Regulations relevant for marketers

Privacy and data security is no longer a matter for just IT and legal teams. Sales & marketing play an active part in how data is generated and processed through our active lead generation and nurturing. 

Just about everyone in marketing has now heard about GDPR and some people are actively working towards compliance. BusinessBrew is here to help with GDPR training, support and knowledge in clear language that will ensure you can run compliant marketing campaigns going forward. 

We ensure that existing regulations like the ePrivacy Directive (aka "The Cookie Law" or PECR in the UK) are adhered to as well as the GDPR. 

What is GDPR?

Simply put, since 25 May 2018 all companies working within the European market have to be compliant with a new set of data privacy regulations known as GDPR or General Data Protection Regulation.

The European Union accepted GDPR in April 2016 and the deadline given to companies to comply by was 25 May 2018. The legislation aims to give individuals more options to control how their personal data is held by organisations. 

For organisations whose core business entails processing personal data or organisations that are (part of) a governmental organisation, it may mean having to appoint a data protection officer. Read more on this below. 

GDPR affects your entire organisation: IT and your systems, legal, HR, accounts and, of course, marketing and sales. The bottom line, not only is there a lot to consider but you need to ensure your business is fully compliant to avoid fines.

Read more about what GDPR means for inbound marketing teams here or read how you can get started working on GDPR compliant campaigns here.

Does GDPR apply to my business?

If you don’t handle any data from Europe and are not based in the EU, the GDPR won’t affect you. However, even businesses outside of the EU who handle personal data of data subjects who are in the Union must comply. 

Now you ask, is this a good thing? Does it cause trouble for me as an Inbound Marketer? In our opinion, it is a good thing and if you stick to the inbound principles (#purist) marketing in a GDPR compliant manner should be a manageable process.

Varnish Software Logo.png

"BusinessBrew's GDPR Workshop sheds a light on all the different nuances of GDPR. It helped put the marketing and sales team at ease about doing business in a new GDPR era and even be excited about what it brings." Hildur Smaradottir, VP Marketing 

How can BusinessBrew help towards GDPR and ePrivacy compliance?

BusinessBrew specialises in getting sales and marketing teams ready for GDPR. 

GDPR online course for marketing & sales

This online self-learning course will help you to understand the legislation work towards compliant online lead generation and inbound marketing.



GDPR workshop for marketing & sales

A full day customised workshop where we help your teams understand how the GDPR will apply to your business and prepare you for documenting your data processes. 


GDPR support

Ensure your business has the right support when implementing the GDPR from data processing inventories, risk analysis to ensuring ongoing compliance. 


Digital22 GDPR .png

"Nikita took a complex and controversial subject and delivered a laid back, inviting and, of course, informative talk. GDPR is a subject which is filled with ambiguity and therefore her common sense approach was a breath of fresh air. We received great feedback from everyone we spoke to about her talk." Rikke Lear, Director

GDPR concerns for marketing teams

The GDPR affects the entire organisation. Marketing teams tend to get hit first as we collect, segment and analyse personal data every day.

Your marketing team has to be ready to take care of the following:

1. Handle requests from individuals to understand how their data is being held.

2. Be able to show how and when consent was obtained.

3. Allow individuals to withdraw consent easily and at any time.

4. Provide clarity to your data subjects (leads, clients, employees, candidates and anyone else who's personal data you might process). 

5. Provide language around your data collection and processes that is clear and written in normal (i.e. human, not law specialist) language.

6. Must execute requests from individuals “without undue delay and at the latest within one month of receipt of the request”.

7. Report a personal data breach “leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

In short, marketing is for many organisations the first point of contact. Here, data is first collected and stored; most likely marketing will also work on the processes and responses to data requests and communication around data breaches.

If you want to get to work, download our GDPR checklist for marketing teams.

GDPR Checklist for Marketing

Inbound marketing and ISO certified GDPR specialists 

We are inbound marketing experts who embrace the GDPR. 

Nikita received her GDPR certification from the International Association of Privacy Professionals (IAPP). This is the largest nonprofit organisation that brings together the people, tools and information management practices we need to stay up to date with the fast moving information economy. The CIPP is the global industry standard for professionals in the field of privacy. With the CIPP/E credential we show that we understand the principles-based framework and knowledge base in information privacy within the European context, including critical topics like the EU-U.S. Privacy Shield and GDPR. The certification is accredited by the American National Standards Institute (ANSI) under the International Organization for Standardization (ISO) standard 17024: 2012.

It was important to get trained so we can ensure we are up to date on best practices for privacy and data security when advising you on your marketing strategy.

We are uniquely positioned to support you in building ePrivacy/PECR/GDPR compliant marketing campaigns because we combine our inbound marketing experience with data privacy insights.

CIPP-E_Seal Certified Information Privacy Professional Europe.png

What is ePrivacy or PECR?

The directive has been in place since 2002 and has been updated as a proposal text in January 2017. By many marketeers, it is know as 'the cookie law'. However, it covers much more than that. The Directive on Privacy and Electronic Communications (Directive 2002/58/EC and the 2009 update, Directive 2009/136) concerns electronic communications and the right of confidentiality, data and privacy protection. Electronic communication covers websites, email, text messages, advertising, apps and IoT devices.

You may see ePrivacy and PECR used interchangeably by some. The PECR is the UK version of the ePrivacy Directive. They cover many of the same issues but are not the exact same thing. It's important to be aware the ePrivacy Directive varies in all 28 member States. Unlike the GDPR, where one set of rules apply.  

ePrivacy and PECR contain specific sets of rules for:

  • Marketing calls, emails, texts and faxes
  • Cookies and similar technologies
  • Keeping communications services secure
  • Customer privacy as regards to traffic and location data, itemised billing, line identification, and directory listings.

Update to be aware of

In 2017 an update to the ePrivacy Directive was proposed. It not only requires popular messaging systems such as Facebook Messenger, WhatsApp and Skype to adhere to the regulations, but it also clarifies some of the, previously more complicated, aspects of the regulation. In addition, the Directive will be replaced with a directly applicable regulation which means that going forward there will be one set of rules (like the GDPR) rather than 28 different ones. 

The proposal has yet to be fully accepted. It's expected that it will come into force in early 2019. 

EU factsheet on 2017 PECR.png

Do you need a Data Protection Officer?

You may have heard that you need a Data Protection Officer or a DPO under GDPR. This isn’t necessarily the case. There are three scenarios where you need to appoint a DPO under GDPR:

  1. The processing is carried out by a public authority (except for courts);
  2. The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or
  3. The core activities of the controller or processor consist of processing on a large scale of sensitive data (Article 9) or data relating to criminal convictions / offences (Article 10).

As you can see, most businesses don’t need to appoint a dedicated DPO. BusinessBrew can advice in the case you do not need a DPO or if your DPO needs support in translating policy into workable marketing activities.

Get in touch.

You know you have to work on GDPR compliance but are not too sure what should be on your to-do list and how to get there? Leave us a note here and we'll get back to you.