This new piece of EU data protection law – the General Data Protection Regulation – represents a significant change to the way businesses are required to collect, process and secure the personal data of the individuals they do business with. It came into force on 25 May 2018 with no transition period.


The GDPR imposes new regulations for organisations to protect consumers around data control, access and security, in addition to tougher enforcement for breaches of the rules. The EU hopes the regulation will clarify obligations, make them more consistent across Europe and improve trust among consumers in the way their data is handled. The EU claims simplified rules for businesses will save €2.3 billion a year.

A major change introduced by the GDPR is the potential sanction if an organisation fails to comply with the law. If an organisation breaches the GDPR, fines could reach €20 million or up to 4% of global annual turnover of the previous year, whichever is highest.

Below, you’ll find the six principles of the GDPR which are at the core of the new regulation. This list does not address all the notions of the new regulation, but it lays a solid foundation to understand the basics of what changed.




Benefits and opportunities of GDPR


Besides the hefty fines and more rigid rules on personal data collection and processing, the GDPR presents opportunities as well. The most important ones are listed below.

Databases will be leaner, and marketing more targeted

Under the GDPR, individuals will need to opt in to your marketing and you’ll need to be able to prove they have done so. This will probably mean the loss of much of databases out there, but in most cases this would mean the disengaged part of the list anyway. A list of individuals who have opted in to your communications should result in higher click-through, open and engagement rates in campaigns of any sort.

Accountability could provide a competitive advantage

The information commissioner has stated that those organisations that can prove that they handle customer data sensitively and respect an individual’s privacy will have a competitive advantage over those who are not.

It will raise the profile of marketing within the organisation

If marketing steps up to the challenge presented by GDPR and takes the lead in developing the culture of privacy demanded by the information commissioner, it should highlight the importance of marketing among senior leaders and increase the credibility of the function.

Examples of legitimate interests

The Data Protection Network from the UK has produced a guide to legitimate interests which includes examples of scenarios in which legitimate interests would be a legal basis for processing personal data, including:

  • Direct marketing
    A charity sends a postal mailshot out to existing supporters, providing an update on its activities and details of upcoming events.
  • Personal data transferred in an acquisition
    A publisher acquires circulation data of several magazine titles in the course of a business acquisition and wishes to use the data for similar purposes to those for which it was originally acquired.
  • Postal marketing from third parties
    A catalogue company adds details to its online order forms which indicate that it shares data with other cataloguers. The purchaser can opt-out of this sharing, and the other cataloguers are listed in the privacy statement.
  • Personalisation
    A travel company relies on consent for its marketing communications, but may rely on legitimate interests to justify analytics to inform its marketing strategy, and to enable it to enhance and personalise the “consumer experience” it offers its customers.