Econsultancy’s latest research shows that over half (59%) of client-side marketers still feel unclear about what does and does not constitute compliance with the GDPR.

These findings are based on a survey conducted in January 2018 amongst over 1,000 marketers in the UK.

In this post, I discuss some of the common questions and myths circulating about the GDPR discovered in the research.

gdpr report banner

1. Obtaining consent

When marketers were asked about their top three priorities ahead of the legislation’s enforcement, 86% of client-side marketers and 77% of agency-side respondents indicated that they are prioritising a review of consent mechanisms for collecting and processing data.

Econsultancy GDPR survey - top three priorities ahead of May

The compliance conversation among marketers has been heavily centred on the notion of obtaining consent but there are, in actual fact, six legal grounds for processing personal data under the GDPR. In addition to consent – legitimate interests, public interest, contractual necessity, legal obligations and vital interests represent other legal grounds.

RedEye Compliance Director Tim Roe notes the confusion and hype around consent:

“For marketers, there’s a lot of confusion out there, which is stopping them from moving forward. On one side, they know that consent is not always a viable proposition but on the other side, they are being told by compliance people and they are being told by lots of consultants that they need consent…And people are creating less than ideal situations because they can’t comply in that way”. 

“The regulation was constructed in such a way that allows marketers to use legitimate interests for the majority of their data processing. All of the exciting stuff that we do, all the segmentation, the targeting and the profiling…all of that, in most cases, can be used under legitimate interests. That’s the major thing for marketers to realise”.

2. Appointing a Data Protection Officer

While over half (59%) of client-side respondents and 40% of agency respondents say that their organisations have either appointed or are planning to appoint a Data Protection Officer, it is not mandatory to do so unless in certain circumstances such as:

  • Where the processing of personal data is done by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity 
  • Large scale regular monitoring 
  • Large scale special data categories e.g. health records, criminal offences, mortgage applications

Econsultancy GDPR survey - appointing a DPO

3. The GDPR and Brexit

It is a misconception that Brexit will mean that the GDPR will not have any impact in the UK. The UK will still be a part of the EU when the GDPR is introduced in May 2018 and will remain an EU member state for several months after that. The position for the UK after that is less clear and will depend on negotiations but the UK has already proposed a Data Protection Bill, which intends to modernise data protection laws in the region.

Irrespective of Brexit, if British businesses want to do business in Europe and need to process the personal data of EU citizens, they will need to comply with the GDPR. The regulation has international implications as it concerns any organisation storing or processing EU personal data, regardless of where the organisation is located.

4. The May ‘deadline’

With the enforcement date looming, many businesses are understandably concerned with being ready and prepared in time for 25th May.

Richard Merrygold, Group Data Protection Officer at HomeServe, says that the 25th May is only the start of your compliance journey:

“This isn’t about the 25 May. It’s not a deadline. It’s not a hard stop. The 25th May is the beginning. If you do this properly and you approach it in the right way, this is a genuinely beneficial activity that can improve your organisation, improve your customer relationships. But you have to prepare to embrace a cultural change. I think in the short term it might be a little bit painful but in the long term, there will be some real customer benefits.”

Compliance with the GDPR needs to be built into the culture of a company, and not just to an individual department or contract with an agency. Marketers therefore need to think about integrating their strategies with the efforts of other parts of a business and plan and execute in a holistic way. In this way, transitioning to a post-GDPR world will require compliance that is both ongoing and iterative.

online gdpr course 

Donna-Marie Bohan

Published 20 March, 2018 by Donna-Marie Bohan @ Econsultancy

Donna-Marie is a Research Manager at Econsultancy. You can follow her on LinkedIn:

5 more posts from this author

You might be interested in

Comments (2)

Aurelie Pols

Aurelie Pols, Co-founder & CVO at Mind Your Privacy

Your last paragraph goes against what the ICO says and is a totally wrong interpretation of the last phrase of recital 47.

Quoting Elizabeth Denham's keynote speech, at the DMA’s Data Protection 2018 event on February 23rd in London:
"Until the e-privacy regulation comes into force, PECR will sit along side the GDPR (that the UK’s transposition of the current ePrivacy Directive)
That means electronic marketing will require consent. Yes, there is potential to use legitimate interests as a legal basis for processing in some circumstances, but you must be confident that you can rely on it.
It seems to me that a lot of energy and effort is being spent on trying to find a way to avoid consent. That energy and effort would be much better spent establishing informed, active, unambiguous consent.
You say you will lose customers. I say you will have better engagement with them and be better able to direct more targeted marketing to them. You will have complete confidence that your customers have given informed consent."


5 months ago

Ben Davis

Ben Davis, Editor at EconsultancyStaff

Hi Aurelie. If you speak to Tim Roe, who Donna quotes, he is definitely clear about the fact that marketers need consent under the PECR to send electronic comms. No more sneaky getting around consent, for the reasons you state. It's other forms of processing that Donna is referring to, and I do think it's right to recognise that though consent is a natural focus (because it's beefed up by the GDPR), some marketers are perhaps a little confused and think consent is needed for everything.

I'm with you though, and it's really encouraging to see so many marketers refreshing marketing consent where they feel they are on shaky ground and haven't made data subjects fully aware of what they have consented to.

5 months ago

Save or Cancel

Enjoying this article?

Get more just like this, delivered to your inbox.

Keep up to date with the latest analysis, inspiration and learning from the Econsultancy blog with our free Digital Pulse newsletter. You will receive a hand-picked digest of the latest and greatest articles, as well as snippets of new market data, best practice guides and trends research.