How GDPR Impacts Digital Marketing for UK Small Businesses in 2018

Reading Time: 8 mins

GDPR comes into play in May 2018, and has caused quite a stir across almost all businesses and organisations, both small and large. One big thing GDPR directly impacts is digital marketing, and how marketers will be able to effectively target customers and effectively market to them.

So what will GDPR change about our digital marketing activities, and how does this impact small businesses?

What is the General Data Protection Regulation (GDPR)?

If you have somehow missed the GDPR memos, here’s a quick summary from the GDPR Europe website:

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. The key articles of the GDPR, as well as information on its business impact, can be found throughout this site.

After four years of preparation and debate the GDPR was finally approved by the EU Parliament on 14 April 2016. Enforcement date: 25 May 2018 – at which time those organizations in non-compliance may face heavy fines.

What GDPR Means for Consumers Online

GDPR is largely seen as a good thing, especially for consumers as data protection is increased, and they have more freedom over how their personal information is used. And while many business owners may agree with this sentiment, GDPR can prove to be a headache in terms of putting in place new procedures.

Advertising, as one example, should become more relevant. As consumers should theoretically be targeted by companies they are more in-line with, rather than every business they have ever interacted with.

What happens if I don’t comply?

If you are found to fail to comply with GDPR, you can be fined up to 4% of your annual turnover or up to €20 million – whichever is greater.

This is large enough to topple even the bigger businesses, so GDPR is something to take very seriously.

Key Changes

What are the key changes GDPR enforces? From the website:

​The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies; the key points of the GDPR as well as information on the impacts it will have on business can be found below.

  • Increased Territorial Scope (extra-territorial applicability)

The GDPR applies to all companies processing personal data of EU data subjects

  • Penalties

Organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater)

  • Consent

Conditions for consent have been heightened, with companies no longer able to use terms and conditions full of legalese

  • Breach Notification

Breach notification will become mandatory

  • Right to Access

Data subjects can obtain confirmation as to whether or not their personal data is being processed

  • Right to be Forgotten

The right to be forgotten entitles data subjects to have the data controller erase their personal data, cease further dissemination of data, and have third parties halt data processing

  • Data Portability

The right for a data subject to receive their own personal data

  • Privacy by Design

Privacy by design calls for data protection to be included from the onset of designing systems, rather than retrospectively.

  • Data Protection Officers

GDPR introduces new internal record keeping requirements


The Biggest GDPR Changes that Impact Digital Marketing for SMBs


As far as digital marketing goes, GDPR completely changes how we handle and store data. And we need data in order to perform digital marketing.

While the techniques of digital marketing may not change, the way we have to collect, handle and store data will change radically.

If your organisation can’t meet the conditions regarding how data is collected and stored, you could be in for a fine when anything happens to it.


While consent already plays a fairly large role in digital marketing now, GDPR will require explicit consent. Consent must be given, not assumed.

Consent of the data subject means that in order to use and store their data, you need explicit consent by a clear affirmative action, which signifies agreement to processing their personal data.

You must be able to demonstrate how they have consented. So the language on your website should be altered to reflect this. You should clarify the exact purpose of the collection of their data.

For instance, silent consent or pre-ticked checkboxes are not considered proper consent. If you are processing data for multiple purposes, you need to outline these purposes and gain consent for each one individually.

The purpose needs to be clear and unambiguous, and detail exactly what is included.

The definition of personal data

Personal data covers a much wider spectrum of data now.

Any form of name, number, location, or other form of identifier that can be used to identify someone or their personal information is considered Personal Data which must be protected.

This includes anything that identifies the physical, cultural, economic or social identity of the person in question.

This includes such things as cookies, device IDs, IP addresses (both mobile and stationary) as well as search engines.


Spray and pay retargeting campaigns should become less relevant and less frequent. And GDPR may remove some of the more targeted advertising that currently takes place. Ads that follow you around relentlessly, for instance, will probably decline fairly sharply.

As consent will be more explicit, this should mean customers are more inclined to be interested. Which also means any retargeting campaigns should be more effective, as even now when consumers are most likely interested in something they’ve previously looked at or engaged with, it will be refined down to a more effective audience.

At the end of the day, you need to comply with GDPR. So you will need to assess how your business collects and processes data.

As for digital marketing, tools and platforms such as Facebook and AdWords should be compliant in May 2018, so you needn’t worry too much about this side of things.

While remarketing and the like falls directly under what GDPR outlines, this is essentially Google and Facebook’s problem. Whether they see dropouts from consumers is the next challenge they will face. However, it seems likely many people will agree with terms laid out by such giants as Google, as they are a trusted brand. However, this poses a fairly large challenge for SMBs, as consumers may feel less likely to hit consent boxes for brands they are less familiar with.

But outside of these problems, if you collect email addresses or buy lists, you will need to readdress how you build and store your databases. This goes on to include other forms of customer data.

For more information, you can read up on the GDPR Europe website.