How to Become GDPR Compliant

what is GDPR compliance

Friday, May 25th, 2018 is a significant day for business owners and marketers alike because the European Union’s new General Data Protection Regulation (GDPR) goes into full effect. You may have seen the acronym “GDPR” floating around, and you’ve probably received a handful of policy or terms of service emails in your inbox. But do you have a clear understanding of what the GDPR is and how it will affect your business and consumer life? Many people are still unsure about this important piece of legislation. We’re here to be your guide and tell you what it all means.

A forewarning: we’re going to dive deep into the implications of GDPR, so here’s an overview to help you along.


The European Union’s new General Data Protection Regulation is going into effect.


To give European consumers greater control over their personal data on the internet


Friday, May 25th, 2018


This may affect you, your business, your clients and your clients’ clients


The European Union and any businesses affiliated with member countries

What is the GDPR?

The General Data Protection Regulation is a new law that gives citizens of the 28 European Union member countries greater control of their personal data, including personally identifiable information. This covers sensitive data like race, political affiliation, sexual orientation, religion, home addresses, zip codes and IP addresses, among others.

Through the GDPR, European internet users will have full consent rights to data acquisition, the ability to request information be corrected or deleted and a clear understanding of exactly what their data will be used for.

For companies, this reform can have sizeable impacts on business processes even if you are U.S.-based. Why? Because even if you don’t conduct primary business in Europe, you may:

  • Collect data from European users
  • Advertise in Europe
  • Employ workers in Europe

For wholly U.S.-operating businesses, you’re covered for now. But it’s pertinent that you begin transitioning to be GDPR compliance as it’s likely this law will become standard best practices in the U.S., too.

What is GDPR Compliance?

To ensure your business is compliant, GDPR requirements need to be met. First, you must figure out if your business is a data controller, a data processor or both so that you can determine when the compliance responsibility is yours. Under the GDPR, the data controller holds primary responsibility for compliance.

Your business is a data controller if:

  • It determines the purpose of personal data storage
  • It determines the process of personal data

Your business is a data processor if:

  • It stores personal data for another business
  • It processes personal data for another business

See this checklist to help you begin becoming GDPR compliant. Remember, you can be both a controller and processor depending on the situation, so it’s important to audit all of your data processes.

Although the rules have tightened, your business can still collect personal data if you can provide a lawful reason why. Per the U.K.’s Information Commissioner’s Office, there are six lawful reasons for collecting and processing personal data.

  1. Consent: the person has given clear consent for you to process their personal data for a specific purpose.
    • Note: You must explicitly state the purpose on the consent request, provide a different consent request for each purpose and have no pre-checked boxes.
  2. Contract: processing is necessary for a contract you have with the person to be completed.
  3. Legal Obligation: processing is necessary for you to comply with the law (i.e. criminal records).
  4. Vital Interests: processing is necessary to protect someone’s life (i.e. medical records).
  5. Public Task: processing is necessary for you to perform a task in the public interest or for official functions.
  6. Legitimate Interests: processing is necessary for your legitimate interests or interests of a third party.

To become GDPR-compliant your business will have to institute several functions. At any point your business is attempting to collect personal data, you must clearly state what data is being collected and what purpose that data will serve.

You will need to update your privacy or terms of service agreements to reflect this, explicitly detailing any data collection and proposed usages. Along with this, your business will have to create different consent request opt-in forms for each distinct data purpose. On the opt-in forms, people must willfully consent to data collection. Pre-checked boxes are non-compliant as people may accidentally consent. With the GDPR, consumer inaction on consent forms is no longer considered acceptance, deliberate consent is a must.

Additionally, if any data breach occurs in your business, you’re required to inform consumers within 72 hours of the issue. It’s highly suggested that you keep meticulous data records so that if consumers contact you to correct or delete information, you can easily do so.

GDPR and Marketing

Proceed with caution when marketing under the GDPR. Using outside vendors like Facebook and Google AdWords can present new challenges that need to be taken into consideration. For example, when using Facebook advertising, you’ll no longer be able to target audiences based on their newsfeed posts and likes, unless the posts are public or “friends of friends.” The same change to hyper-targeted ads affects Google AdWords as well. Non-personalized ads will work as an alternative.

For both Google and Facebook, you (as the publisher) are viewed as the data controller meaning you must have your compliance in order or risk punishment. Failure to comply can result in steep damages with fines reaching €20 million (more than $23 million) or 4% of your business’ annual global revenue, whichever is greater.

Don’t put your business in jeopardy by navigating the digital marketplace alone. To ensure you fully understand how digital advertising will work from now on, check out this helpful website which organizes the official Regulation (EU) 2016/679 (General Data Protection Regulation) into sections. When you’re ready to advertise in this new landscape, our skilled team of marketing experts will help you develop and implement effective and compliant digital marketing strategies.

Appleton Creative is one of the top advertising agencies in Orlando, Florida. As an award-winning, full-service agency, we specialize in media buying for local, national and international clients. Appleton leverages relationships with the media to craft a media strategy and plan that is constantly monitored, optimized and analyzed. Appleton delivers multimedia and multi-market campaigns for companies through meticulously placed billboards, advertisements, print publications, radio, TV and online pay-per-click services. Your digital marketing goals are worth a conversation: contact us at 407-246-0092 or

Related Articles:

Share on social media:

Subscribe to our Newsletter

* indicates required