Brands need to do things differently now to grow sustainably. Privacy regulations, business requirements from important partners, and savvy customers all demand respect for data and privacy. Privacy-Led Marketing is built on informed consent, legal compliance, and welcoming users’ preferences. Shape your digital strategy, protect your business, and make your customers happier. Read on to learn how.
Resources / Guides / Privacy-Led Marketing
Published by Usercentrics
15 mins to read
Sep 1, 2024

Learn about the GDPR and marketing in 2025

Quality data is invaluable for creating and delivering effective marketing strategies. But access to this vital information comes with a responsibility to obtain and handle it ethically and legally by complying with the General Data Protection Regulation (GDPR) in your marketing operations. 

Compliant data collection and handling are essential for building customer trust and engagement and protecting your brand reputation, as well as meeting regulatory requirements.

What does the GDPR mean for the marketing department?

GDPR compliance is more than a legal obligation for businesses that process customer data in the European Union. It’s also crucial for building trust with website visitors, app users, and customers. Complying with the GDPR in marketing can increase your sales, and it involves all members of your marketing team and a shift in how marketers think about data and customer relationships.

“The GDPR coming into force required a shift — which is ongoing — in data acquisition strategy, how customer experience is approached, how data is allowed to flow through the marketing ecosystem, and so many other elements of marketing operations.”
— CMO of Usercentrics

Marketers must handle data correctly

The GDPR outlines key principles for handling personal data. To navigate the GDPR for marketers, team members must understand how to apply these principles. 

  • Data must be processed lawfully, fairly, and transparently, which means that marketers must select and communicate a clear and valid legal basis for processing data, in addition to what data is processed, for what purposes, and other required information. This means that consent is required in many cases as the applicable legal basis.
  • The principle of purpose limitation helps ensure that data can only be collected for a specific, explicit, and legitimate purpose. If the purpose changes, marketers need to obtain new consent. 
  • Compliant data handling involves data minimization. Businesses should only collect as much information as is necessary for the specific, explicit purposes stated in the business’s privacy notices and policies and should share it with as few entities as are needed to complete processing. 
  • Storage limitation ensures personal data is only retained (securely) for as long as is necessary, then deleted or anonymized. 
  • Accuracy requires marketers to keep all personal data accurate and up to date. Data subjects have the right to access their data to check it, and to rectification.
  • Integrity and confidentiality means that your business must process data to ensure appropriate security, including contractual agreements with third parties that will access the data to ensure data protection and privacy standards. 
  • Accountability means that businesses must be able to demonstrate compliance and accept ultimate responsibility, including for the data processing of third parties they engage.
  • Once collected, data must be handled to prioritize consumer privacy and data security. This includes ensuring data is processed and stored to mitigate threats like unauthorized access, loss, destruction, and damage.
  • Marketers need to clearly explain their business’s data handling practices to clients at the point of collection and outline the various measures in place to protect this information. This is typically included in the privacy policy and needs to be easily accessible.

Ensure readiness for data subject requests

The GDPR empowers individuals with the right to access their personal data at any time (“right of access”) with reasonable frequency. Customers can exercise it by submitting a data subject access request (DSAR). 

Companies are required to provide an easily accessible means to submit DSARs and verify identity. From this, marketers are obligated to provide a copy of all the personal data they hold about that person (which would include consent history). 

Marketing departments must be fully equipped to promptly and accurately respond to these applications, with systems that enable them to efficiently retrieve, review, rectify, or delete users’ data. For companies without automated solutions to manage DSARs, this could create a heavy resource burden, especially if user data is stored and managed in various systems by various teams around the company.

If your marketing operations rely on consent as the legal basis for processing personal data, it is crucial to understand and implement valid consent management. 

For data subjects to be able to give free, specific, and informed consent, they must be made fully aware of what they’re agreeing to, that they have control over what they share, and that they can easily withdraw their consent at any time. Their consent must also be demonstrated by a clear, affirmative action, like ticking a box or clicking a button on a consent banner.

Clarity is equally important. Marketing teams must use plain language to explain the types and uses of data they’re collecting to ensure that data subjects are able to easily understand the potential outcomes of their agreement. 

For example, marketers need to be clear about what people are consenting to when participating in different activities such as entering a competition, subscribing to a newsletter, or the use of cookies on a website.

“The GDPR and other regulations require companies to make sure users clearly understand why their data is being requested, how it will be used, and what their rights are. This is critical to building trust so that users freely consent and engage with companies,” explains Peltea. 

Many successful marketing strategies use Google as a third party. Google Consent Mode is vital to ensure your campaigns using Google follow their amended EU user consent policy in the EU/EEA, UK, and Switzerland. 

Google now requires companies using their services to implement a certified consent management platform (CMP) that is integrated with Consent Mode to obtain, document, and signal consent. The Usercentrics CMP has Google Consent Mode integrated and enabled by default. 

Enable compliance with the right to be forgotten

The GDPR protects the “right to be forgotten.” This gives people the power to request that their personal data be deleted in certain circumstances.

Marketers must provide data subjects with a clear, straightforward process for making a deletion request and must act to erase the requestor’s data within one month of the application. Here, it’s essential to provide a user-friendly interface on your website and other marketing platforms where users can easily submit data erasure requests.

Automating this process is key for reducing human error when locating and removing data from your and any third-party records, while also ensuring that you have a clear trail to verify that you’ve honored an individual’s right to be forgotten in the event of any disputes or audits.

Not complying with a valid erasure request can result in complaints to data protection authorities, investigations, and penalties for the business.

What happens if you don’t comply with the GDPR?

Noncompliance with the GDPR can lead to major financial losses. The maximum fine for GDPR violations is the greater of 4 percent of annual global turnover or EUR 20 million. The financial damage may not be a one-time penalty, either. 

The loss of trust can lead to customers taking their business elsewhere, and the loss of brand reputation can scare away potential partners and investors, making noncompliance financially painful and dangerous to the business’s sustainability.

Regulatory authorities in the EU can also impose restrictions on your business’s data processing activities or require deletion of existing data, which can significantly impact your marketing efforts.

“GDPR noncompliance is a significant risk for all companies doing business in the EU. Marketing is the first department one thinks of for GDPR compliance because a lot of personal data is collected for their activities. News headlines are almost always about fines for huge tech platforms, but any noncompliant company is at risk, and penalties have a greater impact on smaller companies, which is something marketers never want to face,” says Peltea.

“Increasingly, though, the platforms that many companies rely on for advertising, data, audience access, and more are requiring proof of consent that’s in line with GDPR requirements. The noncompliance risk to day-to-day marketing functions, like personalization and retargeting in advertising, can create a much bigger sense of urgency regarding privacy compliance when it could immediately affect revenue and operational stability.”

Examples of companies that have violated GDPR compliance

Since the GDPR came into force in 2018, more than 2,000 fines have been levied for noncompliance. 

While news headlines usually focus on the penalties levied on big tech companies, entities of all sizes can be penalized for failing to meet the regulation’s requirements. 

Here are some examples of smaller businesses that have incurred GDPR fines.

CompanyFine amountGDPR offenseDescription
Tuckers SolicitorsEUR 115,000Insufficient technical and organizational measures to ensure information security.Following a ransomware attack on Tucker Solicitors’ systems, which was possible due to flaws in their digital security system, 972,191 files containing personal and special category data were compromised and released in underground marketplaces.
VintedEUR 2,385,276Insufficient fulfillment of data subjects’ rights.The Lithuanian State Data Protection Inspectorate fined this online secondhand clothing exchange platform for failing to honor users’ data access and erasure requests.
ChatWith.ioEUR 12,000Noncompliance with general data processing principles.Users were served data privacy notices when using the ChatWith.io platform, but regardless of whether they consented or denied consent to the collection of their data, the platform gathered, processed and stored their information.

Who is responsible for GDPR compliance in marketing?

“GDPR compliance is a company-wide responsibility, but focusing on marketing, the front-line responsibility is on those that are directly involved in collecting or using data. In very small companies all of marketing could be a single person, or it could be spread out among data analysts, email marketers, PPC specialists, and others.”
— CMO of Usercentrics

Responsibility for GDPR compliance depends on size, nature, and structure of your business, but there are specific obligations regarding marketing and GDPR. A GDPR checklist can help ensure specific teams and team members meet the requirements.

Let’s look at some of these roles.

Stakeholders

Although they may not be involved in the day-to-day execution of marketing actions, stakeholders like executives, managers, and team leaders are pivotal for facilitating GDPR compliance. They must foster a culture of compliance, champion ongoing training and privacy compliance best practices among their direct reports, and ensure that marketing strategies and processes are designed with data protection and privacy in mind. 

To enable marketing teams to adhere to the GDPR, these stakeholders must:

  1. educate and train on the latest compliance regulations and policies and data privacy standards
  2. implement privacy by design right from the planning phase of any marketing activity and built into web properties used for marketing
  3. regularly review data handling procedures and stored data and making updates, including deleting data that’s no longer needed
  4. manage risks from third parties and vendors to ensure their GDPR compliance, including contractual agreements that make standards and requirements clear

Data Protection Officers (DPO)

A dedicated DPO is responsible for ensuring personal data is processed in line with the GDPR, maintaining company standards and education, and is legally required in some organizations and business operations. The role can be internal or external. The appointment of a DPO signals commitment to practicing Privacy-Led Marketing, which helps build trust with customers and partners.

The DPO’s role includes:

  • creating robust data privacy and protection standards and policies with regular reviews
  • ensuring prompt and secure handling of data subjects’ requests
  • reviewing the organization’s ongoing compliance with the GDPR and any other relevant regulations, frameworks, or policies
  • maintaining compliant and detailed records of data processing activities
  • reporting any data breaches to the relevant authority and notifying affected data subjects as quickly as possible
  • educate and training staff on an ongoing basis about GDPR compliance and data protection practices

A robust consent management solution like Usercentrics CMP can empower DPOs to enhance GDPR compliance. It enables collaboration among teams to run marketing activities and activate data in a compliant way that integrates with the tech stack and marketing ecosystem. 

It also streamlines the collection, documentation, and storage of user consents to meet compliance requirements and enables streamlined responses to DSARs and data protection authority inquiries.

Email marketing managers

Email marketing managers must ensure email marketing campaigns in the EU comply with the GDPR. They should:

  • obtain and record explicit consent from all email recipients before sending communications (considering double opt-in)
  • provide easy opt-out options in every email, and ensure data collection and communications stop when people unsubscribe
  • review and clean email lists, ensuring up to date data for opted-in contacts and renewing consent for communications when necessary
  • add clear privacy notices or links to privacy resources to emails explaining how recipients’ data is used and stored

Marketing automation specialists

Marketing automation specialists manage the tools and software that automate marketing processes. To achieve and maintain GDPR compliance, they need to:

  • set up marketing automation platforms to ensure that all data is collected with consent where required, and handled in a GDPR-compliant manner
  • ensure the opt-out process is straightforward and data processing is stopped ASAP
  • regularly review and audit marketing automation tools to verify GDPR compliance, including reviewing who has access to the systems and data and limiting access as needed
  • manage data retention and deletion protocols for personal data

Developers

Developers should be responsible for implementing technical measures that safeguard user data and implement GDPR standards and ensure they:

  • set up data collection forms so consent is obtained before any data collection, and clearly state what data is collected and what it will be used for, as well as ensuring that consents acquired are active and explicit
  • verify that all website plugins that process personal data are compliant with the GDPR, and review regularly as web technologies changes (both those deployed by the company and those from third parties)
  • implement robust security measures — technical, physical, and administrative — to protect the website and data storage from data breaches or other violations
  • configure the content management system (CMS) to handle personal data securely and limit collection

Additionally, developers must properly integrate Google Analytics and GDPR compliance into websites and supply timely notifications that inform people about the collection of their data.

Graphic designers

Graphic designers should ensure any data they use to produce designs — like photographs, customer profile information, or other types used to create graphs — is handled in line with the GDPR, such as ensuring they: 

  • implement secure methods for storing and accessing (e.g. encryption and access controls) personal data used in designs
  • incorporate privacy considerations into the design process, so that personal data is used ethically and legally
  • set up integrations for cloud-based apps that allow data to be used without downloading
  • update software and audit tools to ensure ongoing GDPR compliance
  • do not use real people’s, customers’, or companies’ identities or information in graphics, videos, etc. without explicit consent

Copywriters

Copywriters are responsible for crafting compelling text that guides potential customers down the marketing funnel towards conversion. To produce GDPR-compliant text, copywriters must:

  • ensure explicit content is received for any people’s, customers’, or companies’ data used in public content
  • adhere to data classification guidelines to prevent internal data being used in public-facing content
  • prevent external contractors gaining unauthorized access to sensitive or extensive data within the CMS and limit their own access to the minimum needed

Public Relations (PR)

Due to the nature of their roles, PR professionals have very specific duties in relation to the GDPR. They must:

  • collect, maintain, and accurately record explicit consent given by individuals for using their personal data in communications
  • develop and implement a compliant response plan for potential data breaches, including timely communication strategies that comply with GDPR notification requirements
  • maintain a trustworthy brand, including being responsive to customer requests or complaints, since GDPR compliance is so important for building consumer trust

Events managers

Events managers must maintain GDPR compliance in all aspects of event planning, ensuring data collection is both lawful and transparent. They must:

  • limit data collection to only what is necessary for the specific purposes of the event, and ensuring it’s collected with consent where needed
  • write and display terms and conditions that clearly outline how event attendees’ data will be used, stored, and protected
  • ensure all third-party apps and services used are compliant with the GDPR
  • collect and maintain consent and practice responsible data collection and protection with vendors and event attendees
  • remove data post-event if a contact requests to unsubscribe or otherwise not be contacted

GDPR responsibilities for marketing teams

A meticulous approach to complying with the GDPR at every stage of their activities will help ensure marketing teams sustainably grow marketing operations, minimize the risk of fines, and build trust with customers.

Data consent rules

The GDPR requires marketing teams to obtain explicit consent from data subjects before collecting or using their personal information when the legal basis for their data processing is consent, which it will be for many companies’ operations. This consent must be freely given, specific, informed, and unambiguous. The purpose for data collection should be clearly explained and individuals must have the option to withdraw their consent at any time as easily as they initially gave it.

Data processing rules

Marketers must ensure that data handling is lawful, fair, and transparent. Data should only be collected for specified, explicit, and legitimate purposes. 

Teams also need to implement appropriate security measures to limit access to data and protect it against unauthorized or unlawful processing as well as accidental loss, destruction, or damage.

Data retention rules

Personal data shouldn’t be kept for longer than is necessary for the purposes for which it is processed. Marketing teams need to establish clear policies and timelines for how different types of data are held and ensure these are adhered to.

Data transfer rules

If personal data is transferred to third parties or across borders, marketers must provide an adequate level of data protection. This may involve verifying that international transfers are made to countries that offer data protection equal to the GDPR or are covered by appropriate safeguards like standard contractual clauses or binding corporate rules.

Data deletion rules

Marketing teams must ensure personal data is securely deleted when it is no longer needed for the purposes for which it was collected or when individuals exercise their right to be forgotten. Anonymization is sometimes a viable alternative to deletion.

Tips for GDPR compliance in marketing

Marketing teams are expected to apply practices that enable advertising, communications, and other activities, to achieve and maintain privacy compliance while building trust with their audiences. 

Limit data collection: Only collect data that is necessary for your specified purposes, which minimizes liability, raises fewer questions or concerns from data subjects, and simplifies compliance efforts.

Respect data subject rights: Ensure that data subjects are able to easily access, correct, and delete their data, or object to certain processing activities.

Enable granular preference management: Leverage zero-party data — data that customers intentionally share — to offer personalized marketing experiences that respect user preferences, deliver what customers actually want, and demonstrate that customers are in control. This can lead to a better customer experience, higher engagement, and ultimately, better lifetime value. 

Create transparency: Be transparent about how data is collected and used, how long it will be retained, and what data subjects’ rights are.

Double opt-ins: Implement double opt-ins where possible to ensure individuals explicitly confirm their willingness to receive marketing communications. This extra step can significantly reduce the risk of spam complaints and noncompliance issues.

Simplify the opt-out process: Make it easy for users to change or withdraw consent for data processing or opt out of communications. An easy and accessible opt-out process is a critical component of GDPR compliance and respects the customer’s right to privacy.

Protect customer data: Implement robust security measures and regular training to protect personal data from unauthorized access, loss, or destruction, which is critical to maintaining customer trust.

Keep detailed records: Meticulously document and manage consent over time, including how and when consent was given, what exactly was consented to, and when and how consent was withdrawn.

Stay up to date: Regularly develop and update policies and data practices as your marketing strategies and technologies evolve.Use a CMP: Simplify GDPR compliance to manage user consents across different channels and platforms, and keep up to date with regulatory changes.

How Usercentrics supports GDPR compliance for Privacy-Led Marketing

Usercentrics CMP simplifies GDPR data collection and management processes. It helps enable businesses to meet the outcomes of even the most in-depth GDPR implementation guide

By centralizing consent management and putting customers in control, you can build a Privacy-Led and growth-centric marketing strategy that enhances customer trust and keeps you compliant with the latest data protection standards.

Usercentrics CMP integrates with popular marketing tools to coordinate consent management across digital platforms. Learn how Usercentrics assisted SAG Digital with their GDPR compliance.

Use Usercentrics to streamline the process of obtaining, recording, and signaling consent while also giving your customers control over their data. Establish a Privacy-Led Marketing strategy that meets the GDPR’s standards and builds deeper trust with your customers for long-term relationships.