Share this:

EU Data Protection Regulations are changing

EU Data Protection Regulations
are changing. Comply or get ready to pay HUGE fines!

March 6, 2017 - Intelligence

“A business that is not GDPR compliant could face a fine of €20m or 4% of its annual turnover.”
GDPR Conference Website

On 15 December 2015, The European Parliament, the Council and the Commission reached a new agreement on the data protection rules, that the Council adopted and published on May 4th 2016. With this new General Data Protection Regulation (GDPR) a deadline has been put forward for which every organization that processes EU residents’ personally identifiable information (PII) has to abide by from May 25th 2018 onwards. After that, GDPR will financially penalise all non-compliant companies based in, or operating from the EU.
Now is the time to get up to speed, if you haven’t started already!

Firstly, let’s refresh your memory on previous EU regulatory changes that impacted marketing processes, then we can look at today’s challenges and what the new regulations mean for your organisation. The changes in EU regulation are expected to have a significant impact on businesses, it is up to the marketers to ensure they are prepared and legally compliant.



The Timeline of Data Protection Changes:

  • 2009, OctoberEuropean Telecom Act: Commercial information may not be delivered via email without the individual’s consent. The Internet continues to grow with data being rapidly dispersed – new, bigger challenges around data privacy emerge
  • 2012, January – The European Commission puts forward the first directive to make Europe fit for the new digital age. This attempt to shape the European Data Protection Framework left many grey areas and highlighted the need for clarity through deeper discussions
  • 2015, December – The European Parliament, the Council and the Commission finally reach an agreement on the new data protection rules
  • 2016, May – Publication in the Official Journal of the European Union of the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR)
  • 2018, MayCompliance Deadline! Every single organization that processes EU residents’ personally identifiable information (PII) must comply with the new directive, or face extremely severe penalties.

“Last year we issued more than one million pounds in fines for breaches of the Data Protection Act, so it’s not a power we’re afraid to use.”
Elizabeth Denham, during her speech on GDPR and accountability

The General Data Protection Regulation (GDPR), what does it do?1 2

The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA. These include the right of access, rights to restrict processing, be informed and object, rights to rectification, erasure and data portability. The most important is rights in relation to automated decision making and profiling.

Icon money

Key areas for organisations to consider regarding GDPR

  • For processing of personal data to be lawful under the GDPR, you need to identify and document a legal basis for your processing and management of PI data within your company
  • PI data now includes an IP address or any pseudonymised data that can be tied to an individual
  • Consent requires some form of clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute consent
  • Consent must be verifiable. This means that some form of record must be kept of how and when consent was given
  • Implementation of the GDPR will require a review of consent mechanisms to ensure they meet the standards required under the new legislation. As long as you have collected consent previously using the same requirements detailed in the GDPR then you don’t have to go back and ask for consent from your contacts again
  • Parental/guardian consent is required for children aged 16 and under, to access online services – the issue of children’s personal data protection is currently under review.
  • If you are a data processor, the GDPR places specific legal obligations on you and you will have significantly more liability if you are responsible for a data breach

Am I responsible? - Accountability and Governance

The new accountability principle requires you to demonstrate that you comply with the principles, and states explicitly that this is your responsibility. To do this, you must:

  • Implement appropriate technical and organisational measures to ensure and demonstrate that you comply
  • Maintain relevant documentation on processing activities
  • Appoint a Data Protection Officer, where applicable
  • Implement measures that meet the principles of data protection by design and data protection by default. Measures could include:
    - Data minimisation
    - Pseudonymisation
    - Transparency
    - Allowing individuals to monitor processing
    - Creating and improving security features on an ongoing basis.
  • Use data protection impact assessments.

(1) ec.europa.eu/justice/data-protection/reform/index_en.html
(2) https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

Icon piggybank

What are the benefits of the data protection regulation?

Business in the EU must currently deal with 28 different data protection laws, which presents a large administrative burden and cost to access new markets. Simplification of the regulatory environment through introduction of the GDPR will save an estimated 2.3 billion euros per year. Companies can build trust by offering customers complete control over their personal online data along with enhanced security methods to protect their interests.




At Engagement Factory, we see many opportunities on the horizon, especially when it comes to big data. As an advocate for marketing automation, the best advice we can give you is to make sure you have data governance in place, but we can also help you to identify areas that might be at risk within your Marketing Automation system. As further proof of our commitment to (big) data, Engagement Factory is setting up a Data Management Platform Solution, which you can facilitate (even temporarily) without the hassle of purchasing or subscribing to it yourself.

If you would like to find out more, or need help identifying and implementing changes within your marketing Automation systems to comply with the GDPR, please contact us.

Contact us

Jalke Kennis

Senior Consultant

Thank you for reaching out to us, we will be in touch.

Share this: