A digital marketer’s checklist for GDPR

By Jen Neumann / Guest Column

The European Union’s General Data Protection Regulation (GDPR) is all about how companies use the personal data of those they interact with.

Everywhere we go on the internet, we leave a digital footprint. That footprint consists of our demographics, behavior, purchases and interactions, and it has become something of great value. (As the Economist says, “personal data is the world’s greatest resource.”) As is the case with anything of great value, it creates the need to protect that data from abuse – from the benign to serious breaches and malicious intent.

While GDPR is taking effect in the EU, it will also have implications for U.S. businesses – even those with no business dealings overseas. Any U.S. company with a website that markets its products or services on the internet needs to shore up its policies and procedures as they relate to consumer data collection.

What type of collected data is covered by GDPR?

GDPR covers most of what you collect from those you do business with or may potentially do business with. Data that is subject to GDPR includes:

  • Basic identity – name, address and identification numbers
  • Weblogged data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation


It’s now your job to protect EU users’ data (and everyone else’s if we’re being honest). If your data records are breached, GDPR requires that your company report any EU user’s data that has been compromised within 72 hours of the breach to the regulatory body and to users. Failure to do so will result in fines, although it is unclear at this time how those fines will be assessed to multinational companies.

Collecting information for marketing/re-marketing purposes

In order to be compliant with GDPR and potential future U.S. regulations, marketers must:

  1. Institute consumer opt-in/opt-out permission rules
  2. Maintain a record of consent to market. (One way to achieve this is through a CRM system like HubSpot, which maintains records of contacts in the activity feed.)
  3. Provide a way for consumers to request to have their personal information removed, aka “The Right to be Forgotten”


This means that the difficult, but attainable, “double opt-in” method is the best way to ensure you have the full consent of the consumer, and that you must have the processes in place for them to opt out and be removed from your system entirely. This is a good practice for email marketing anywhere.

In a double opt-in, the user may choose to opt in to communications via your website, and subsequently gets an email that asks them to confirm their consent. In the U.S., you will be best served by a confirmation email that allows users to either confirm that they are opting in, or at minimum, allows them to opt out or request that their information be deleted.

Targeted digital marketing efforts

If your company, in the scope of marketing activities, targets a user in the EU, that data is now subject to GDPR. Normal, everyday marketing (non-targeted) such as SEO is not considered subject to the regulations. If a consumer in the EU searches the internet for a product or service and is served up your company’s website, in your country of origin’s language, then it is not subject to GDPR. However, if you offer a version of the site in the searcher’s language and/or your site references EU clients and customers, then the page is subject to GDPR, as it is considered a targeted effort.

If a U.S. company is planning to launch campaigns in an EU country (let’s say Germany), and plans to collect the email address or data of visitors, then certain rules must be met. Users must acknowledge that they know and understand what the company will do with their data (see “Collecting information”).

How long can data be stored?

The regulation states that data records should be kept for no longer than is needed for the purposes for which the data has been processed. How do you determine how long that is? While the regulation is somewhat vague, it is best to determine what your data retention policy is and establish that timeframe within your privacy policy.

You must also determine how you will provide data records to a user if they are requested. While this article pertains mostly to marketing, this can apply to other types of data, such as employees, clients or contractors.

How far should you go if you are not doing business in the EU?

A lot of GDPR is solid security protocol. You should have a secure site that keeps your contacts’ records safe. You should use permission-based communications processes. You should also protect your company from exposure and risk by implementing GDPR stipulations for any EU users. While it’s unknown at this point how aggressively the regulations will be carried out, examining your data, setting policies and procedures, and ensuring the data you collect is collected and treated in a manner compliant with the spirit of GDPR should be a priority.

This column, and its related checklist, originally appeared on the de Novo Marketing blog at blog.thinkdenovo.com.

Jen Neumann is a partner with de Novo Marketing in Cedar Rapids.