Implications of GDPR for your Sales & Marketing Org

First, read a brief GDPR overview.

General Requirements for Businesses

The most alarming part of the GDPR isn’t necessarily the 4% of global turnover fines that have been bruited about. In addition, the country-specific privacy data protection authorities order remediations such as data deletion orders.

Imagine the impact of having to delete all your marketing lists.

Under the GDPR, the requirements of fairness and accountability require data controllers to always consider the reasonable expectations of data subjects, the effect that the processing may present, and their ability to exercise their rights in relation to that processing.


  • Decide whether your business requires you to hire a DPO (Data Protection Officer).
  • Assign each collection and use of personal data a legal basis.
  • Support data subjects’ rights by
    • Creating an access request dashboard.
    • Create a consent withdrawal dashboard.
    • Supporting deletion requests.
  • Track the lineage of all personal data and consent. Where did you get this piece of information and what entitles you to use it for each purpose?
  • Create a process so that consent withdrawal, deletion, and access propagates throughout all third party systems: MPAs (Marketo, Hubspot, Eloqua), Salesforce, marketing mailers, transactional mailers, billing systems, support systems, etc.
  • Do not share any personal data with a third party without explicit user consent.
    • Make absolutely sure your sales people don’t share contact data.
  • Sign up for a GDPR updates service.
    • The implementation and enforcement details are still a work in progress.
  • Understand your risk tolerance around the edges of the GDPR, and consider letting someone else be the test case.


The Inbound process is principally governed by Article 13, covering the information to be provided to subjects at the time of collection.


  • Create GDPR compliant consents and privacy policies. The details – and there are many – are far beyond the scope of this document.
  • One more time for emphasis: make marketing consents opt-in, not opt-out.
  • Track the lineage of all collected personal data.
  • Carefully consider the use of all data enrichment vendors.
  • Carefully consider the use of all visitor identification vendors.


The outbound process is principally governed by Article 14, covering the information to be provided when personal data has not been obtained from the data subject. This requires you to inform data subjects of a series of details, notably including where you got their data and of their rights enumerated above.


  • Before running outbound, execute a legitimate interest balancing test.
  • On the first call, explain where you collected the contact data.
  • On each call, be ready to:
    • answer how you received the info (Article 14.2(f))
    • delete or correct contact info
    • the no harm, no foul principle: if you don’t irritate people, they are unlikely to complain
  • Carefully consider your contact data vendor.
    • You will be a co-controller, so if they didn’t obey the GDPR during their contact collection, you are not in compliance. It is highly unlikely you will be able to use your contract with them to separate yourself from resulting legal implications.

In the UK specifically

Don’t forget to obey the PECR. (Very) roughly:

  • screen against TPS/CTPS
  • maintain in-house do not call
  • do not use purchased lists for recorded calls
  • be careful: individuals can include sole proprietorships