Marketing, CRM & GDPR – The Perfect Storm

Ian Moyse, Sales Director Natterbox, Non Exec – Assuredata

In a recent survey 92.3% of respondents said they maintain databases to host information on customers or prospects (Source: Global Alliance of Data-Driven Marketing Associations (GDMA) and Winterberry Group). With this in mind GDPR is going to be a huge data nightmare and, as you will read below, may lead to drastic steps!

Getting data right in CRM has always been a challenge and an ongoing investment. Getting it right now is going to be a compliance need. The GDPR (General Data Protection Regulation), coming into enforcement in May 2018, has significant and far-reaching implications for marketers and those responsible for CRM data.

GDPR affects any organisation that collects and/or processes personally identifiable data of any EU citizen. The UK’s Brexit will not exempt UK businesses as GDPR is already agreed and in place ready for enforcement in the UK.

Given that any company with a CRM is using it for prospect and customer data, and to record information on and communications with real identifiable people, this falls firmly into scope. Compounding this is that most CRMs are used to feed marketing tools such as MailChimp, Dotmailer, Marketo, Eloqua and the like, pushing data out of the CRM into a marketing automation workflow.

Today data often goes into the CRM from a sales rep, who then ticks a box to say add them to our mailing list, or by default, based on some rules, that contact is automatically added to a marketing nurture list and pushed across into the mailing tool used! Consent to mail that contact may have been given (by email or verbally) or may not have been asked for at all. Under GDPR this will be non-compliant and could leave you in a bad place if this is a widespread process for your business and not an isolated error.


A recent DMA survey found that 70% of marketers were most concerned about how GDPR would affect marketing consent, and more concerning still is that only 54% of businesses surveyed by the Direct Marketing Association (DMA) expect to be compliant by the deadline.

Marketing and its approaches have to be reviewed, and quickly, to ensure data, processes and activities leave you in compliance, or close enough to it not to be at risk from complaints and fines.

Under GDPR there are some key areas marketing must address and get right:

  • Opt-in consent
  • Rights to use data, and for what purposes
  • Length of time data can be kept
  • Right to be forgotten


Traditionally marketeers have had an opt-in tick box on a web form, for example, it being a catch-all option (i.e. we and our partners can mail you about anything), and often this was pre-ticked, the default being that you are opted in unless you untick.

Data collected through this method, or any other, an organisation took as its own to use and act upon for as long as it chose, meaning people were often still getting content years after having first ‘opted in’, if they indeed truly did so!

And finally we have all experienced the world of trying to remove yourself from a mailing list, only to keep hearing from them again and again afterwards. This has improved in the past few years, with most reputable firms providing clear opt-out/unsubscribe options.

Now for the changes! Firstly, GDPR mandates that consent must be ‘freely given, specific, informed, and unambiguous’. You will no longer be able to have a pre-ticked box or opt people in based on inactivity. You need to gain consent and store that proof clearly; if getting consent over the phone, start thinking about how you will record calls and link those to the CRM record of the customer to allow easy retrieval if needed! You must also specify clearly what the scope of use will be, i.e. if you will pass data to partners, which partners. Individual companies must be named when requesting consent for third-party marketing.

You need to have a reasonable legal basis for processing personal data, which should remove the collecting of data for unnecessary or frivolous reasons and remove the random badge scans at shows that we have all experienced. You also do not have carte blanche to use the data for anything at will. The data you hold is on loan from the citizen whose information it represents (and they can revoke the loan at any point).


You cannot hold that data for ever, only for a reasonable time deemed necessary to serve the purpose that was given. So expect to see re-subscribe checks asking whether you still want to receive this newsletter, with affirmative action required to stay opted in!

Oh, and don’t think about using negative enticement to keep them subscribed: stopping access to a service if a user withdraws or withholds consent will not be allowed!

Much of this led to the recently publicised and unprecedented announcement of a major brand deleting its marketing database rather than trying to clean it!


Following all this you have the right to be forgotten, an important one and not necessarily easy to deal with. This gives the data owner (the citizen) the right to contact a business and enquire, for free, what data it is holding on them and, if they wish, to request that it is all deleted, i.e. that the business forgets that citizen’s information in whole. There are caveats and exceptions. For example, you can apply for and be granted dispensation for special data where there is a legitimate reason to retain it, and refuse the request (for example criminal records, medical records etc.). Also, you will need to keep something on the individual to record that they are unsubscribed and not to be marketed to.

For many, however, this alone may prove a challenge. Firstly you need to provide an easy method whereby the citizen can make the request and supply the information you require to identify and help them. You then need the capability to search all data you hold, in all systems and backups, to identify whether you have data on them and whether it falls within scope for removal (i.e. is not specially carved out). And then finally you need to ‘truly’ perform the removal and confirm to the citizen that it is completed. In organisations I have spoken to this has been identified as difficult in itself for a single request; let alone once this is law and citizens become widely aware of their data rights, imagine 200 such requests in a month for a large firm. Will we see more doing the same as Wetherspoons and drawing the line, taking their traditional marketing to social, where interactions are expected and easier to justify because the nature of the platform drives users to opt in, for example by following your Facebook page?
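The consent and erasure handling described above, as an added example that is not part of the original post or any named product: a small in-memory consent ledger that refuses pre-ticked or unevidenced consent, requires third parties to be named, treats consent as expiring after an assumed re-consent window (GDPR sets no fixed number of days; the two-year value here is a placeholder), and on erasure deletes the contact while keeping only a hashed suppression entry so the person is not marketed to again. All contact names, email addresses and evidence references are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple
import hashlib

# Assumed re-consent window; the regulation itself fixes no number of days.
RECONSENT_WINDOW = timedelta(days=2 * 365)


@dataclass
class ConsentRecord:
    purpose: str                       # e.g. "newsletter"
    third_parties: Tuple[str, ...]     # partners that may receive the data, each named
    given_at: datetime
    source: str                        # e.g. "web_form" or "phone_call"
    evidence_ref: str                  # hypothetical pointer to a form submission or call recording
    withdrawn_at: Optional[datetime] = None


@dataclass
class Contact:
    name: str
    email: str
    consents: List[ConsentRecord] = field(default_factory=list)


def suppression_key(email: str) -> str:
    """Hash the normalised address so the suppression list holds no readable personal data."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self.contacts: Dict[str, Contact] = {}
        self.suppressed: Set[str] = set()

    def record_consent(self, name: str, email: str, purpose: str, third_parties: Tuple[str, ...],
                       source: str, evidence_ref: str, explicit: bool, given_at: datetime) -> ConsentRecord:
        # Consent must be an affirmative action: a pre-ticked box or inactivity is rejected.
        if not explicit:
            raise ValueError("consent must be given by an affirmative action, not by default")
        if not evidence_ref:
            raise ValueError("proof of consent (form id, call recording) must be stored")
        if any(not p.strip() for p in third_parties):
            raise ValueError("every third party must be named individually")
        key = email.strip().lower()
        # A fresh, explicit opt-in lifts an earlier suppression; nothing else does.
        self.suppressed.discard(suppression_key(key))
        contact = self.contacts.setdefault(key, Contact(name=name, email=key))
        record = ConsentRecord(purpose, tuple(third_parties), given_at, source, evidence_ref)
        contact.consents.append(record)
        return record

    def may_contact(self, email: str, purpose: str, now: datetime) -> bool:
        """True only if a live, unexpired consent for this purpose exists and the address is not suppressed."""
        key = email.strip().lower()
        if suppression_key(key) in self.suppressed:
            return False
        contact = self.contacts.get(key)
        if contact is None:
            return False
        return any(c.purpose == purpose and c.withdrawn_at is None and now - c.given_at <= RECONSENT_WINDOW
                   for c in contact.consents)

    def withdraw(self, email: str, purpose: str, now: datetime) -> int:
        """Withdraw consent for one purpose; returns how many records were closed."""
        contact = self.contacts.get(email.strip().lower())
        if contact is None:
            return 0
        closed = 0
        for c in contact.consents:
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = now
                closed += 1
        return closed

    def subject_access(self, email: str) -> Optional[Contact]:
        """What we hold on the person, for a 'what data do you have on me' request."""
        return self.contacts.get(email.strip().lower())

    def erase(self, email: str) -> bool:
        """Right to be forgotten: delete the contact, keep only a hashed suppression entry."""
        key = email.strip().lower()
        existed = self.contacts.pop(key, None) is not None
        self.suppressed.add(suppression_key(key))
        return existed


def demo() -> dict:
    """Walk one constructed contact through opt-in, mailing check, withdrawal and erasure."""
    ledger = ConsentLedger()
    given = datetime(2018, 1, 10, tzinfo=timezone.utc)
    now = datetime(2018, 6, 1, tzinfo=timezone.utc)
    ledger.record_consent("Sample Person", "sample.person@example.com", "newsletter",
                          ("Partner One Ltd",), "web_form", "form-0001", True, given)
    out = {"after_optin": ledger.may_contact("Sample.Person@example.com", "newsletter", now)}
    out["other_purpose"] = ledger.may_contact("sample.person@example.com", "partner_offers", now)
    out["expired"] = ledger.may_contact("sample.person@example.com", "newsletter", now + timedelta(days=800))
    ledger.withdraw("sample.person@example.com", "newsletter", now)
    out["after_withdraw"] = ledger.may_contact("sample.person@example.com", "newsletter", now)
    out["erased"] = ledger.erase("sample.person@example.com")
    out["held_after_erase"] = ledger.subject_access("sample.person@example.com") is None
    out["suppressed"] = suppression_key("sample.person@example.com") in ledger.suppressed
    return out
```

The point of the hashed suppression set is the tension the post notes: the person must be forgotten, yet you must remember not to market to them. Keeping only a salted or plain hash of the normalised address records the "do not contact" fact without retaining the personal data itself; a real deployment would also have to apply the same erasure to every downstream mailing tool and backup.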

The level of detail needing to be considered is also underestimated. Backups have to be considered, and what about cookies? You prompt for consent when first storing data on an individual, but they are going to need an easy way to withdraw their consent to be cookie-tracked and to have past stored data removed. Who does that today!?


So for a marketer there is a job ahead. Firstly, to comply with the legislation you need to understand it. Marketers need to be set up to react quickly and appropriately to requests to view, amend or destroy data. There is a need now to change the approach to data collection, database building and data management.

Non-compliance with GDPR is not an option, and the clock is ticking quickly towards the enforcement date of May 25th 2018. GDPR has some grey areas and nuances for sure, but relying on these to protect you will not be acceptable. Marketers need to be starting their GDPR journey now, ensuring legal and valid consent is stored and documented and that data and processes are reviewed and polished.

