Below we have an overview about what GDPR means for clients and what you need to know about it as a digital marketing service provider

What will be covered in this topic

  • Explaining GDPR
  • Who may need these changes made
  • GDPR Definitions
  • What you need to know about GDPR compliance
  • GDPR Fines and other sanctions.
  • Importance of being GDPR compliant
  • Data subject rights
  • The role of having a data protection officer


Explaining GDPR

Its was ratified in April 2016 and become law in all EU states from May 25, 2018. The UK adopted it in August 2017 as one of the laws that would transfer over to the UK after leaving the EU. data protection laws that would transfer the GDPR into the UK

The Purpose of GDPR gives better protection to EU citizens even when the data holder is outside of the EU. Organisations will be required to appoint a DPO (data protection officer)

The fine for not being GDPR compliant is up to 20 million Euros or 4% of global turnover.


Who needs these changes made

Any customer using any script or function on their website that processes data.


  • Google Tag Manager
  • Google Analytics
  • Adwords Remarketing
  • Facebook Marketing / Facebook Pixel

As Per Google, “Advertisers using AdWords will be required to obtain consent for the use of cookies where legally required, and for the collection, sharing, and use of personal data for personalized ads for users in the EEA. This includes the use of remarketing tags and conversion tags. Where legally required, advertisers must also clearly identify each party that may collect, receive, or use end users’ personal data.”

In plain English, this means that if you’re using a Google product to track the on-site action of prospects in order to serve personalized ads down the line, you must acquire their consent to do so.

*Now this law is for EU citizens but also includes any user from other countries when travelling through Europe where these laws reside. This makes that particular organization accountable.


Definitions for the below explanations surrounding GDPR

  • A natural person – A human being.
  • Personal data – Any information related to a natural person or data subject that can be used to directly or indirectly identify the person.
  • Processing – Any operation performed on personal data, automated or manually, including collection, use and recording.
  • Profiling – Is an automated processing of personal data intended to evaluate, analyses, or predict data subject behaviour.
  • Controller – data controller. The entity that determines the purpose, conditions and means of the processing of personal data.
  • The Processer – The entity or person that processes data on behalf of the data controller
  • Supervisory Authority – A public authority which is established by a member state in accordance with article 46. Such as the information commissioner’s office (ICO) in the UK (They will talk to the Data processing officer (DPO) in your organization about fines and becoming compliant)


What you need to know about GDPR compliance

*Note: These principles exist in all EU states – The below must be stated in your privacy policy

  1. You cannot collect data for the sake of collecting data. All data collected must be used for a specific and explicit purpose (Because customers must be told what the data will be used for)
  2. Data must be accurate and maintained
  3. Data must be retained only for how long it is needed
  4. Data must be processed lawfully, transparently & fairly (This ties in with the 1st principle)
  5. Data must be processed securely and you must be able to prove this (THIS IS A MUST. You must be able to prove what data you collecting, why you collecting it, how long you will be using it and if you sharing the data with any 3rd parties and the security around this process) you must explain which system are used and the security around it
  6. Data held must be adequate. Relevant and limited to what is needed. (You can’t collect every piece of useless information, just because it might prove useful later)

Side Note:

  • Organisations is accountable and can be heavily penalized. You must adhere to the regulations including the 6 principles for compliance above.
  • Business must have a data protection officer to make sure that every aspect of your business adheres around the 6 principles and the GDPR


GDPR Fines and other sanctions

Determination of sanctions

  • Nature of infringement (did the business infringe by mistake or was it intentional)
  • The extent or how quickly the business/data protection officer (DPO) notified the Supervisory Authority about a data protection breach

Level of Fines

Lower Level

Up to 10 million Euro, 2% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringement of:

  1. Controllers and processors under articles 8,11,25-39,42,43
  2. Certification body under articles 42,43
  3. Monitoring body under article 41(4)

Higher Level

Up to 20 million Euro, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issues for infringement of:

  1. The basic principles for processing, including the condition s for consent
  2. The data subjects’ rights under articles 12-22
  3. The transfer or personal data to a recipient in a third country or an international organization.
  4. Any obligations pursuant to member state law.
  5. Any non-compliance with an order by a Supervisory Authority


The Importance of being GDPR compliant

  • Big Fines.
  • Legal Costs.
  • Costs of putting things right.
  • Loss of goodwill.
  • Loss of customer trust.


Data subject rights

  1. Portability (means the data is yours and gives you’re the right to move this data to another provider easily)
  2. Rectification (The right to rectify data that might be misleading)
  3. Erasure (The right to erase data or the right to be forgotten)
  4. Profiling & fairness (The right to look at profiling or data held. The profiling of demographic groups example their ability to afford insurance)
  5. Access (data subject access requests. Subjects must have access to the data held)
  6. Restrict Processing (Subjects must be able to restrict data or the time data is held)
  7. Object to Processing (Subjects can object to data processing)
  8. Information – Privacy (Data security and how its shared)


The data protection officer

Requirements, roles and responsibilities

Who is required to have a DPO

DPO’s are required where:

  • Processing is carried out by a public authority
  • Core activities need regular and systematic monitoring of data subjects on a large scale
  • Core activities involve large-scale processing of special categories of personal data, relating to criminal conviction and offences

Who does not need a DPO if:

  • It’s main activities seldom involve monitoring data subjects and with little infringement on those data subjects’ rights
  • It does not process category personal information
  • It is only processing the special category of personal information of a small group of data subjects.

Role and responsibilities

  • To assist data controllers and processors comply with data protection law and avoid the risks that organisations face when processing personal data
  • The DPO also acts as the person that data protection queries are directed to.
  • Gives advice about data protection impact assessments
  • Is the point of contact for the supervisory body
  • Monitors GDPR compliance
  • Informs and advises on data protection



The main role is to be played by the Member States of the European Union who will have to comply with the GDPR and ensure the rights and freedoms of individuals.

The best way to make sure that you are GDPR compliant is to stick to the 6 principles above, It is, however, important to get a lawyer involved in order to make sure you are covering all the bases of your business.

GDPR: Everything That You Need To Know

time to read: 7 min