, the EU is replacing the ePrivacy directive with a directly applicable regulation, which means that we only have to deal with one set of rules instead of 28 different ones. Read more about the proposed 2017 update here.

How can BusinessBrew help towards GDPR and ePrivacy compliance?

BusinessBrew specialises in getting sales and marketing teams ready for GDPR.

When working on any service, both PECR and GDPR are on our minds and we never suggest practices that do not align with either of these directives. However, we also realise that your marketing team has been active for a longer period of time so we help you clean up your current marketing practices as well. We can help you with the following:

  1. We support key departments and make sure they are aware that the law is changing, and anticipate the impact of GDPR.
  2. We create an overview of what personal data is held, where it came from and with whom it is shared.
  3. We help you review current privacy notices, and make any necessary changes.
  4. Review workflows to address the new rights that individuals will have.
  5. Plan how to deal with requests within the new time frames, and provide the required information.
  6. Review how consent is requested, obtained and documented.
  7. Help you review procedures to detect, report and investigate data breaches.
  8. Work with internal resources to transfer responsibility for data protection compliance.

Our consulting services and workshops ensure that your marketing and sales team can continue to market to your contacts and generate new leads following 25 May 2018.

GDPR workshop for marketing & sales

A full-day workshop where we help your teams understand the basics of GDPR, how it impacts their day-to-day work and what they can do to work according to the directive.


GDPR cleanup project for marketing teams

We join you in a project where we review and adjust all of your marketing practices according to the GDPR legislation to support you in becoming fully compliant. 


GDPR online course for marketing & sales

This course will be launched soon and will help you to, in your own time, work towards compliant online lead generation and inbound marketing.


Do you need a Data Protection Officer?

You may have heard that you need a Data Protection Officer or a DPO under GDPR. This isn’t necessarily the case. There are three scenarios where you might need to appoint a DPO under GDPR:

  1. The processing is carried out by a public authority;
  2. The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or
  3. The core activities of the controller or processor consist of processing on a large scale of sensitive data (Article 9) or data relating to criminal convictions / offences (Article 10).

As you can see, most businesses don’t need to appoint a dedicated DPO. BusinessBrew can advise in the case you do not need a DPO or if your DPO needs support in translating policy into workable marketing activities.

GDPR concerns for marketing teams

GDPR affects the entire organisation. Marketing teams tend to get hit first: we collect, segment and analyse personal data every day.

Your marketing team has to be ready to take care of the following:

  1. Handle requests from individuals to understand how their data is being held.
  2. Be able to show how and when consent was obtained.
    • If consent hasn’t been explicitly given, it can be implied by the person's relationship with the company such as a request to receive information or a prior contractual engagement. The data that has been obtained should however be for specific, explicit and legitimate purposes. So, if I request to download a white paper on subject X, this doesn’t imply that you have my consent to contact me about subject Y.
  3. Allow individuals to withdraw consent easily and at any time.
    • When a request ‘to be forgotten’ is made by an individual, all data collected has to be permanently removed and this should be confirmed to the individual who made the request.
  4. Provide clarity on any of the following points:
    • Contact details from and identity of the organisation (so make sure that your microsite clearly states which organisation it is linked to!).
    • The purpose of collecting the data and plans for future use.
    • Where the data will be held (country) and if it will be transferred internationally (Which will be the case for most of us using cloud solutions, clearly state what software you use and where your provider stores your data.).
    • How long you intend to store the data.
    • The right to access, rectification or removal of data as well as the right to withdraw consent at any time.
    • The right to file a complaint and how to do this.
  5. Provide language around your data collection and processes that is clear and written in normal (i.e. human, not law specialist) language.
  6. Execute requests from individuals “without undue delay and at the latest within one month of receipt of the request”.
  7. Report a security breach “leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
    • The breach should be reported timely “without undue delay and, where feasible, not later than 72 hours after having become aware of it” if the breach is likely to “result in a risk for the rights and freedoms of individuals”.
    • Where requests to access data are manifestly unfounded or excessive then small and medium-sized enterprises will be able to charge a fee for providing access.

In short, marketing is for many organisations the first point of contact. Here, data is first collected and stored; most likely marketing will also work on the processes and responses to data requests and communication around data breaches.

If you want to get to work, download our GDPR checklist for marketing teams.

GDPR Checklist for Marketing

Inbound marketing and ISO certified GDPR specialists 

We are ISO certified GDPR specialists as well as inbound marketing experts.

Here is the background on our certification: The International Association of Privacy Professionals (IAPP) is the largest non-profit organisation that brings together the people, tools and information management practices we need to stay up to date with the fast-moving information economy. The CIPP is the global industry standard for professionals in the field of privacy. With the CIPP/E credential we show that we understand the principles-based framework and knowledge base in information privacy within the European context, including critical topics like the EU-U.S. Privacy Shield and GDPR. The certification is accredited by the American National Standards Institute (ANSI) under the International Organization for Standardization (ISO) standard 17024:2012.

It was important for us to get trained and certified so we can guarantee you we are up to date on best practices for privacy and data security when advising you on your marketing strategy.

We are uniquely positioned to support you in building ePrivacy/ PECR / GDPR compliant marketing campaigns because we combine our inbound marketing experience with data privacy insights.

GDPR Insights

If you are interested in reading more about data protection and security, check out our GDPR blog topics.

Get in touch.

You know you have to work on GDPR compliance but are not too sure what should be on your to-do list and how to get there? Leave us a note here and we'll get back to you.