Personal data protections have marketers reaching for aspirin. Headaches mount as May 25 approaches. That’s the enforcement date for the European Union’s General Data Protection Regulation (GDPR). This isn’t news for those in the EU, but many companies in the United States have yet to realize how this will impact their businesses and their data-collection processes.

GDPR expands previous data-protection laws. All companies that process data of any EU resident – regardless of whether that company is based in the EU – must comply. Because business today is increasingly global, the regulation affects most of us. If a company 1) collects or processes data of any EU resident, or 2) its activities relate to offering goods or services to EU citizens, regardless of whether payment is required, then it must comply with GDPR.


GDPR protects an individual’s personal information. This can include name, address, phone number, email, location and even IP address. Greater protection means that individuals have the right to know how their data is being collected, processed, stored, used and transferred.



Why should you care? A GDPR violation could impact your bottom line. Potential fines could be up to 4 percent of a company’s annual global revenue, or £20 million (almost $24 million), whichever is greater, and based on the severity of the infraction.


There are a number of requirements under GDPR. Before we go through these, I should mention that we are by no means providing legal advice, but highlights and examples to aid understanding. Please consult legal counsel to identify any areas of major concern.

You Need Permission
If you’re collecting personal data from EU residents, you must obtain and have proof of explicit consent. This means that people have to take affirmative action to check a box to be added to various email lists. Or if they fill out a contact form on your website and that information is stored in your customer-relationship-management (CMS) system as a record, they must check a box that prove they understand how their data will be stored.

Strict Privacy by Default
This one is primarily for social platforms such as Facebook or a search-engine conglomerate, such as Google. However, if you’re in the business to create software, apps or even forums, where users log in, engage and connect to the internet, you will need to make sure that strict privacy settings are the default, not a voluntary user choice.

Greater Control of Personal Data
Under GDPR, individuals have greater control over how their personal information is collected, stored, used and transferred. Moving forward, you will need to implement a process that allows a user to access his or her data and see where, why and how the data is processed. This includes the right to request a report and the ‘right to be forgotten,’ which essentially means that he or she can tell you to purge their data from your system.

For example, let’s say that you have a contact form on your website for lead generation. This contact form feeds into your CRM, like Marketo, and your sales team uses that data to reach out to the new prospect.

Based on this scenario, your contact form needs to include the following:

  • Country must be a required field. This enables you to sort data down the road.
  • Clear language stripped of legalese that indicates to users that filling out the contact form gives your team permission to reach out regarding their request.
  • A link to an updated Privacy Policy and Terms and Conditions stating that you are collecting data through the website, you are processing data in a specific CMS, using it to respond to their requests, and how long you are storing the data.
  • A link or process to how an individual can check on data and requests to be forgotten.

Breach Notification
Organizations must report certain types of data breaches to individuals within 72 hours, unless the breach poses no threat or risk to the individual. This is one of the largest gray areas in GDPR, and we would recommend reviewing data-breach processes with your legal counsel.

Other Areas of Impact
If your company monitors sensitive personal information, monitors personal data on a large scale or is a public authority, you may be required to hire a data-protection officer. If you happen to market services to anyone under 16, you must obtain parental consent before storing any data. You can fine more information about GDPR regulations here.


Don’t let the looming GDPR deadline cause panic. Use this checklist to evaluate what you need to do and again, get in touch with your legal counsel to address your areas of specific concerns.

Perform an Audit
Assess what data you have, where it came from and how you share it. Once this is complete, determine what you need to do to comply. If you are using a third-party tool like a CRM software, find out how it plans to implement GDPR.

Update Your Privacy Policy
You know that seldom-clicked link in your website footer? Your privacy policy needs to be updated to include how you collect data, how it’s used, how it’s stored, and if you share this information with others.

Obtain Consent
Email Marketing: If you use email marketing but do not have proof of consent, you will need to send an opt-in email before May 25. Moving forward, use inbound marketing tactics and provide a checkbox for voluntary consent to join your email marketing list.

Google Analytics: If you collect user IDs, IP addresses, cookies or behavioral profiling, you will either need to anonymize the data before downloading and storing, or add an overlay to your website that asks for permission to use cookies.

Retargeting Ads and Tracking Pixels: If you are using retargeting pixels from a platform like LinkedIn or through a third-party media provider, you must obtain informed consent, similar to the cookie permission listed above.

Contact Forms: Before users submit any information through a contact form, get their explicit consent via a checkbox.


GDPR will take affect in a couple of weeks. If you haven’t taken action, do so quickly.

Here are some great resources:

An aviation-specific version of this column appeared in the May 10 issue of BlueSky News.