The document provides an overview of the key requirements of the General Data Protection Regulation (GDPR) and practical guidance for marketers on becoming compliant. It outlines four key GDPR requirements: consent, security and protection, access, and erasure. It then details various "Do's and Don'ts" for marketers regarding analytics, newsletters, data storage, and more. The document emphasizes getting clear consent, having a withdrawal mechanism, documenting breaches, and establishing data processing agreements with vendors.

1. GDPR
The Do’s and Don'ts
for Marketeers

2. GDPR COMPLIANT
Deadline: May 25th, 2018

3. IS THIS REALLY SO
DIFFERENT THAN BEFORE?
No, not really.
It is about respecting privacy.

4. BUT THE FINES ARE:
4%
of global
annual
turnover
or
Whichever is higher.
20
million euro

5. FOUR GDPR KEY REQUIREMENTS:
Consent
Art: 7 + 8
Security &
Protection
Art: 25 + 32
Access
Art: 15 + 16
Erasure
Art: 17
Explicit consent for the
particular purpose. This
consent must be stored
in an audible and
secure way.
Data subjects should
have access to their
own data and have the
ability to modify or
correct it.
The right to be
forgotten, a right for
individuals to have
personal data erased.
Data protection and
security is required by
design.

6. The GDPR does not cover
internet cookies*, device
fingerprinting and other
similar technologies. Those
will be covered in the new
ePrivacy Regulation.
* But consent is linked to the GDPR.

7. OK, BUT HOW DOES THIS
AFFECT MY LIFE AS A
MARKETEER?

8. PRACTICAL:
Analytics
Contact forms
Retargeting
Newsletter signup
Consent Access Erasure Security
Third party tools
Visitor
Third party tools
Third party tools
Third party tools
Your website

9. Do’s Don’ts

10. Don’t:
MAKE
UNCLEAR
OPT-INS
Don’t assume that
visitors who fill out a
web form want to
receive marketing
emails.

11. Do:
MAKE CLEAR
OPT-INS
Let users explicitly
confirm that they want
to be contacted. A
pre-ticked box that
automatically opts in
won’t cut it anymore –
opt-ins need to be a
deliberate choice. Keep
your terms and privacy
policy always separate
from other consent.

12. Don’t:
COLLECT
MORE
INFORMATION
THAN YOU
NEED
Only collect data that
you actually need.

13. Don’t:
STORE DATA
FROM
CHILDREN
You cannot process
personal data of
children without the
consent of the parent. In
the Netherlands those
below the age of 16 are
considered children,
but this varies between
the age of 14 and 18 in
other EU member states.

14. Don’t:
ASK FOR
‘SPECIAL
CATEGORIES’
DATA
Racial or ethnic origin,
political opinions,
religious or
philosophical beliefs.
Data concerning health
or a person’s sex life
may only be processed
in case this is obliged by
law.

15. Do:
BE CLEAR
WHY YOU
COLLECT
DATA
Be transparent with
your users why you
collect certain data.
Source: uswitch.com

16. Don’t:
STORE
REFER-A-
FRIEND
PROGRAMS
If the data is stored and
used for marketing
communications, you
are in violation and not
considered GDPR
compliant.

17. Do:
FACILITATE A
REFER-A-
FRIEND,
WITHOUT
STORING
DATA
If you don’t store
anything, the
refer-a-friend email is a
notification instead of
promotional. You don’t
need consent.

18. Don’t:
STORE DATA
IN DIFFERENT
SILOS
Avoid silos within the
organization, for
example between
marketing and service,
but work with one single
source.

19. Don’t:
STORE DATA
LOCALLY
Goodbye Excel Sheets!
It’s impossible to be
compliant by storing /
copying data across
multiple data sources,
especially if they are
offline.

20. Do:
MAKE A
SINGLE POINT
OF TRUTH
Get a (global) CRM
system in place, where
you keep the consent of
data subjects who can
view, change and delete
their data. Keep all the
data together and use
this database for third
parties.

21. Do:
HAVE A
SIMPLE
WITHDRAWAL
MECHANISM
Make it easy for users to
see and change their
settings.
Source: Twitter.com

22. Don’t:
USE YOUR
CURRENT
MAILING LIST
Make sure the data you
use in your mailing list
meets the GDPR
requirements. Remove
anyone from whom you
do not have a record of
their opt-in.

23. Do:
ACQUIRE
CONSENT FOR
YOUR
MAILING LIST
Acquiring consent is an
opportunity to help you
segment your
customers and focus
your communication
based on specific
interests, rather than
sending a ‘one size fits
all’ email campaign.

24. Don’t:
WAIT UNTIL
THE DEADLINE
TO RE-
PERMISSION
CONSENT
Can you imagine what’s
going to happen in April
2018 as the deadline
looms?

25. Do:
MARKET
YOUR OPT-INS
If you rely heavily on
email marketing,
develop a strategy for
inviting visitors to join
your mailing list. For
example by using a
pop-up on your website,
because the bottom of
the page just won’t do
anymore.

26. Do:
MAKE
GOOGLE
ANALYTICS
GDPR
COMPLIANT
Change the settings to
ensure Google is not
using the data for other
services, and make sure
the IP addresses are
shortened.

27. Homework:
Google Analytics
Sign the Data Processing
Agreement with Google.
You can find this under
Account Settings (you need
to be Admin).
Source: Google Analytics

28. Homework:
Google Analytics
Make sure you don’t share
the data you collect within
Google Analytics. You can
find the data sharing
options under Account
Settings (you need to be
Admin).
Source: Google Analytics

29. Homework:
Google Analytics
We recommend turning on
the IP Anonymization
feature in Google Analytics.
This requires a code change
to enable. If you use Google
Tag Manager, adjust your
tag or Google Analytics
Settings variable by clicking
into More Settings -> Fields
to Set and then add a new
field named ‘anonymizeIp’
with the value ‘true’.
Source: Google Tag Manager

30. Do:
HAVE A DPA
WITH YOUR
VENDORS
For every vendor
processing data, the
data processor and
controller need to make
agreements regarding
the processing of
personal data through a
data processing
agreement.

31. Homework:
Privacy Policy
The most important update to
your Privacy Policy under
GDPR is that these notices
need to be written in a way
that is clear, understandable,
and concise.
Consider the following questions:
What information is being
collected?
Who is collecting it?
How is it collected?
Why is it being collected?
How will it be used?
Who will it be shared with?
What will be the effect of this on the
individuals concerned?
Is the intended use likely to make
individuals object or complain?

32. Do:
DOCUMENT &
NOTIFY
BREACHES
In case of a personal
data breach, the
controller should notify
the data subjects
without undue delay if
the breach is likely to
result in a high risk to
the rights and freedoms
of natural persons.

33. Don’t:
USE
PERSONAL
DATA FOR
APPLICATION
TESTING
You need to obtain the
clear consent from data
subjects to use their
data for testing
purposes.

34. Do:
ANONYMIZE
DATA FOR
TESTING
PURPOSES
Data can be used if it is
anonymized, the data
subject should not or no
longer be identifiable.

35. Bottom line, GDPR
compliance is simple:
● Don’t contact someone unless they
specifically ask to be.
● Don’t send them irrelevant information
they didn’t request.
● Do increase your data quality.
● Do make the data transparent.

36. About Burst
Burst is a leading digital agency with Dutch roots,
experienced in blending business, data, creativity
and technology. Like our clients, we have a holistic
view and adapt quickly to new challenges.
www.burst-digital.com

37. Amsterdam
Wilgenweg 12a
1031 HV Amsterdam
The Netherlands
Rotterdam
Delftseplein 30C
3013 AA Rotterdam
The Netherlands
+31 10 82 001 40
info@burst-digital.com