GDPR and Consent: Rules for the marketing and sales teams

Due to come into force in May 2018, the General Data Protection Regulation (GDPR) will place additional demands on businesses across all sectors. The regulation is designed to protect the personal data of EU citizens, and most companies will have to modify the way they process data in order to comply with it.

Although there is existing data protection legislation in place, GDPR will codify current laws and extend the regulation of data quite considerably. Applicable to any organisation which handles the data of EU citizens, businesses will need to ensure that they have a strategic framework in place so that they’re able to adhere to the relevant legislative guidelines.

How will sales and marketing teams be affected?

Some of GDPR’s changes will be focused on how companies store data and what type of personal data is retained. If in-house processes are to be modified in accordance with the new law, companies may need to introduce new software or CRM systems. In addition to this, specific personnel, such as a Data Controller, may need to be appointed so that there is clear accountability for data processing within the organisation.

Whilst many new requirements will require decision-making at higher levels and in HR departments, sales and marketing staff must be made aware of the upcoming changes and the impact that GDPR could have on their roles.

The rules on obtaining consent from a data subject have become much stricter, which could affect, for example, how an employee interacts with a customer or client. If a company wishes to collect personal data from an individual, it will be required to seek consent, but the individual will retain the right to withdraw this consent, known as the ‘Right to be Forgotten’. In addition, consent must be sought for different processing activities if the data is to be used in various ways.

When a member of a sales team is liaising with a potential customer, for example, they may want to obtain personal data so that they can contact them with follow-up information. Obviously, the subject will need to provide consent in order for this to take place. If the data is to be used for any other reasons, such as additional and unrelated marketing, additional consent must be gained in order to be compliant with the GDPR.

Recognising sensitive data

Sales and marketing personnel should already be familiar with the term ‘sensitive data’, but GDPR has extended the definition to include any type of data which could identify the subject. Whilst some organisations may not routinely process this type of information, it is more common than you might imagine.

Biometric data or personal information is easily identifiable as sensitive, but data regarding an individual’s internet usage or digital footprint could also be deemed to be sensitive if it enables them to be tracked or identified.

As this type of data is generally subject to more rigorous processing rules, sensitive data will need to be handled separately and identified by both staff and in-house systems when it is gathered.

Data breach notification requirements

Perhaps one of the most important issues for sales and marketing staff to be aware of is what to do if a data breach occurs. Whilst this may refer to a member of staff accessing data without authority, it could also occur when data is accidentally accessed, deleted or changed.

According to the GDPR, such data breaches must be reported to both supervisory bodies and the data subject. Whilst it’s unlikely that sales and marketing staff will need to carry out these reporting duties themselves, they will need to adhere to appropriate in-house procedures.

By training marketing and sales staff to recognise a data breach and ensuring they report it to the Data Controller, or alternative personnel, immediately, organisations can ensure that they’re operating in accordance with the new data regulation legislation.

Incorporating the GDPR into marketing activities

When organisations brainstorm new ideas for marketing campaigns, products or services, they are now required to take data protection issues into account. While companies have traditionally dealt with data protection requirements after the design of a new campaign or service, they must now incorporate the idea of ‘data protection by design’.

Marketing staff will, therefore, need to be familiar with the requirements of the new law so that they can be addressed and fulfilled during the conception of new marketing strategies, rather than immediately prior to launch.

Satisfying the new GDPR requirements

Whilst most companies will need to make in-house changes in order to comply with the new law, there are ways to reduce the legislative burden. By outsourcing certain company processes, businesses can rely on external providers to carry out the relevant due diligence required by GDPR.

With many outsourced HR services already acting in accordance with GDPR, this can be the easiest way for businesses to ensure they are operating to the appropriate standard. By outsourcing payroll services, for example, companies can ensure that sensitive staff data is held securely and processed appropriately.


By Cindy Berichon, International Marketing Manager (Global), SD Worx
