The Ultimate Guide to GDPR (and why SMEs need to pay attention)

GDPR & Shopper Marketing Campaigns

Dubbed the biggest change in data privacy, the General Data Protection Regulation (GDPR) will come into effect on May 25th, 2018. Its two main objectives are to protect the private data of all European Union citizens and to transform the way in which organisations collect and store data.

As a result, the GDPR will have a significant impact on a myriad of businesses – and not only European Union organisations will have to follow the new rules. The new regulation is not limited by geography, so if an organisation outside the European Union offers goods and services to European Union citizens, then it will have to comply with the GDPR.

Umbrella has been processing data for marketing campaigns for more than two decades. As experts in our field, we are aware of the fact that the vast majority of brand owners employ secure systems for data gathering and storage. However, the process becomes more complex when data is passed from one agency to another or from one data processor to another. This raises a very important question: how will shopper marketing campaigns be affected by the General Data Protection Regulation?


What Do You Need to Know About GDPR?

The GDPR will require organisations to build in or adjust the privacy settings of their goods, services and websites, as well as alter the way in which they intend to use their consumers’ data.

In a nutshell, the way that data is currently being gathered and used will change drastically. Marketers need to inform themselves and make sure they are up to speed on the latest changes that the General Data Protection Regulation will bring about.

Post-GDPR, the definition of consent will be different. Getting valid consent is going to be much more difficult than before. Additionally, consent that was obtained before May 25, 2018 will only be considered valid if it complies with the GDPR. Under the new regulations consent will have to meet all the following criteria:


  • Active, therefore no implied consent or pre-checked boxes will be accepted;
  • Applied to individual and specific purposes;
  • Named, therefore those who rely on the consent have to be identified;
  • Recorded and verifiable in order to show what the user provided consent for;
  • Renewed since consent is not permanent;
  • Unavailable in employer/employee relationships and the public sector;
  • Revocable and as easy to retract as it was to submit;
  • Separate from various other terms and conditions.


To make this all easier to understand, we have created a list of the most important aspects of the new regulations that you should be aware of and ready to implement.



Possibly the most significant change the GDPR will bring about will have to do with soft opt-ins.

Soft opt-ins are a temporary permission granted by the user to the marketing campaign. They do not involve a specific registration form where users submit their data, give permission and express consent for receiving emails. In other words, soft opt-ins don’t need consent as long as marketers are sending messages/emails/information about goods or services similar to what they previously offered.

Opt-ins are crucial to GDPR.

Soft opt-ins have to comply with two important rules: give the users the chance to opt-out when you get their data and give them the chance to opt-out when you send them messages/emails/information at a later date (for example, an “unsubscribe” option at the bottom of a newsletter).

Starting on May 25th, 2018, soft opt-ins won’t be an option anymore. Under the General Data Protection Regulation, campaign marketers will no longer be allowed to automatically opt in their users when they sign up using their email address. Instead, organisations will have to implement a “double opt-in” system, which means that, in order to subscribe to a company’s marketing communications, the user will have to tick a box to express consent.

Regardless of the lifecycle they are in, prospects, leads and active customers will have to confirm that they wish to be sent any type of information, be it follow-ups or marketing communications. The implications are straightforward: shopper marketers will have to alter their sign-up or enrolment forms and ensure these comply with the rules of the new GDPR.


Data Access

Under the General Data Privacy Regulations, users are granted the right to withdraw their information from any marketer’s database. The aim of this regulation is to give consumers more control and power over how their private information is gathered and used.

To be able to abide by this rule, organisations will need to make sure their users can easily access their data and that they know or can easily find out how to remove it if they wish to do so. In the post-GDPR era, an intuitive way of managing email preferences as well as clear unsubscribe buttons will become a must.


Necessary Data

In this day and age, data makes the world go round. Information is essential for every shopper marketing campaign and the General Data Privacy Regulation, in an attempt to protect the users’ privacy and only disclose pertinent information, will make data collection more difficult.

Marketers can only ask justifiable and relevant questions.

The new regulations will require marketers to explain the information gathering process they are currently employing. Under the GDPR, marketers will only be allowed to ask for pertinent information that can be proved to be helpful to their marketing campaign.

For instance, as a seller, you need to obtain your client’s size when they are purchasing clothes, which can be justified. But marketers won’t be allowed to ask for this type of information when the customer is merely subscribing to a newsletter because the information isn’t relevant.


Did You Know?

During a live campaign, your users’ data can be transferred five times or more between central databases and various agencies. This is an example of a data cycle:


  1. A user submits their personal data (via text messages, website, phones or in-person).
  2. All the data collected from multiple touch points is transferred to a central database.
  3. The data is then transferred to a different agency before the prize draw takes place. Once concluded, the data returns to the original agency.
  4. Consumers send inquiries about the campaign and the collected data moves between multiple agencies to gather the needed information.
  5. Prizes have to be sent out. Since there can be various agencies involved, data must be sent to every one of them.


What’s going on Behind the Scenes of GDPR?

While the impact of the General Data Privacy Regulation is undeniable, organisations can take specific steps to ensure they comply with the regulations and don’t get fined. One of the most important aspects is to be aware of how data is gathered and what happens behind the scenes. These questions were designed to raise awareness and are the best food for thought in the remaining pre-GDPR months:


  • Are any of your agencies acting as a data processor? For example, do they receive consumer detail files in their email?
  • Is there a contract between you and each data processor you work with that comprises all the General Data Privacy Regulation requirements regarding data processing agreements?
  • Have you examined their data security arrangements?
  • Do you have policies that can confirm there are processes in place for secure data transfer? Is everyone abiding by the processes or is data occasionally sent through insecure methods (such as via email)?
  • As required under the General Data Privacy Regulation, do you have evidence and keep records of all of your processing activities? Do all of the agencies you collaborate with agree and follow the same practices?
  • Are you able to quickly and efficiently determine when and where a user gave their consent? Can you pinpoint the purpose?


What Are the Benefits of the GDPR?

The post-General Data Privacy Regulation era is not all doom and gloom. While the regulations are primarily aimed at protecting the users’ privacy, marketers will also reap the benefits of the new regulations and should thus welcome the GDPR. Here is why:

Privacy should be improved for most users across the internet.


Increased Transparency

Nowadays, few users understand what data is collected from them and how this is being used by marketing campaigns. The GDPR is about to change that, giving users more control over how their private information is being used. Customers are unaware of the reasons behind sharing data and they only submit it in order to buy goods or services.

When organisations become more transparent about their reasons for collecting data and once they start asking for consent, they will start providing value to their EU users. Customers will be less reluctant to share information because they will have a better grasp of how and why it’s collected.


Higher Standards

The industry standards are about to be reshaped. Once the General Data Privacy Regulation comes into force, marketers will be compelled to offer better services, improve their processes and overall offer an improved user experience.

This is where new ideas, techniques and marketing strategies will come into play. The post-GDPR era will be marked by innovation and creative thinking. Marketers will have a tougher time competing for people’s attention which, in turn, will make these professionals better at their job. But in return, they will gain valuable attention and loyal customers.


What Penalties Do Organisations Face if They Fail to Comply?

Under the General Data Privacy Regulation, the maximum fine an organisation could face is up to €20 million or 4% of their annual turnover. This would be for serious breaches of the GDPR, such as not having enough user consent in order to collect and use data. Both controllers and processors are affected by these rules.

The GDPR has a tiered approach to fines. For instance, an organisation could be penalised by 2% if it doesn’t have its records in order or if it doesn’t inform the supervising authority about a breach.


How Can Umbrella Help?

Ready or not, the GDPR will come into force in May 2018. Data controllers will be compelled to revisit their data gathering and storage processes and to implement more thorough policies. In other words, brand owners will need to pay more attention to contractual and operational methods of sharing data with agencies as well as their own data handling.

Don’t allow the new General Data Protection Regulations to catch you off guard; otherwise, you may suffer the costly consequences! The regulations will undoubtedly make you change some of your marketing processes; however, in the long run they will improve customer experience and, as a result, your campaigns.

At Umbrella, we have predicted, analysed and resolved a plethora of issues that a shopper marketing campaign could encounter under the new General Data Protection Regulations. The result of our endeavours is The Hub – a platform that will aid shopper marketers to have a seamless and smooth experience without worrying about the new regulations.

Our platform is part of our Promotional Fixed Fee package and, as such, there is no additional charge for using it. The greatest benefit of this powerful tool is that it ensures all campaigns are GDPR compliant. For more information, you can contact us by calling Beth Johnson on 01844 202 045, or emailing

Carl Poxon