GDPR Advertising Checklist

It just became more challenging to market or sell to prospective international customers.

GDPR - How To Market

That’s because the European Commission’s General Data Protection Regulation (GDPR) came into effect, heaping onerous new data-management regulations on organizations of all sizes, from multinationals to SMEs—and everyone in between. Think of it as Canada’s Anti-Spam Legislation on steroids (or maybe crack, depending on your interpretation). The legislation is complex, burdensome and compliance is relatively difficult.

In other words, it’s a technocrat’s fantasy. Imagine a cadre of Europeans huddling in Brussels for months to determine how best to gum up the marketing machinations of otherwise successful organizations. This is the legislation they would (and apparently did) produce.

Many US and Canadian SME owners may have shrugged when they heard the news that GDPR was a thing, and that it would soon be put into effect. ‘Who cares?’ they thought, reasoning that because they only sell their products or services domestically, they’d escape the GDPR’s reach. Not so fast.

The new law applies to any organization that processes data in the European Union, or that offers paid or free goods or services or monitors the behavior of individuals within the EU. There are exceptions if “processing personal data isn’t a core part of your business and your activity doesn’t create risks for individuals,” but the net cast by GDPR is wide. In fact, it basically covers the entire Internet and can ensnare unsuspecting businesses by default.

GDPR - Exceptions for personal data

Why? Let’s say you’re a Canadian company that doesn’t do business in the EU, but receives website traffic from overseas. If a French national simply visits your website, surfs around and leaves, you’re in the clear. But if someone from the EU enters their personal information to download a report from your website, as an example, you’re now deemed in control of their personal data under European law.

Your organization would then fall under the purview of GDPR. With that fun bit of news out of the way, here’s what that all means, according to the bureaucrats in Brussels:

  • “Personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data you’re processing (‘lawfulness, fairness and transparency’).
  • You must have specific purposes for processing the data and you must indicate those purposes to individuals when collecting their personal data. You can’t simply collect personal data for undefined purposes (‘purpose limitation’).
  • You must collect and process only the personal data that is necessary to fulfil that purpose (‘data minimization’).
  • You must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it’s processed, and correct it if not (‘accuracy’).
  • You can’t further use the personal data for other purposes that aren’t compatible with the original purpose of collection.
  • You must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected (‘storage limitation’).
  • You must install appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology (‘integrity and confidentiality’).”

That last point is the kicker. If it doesn’t already—and if there’s even a remote chance that GDPR could apply in your case—your organization must have data usage policies and procedures in place. Once those rules are implemented, it’s especially important to communicate them to the individual(s) in your marketing and sales departments, or the outsourced provider that handles marketing on your behalf. Odds are these team members will be the ones handling client or visitor data most often, so they need to be aware of their data-management responsibilities.

Also, be sure to double check your online search engine marketing targeting and retargeting initiatives to make sure you exclude any EU countries. That way if you have an email address in your database from past search marketing efforts, or if someone gets targeted in a ‘lookalike’ audience—individuals whose demographic profile is similar to your core target audience—the platform should block them from seeing your ad, thus reducing your risk.

GDPR and Retargeting

GDPR rules and regulations are far more detailed and complex than what I’ve outlined here, so if you enjoy being lulled into a coma, read the full legislative overview on the European Commission website ( It’s unfortunately worth taking the time to read: penalties for non-compliance can range from a stern warning to a ban on data processing in the EU (not sure how this could be enforced) to a fine of up to €20 million or “4 per cent of the business’s total annual worldwide turnover.” Ouch.

The most important takeaway is that no legislation should hinder your organization from marketing to its core audience—we survived CASL, after all. Compliance is never impossible, but you will need to make adjustments to satisfy the EU’s new regulations.

It’s wise to be proactive by adding a GDPR compliance page on your website outlining your company’s approach to data management and transparency. Explicitly inform website visitors of what you plan to do with their data and only use information you collect for the purposes you’ve outlined—or at least in cases where that data has derived from the EU. Then give your staff a primer on the GDPR’s key points and outline their data-protection responsibilities. It could be worth spot-checking their marketing efforts to ensure compliance.

The new reality is that you need to be more mindful of your organization’s digital marketing practices and only use tactics that are compliant or can be reasonably deemed not to be exploiting the online data and privacy of Europeans. Brussels is now watching.

GDPR and Digital Marketing Best Practices