
What You Need to Know About GDPR and Marketing Automation

There have always been discussions around human privacy. It’s no exaggeration to say privacy and security are as old as humanity. Once they were about protecting oneself or one’s home, but now they have broader and more complicated aspects. In the modern age, along with the evolution of technology, especially the internet, concerns over privacy and cyber security have risen.

Since the emergence of the internet, storing users’ personal data to use later in ads and marketing activities has become common. To understand the importance of personal data to companies it’s just enough to quote The Economist, which called personal data “the world’s most valuable resource ahead of oil”! So the concerns over how this vast network of personal user data is collected, stored and governed have ultimately led to the implementation of GDPR to regulate the protection of personal data across EU member states. 

In this article, we will dig into the details of GDPR and see what this regulation means for businesses in general and marketing in particular. And finally, as automating marketing activities has become unquestionably common, we will see how GDPR and marketing automation coexist.

What is GDPR?

General Data Protection Regulation or GDPR is a new digital privacy regulation that protects users’ personal data in EU member states and requires companies to be transparent about what data they collect and how they and their partners are going to use that data. As of May 25, 2018, not only the companies in the EU states but also every company that has even one single customer from EU countries should comply with the GDPR rules. This means that GDPR actually has an impact on businesses globally.

How does GDPR impact businesses?

As we mentioned above, all companies operating in EU member states and all those offering goods and services to EU member state residents will be affected by GDPR regulations. So all companies inside and outside the EU that are collecting and storing personal data such as names, photos, email addresses, bank details and such should take responsibility for keeping these data safe and secure.

Companies should ensure that all the GDPR principles are met and clearly addressed in their data processing. It’s recommended that companies prepare an overview of how their business collects and stores data and make sure proper consent has been given, and it’s even better if businesses hire a Data Protection Officer or Data Controller to ensure the business is fully GDPR-compliant.

How does GDPR impact consumers?

GDPR gives consumers more control over what data they share with companies and how their personal information is going to be used. Another change that GDPR brings is that consumers get to know when their data has been hacked and leaked, as companies need to notify the respective organizations so that EU citizens can take proper action to prevent their data from being hacked.

GDPR gives consumers these so-called “privacy rights” and makes companies understand and facilitate these rights. Here are those rights:

  • The right to be informed how the personal data are being used in a transparent way
  • The right of access to personal data that the companies store
  • The right to rectification or to correct inaccurate or incomplete data
  • The right to erasure (or the right to be forgotten) that allows an individual to request removal of personal data when there is not enough reason for its processing
  • The right to restrict processing of data, which will let the data controller store the data but prevent them from further processing it.
  • The right to data portability, which allows individuals to re-use their personal data as they please and for their own purposes across different services.
  • The right to object to data processing and the use of their personal data for marketing purposes.
  • The right to protection from automated decision-making processes and profiling

What are GDPR’s key principles and how do they affect marketing?

With data storing and processing at the core of today’s marketing, the impacts of GDPR on your marketing activities are inevitable. Data processing under GDPR regulations should be done according to these principles. Let’s review what they are briefly and how each principle affects your marketing efforts:

Lawfulness, fairness and transparency

You must ensure that the personal data processing is lawful, provides fair processing information and is transparent enough concerning how you use the data. Let’s clear this up with an example: if a user signs up to your newsletter, you as a company should make sure that the user knows how you’re going to use her/his data in a clear and transparent way in all stages of your interaction with the user. If you will share the data with any partners, if you are going to track the user’s behavior on your website to send marketing emails or even if you’re going to use the data for a new purpose, the user needs to give consent to use her/his data and be able to opt-out when she/he wants.

Purpose limitation

You must process data for legitimate purposes and must not use the data for any other purposes than those initially specified when you collected it. Let’s say the user who subscribed to your newsletter now wants to download an ebook from a partner company that is in collaboration with your company. You should make sure that the partner company receives the needed consent separately from the user and does not use the data for any other purpose than what the user initially intended.

Data minimization

You must limit the data collection and processing to what is absolutely necessary to reach your intended purpose and not more. If the user is subscribing to your newsletter, you can ask for her/his name, email address or even some extra information about the user’s job in order to send related marketing emails, but collecting data about the user’s bank account information is completely unnecessary.


Accuracy

You must always keep data up to date and avoid using inaccurate or outdated data. If the user at any stage of her/his relationship with your company decides to change the email address, he/she should be able to ask to change the data easily to be able to receive emails at the new email address.

Storage limitation

You must not store data for longer periods than necessary. If the user decides to terminate the relationship with your company for any reason, you should make sure that he/she knows for how long you will keep the data after termination. If any bank account information needs to be stored for a possible refund, it should be communicated to the user in a transparent way.

Integrity and confidentiality

Personal data must be processed with proper security, integrity and confidentiality, so that it cannot be accessed by hackers and will never be leaked. So it’s the company’s responsibility to keep the user’s data secure and take any needed action to ensure the data security meets the principles of GDPR depending on data sensitivity.


Accountability

You should be accountable for how you control data and be able to document all the necessary information regarding GDPR compliance and demonstrate that you fully comply with all the other principles.

How does GDPR change marketing activities?

With data storing and processing being at the core of today’s marketing, the impact of GDPR on your marketing activities is inevitable. Marketing in general should be refined with GDPR coming into force, but clearly, email marketing and marketing automation have been affected the most by the new GDPR rules because of how much they depend on personal data to function properly. Let’s see how GDPR fits with marketing automation and email marketing:

Email marketing

GDPR’s emergence marks the end of mass email marketing. That means you can’t send a single marketing email unless you have each recipient’s consent. You need to refine your email marketing strategies to fit into the “permission-based” model to demonstrate your GDPR compliance. There are some steps you need to take to make this happen:

As previously mentioned, user consent is the basis of GDPR. You need to facilitate getting consent from both your existing and potential users either by releasing an official legal notice about your GDPR compliance policies to your existing users to inform them and offer them an option to opt-out if desired, or by refining your newsletter forms with a clear opt-in action.


Have a comprehensive privacy policy

GDPR requires you to have an updated privacy policy about your data storage and usage policies that’s easily accessible to all users on your website. You should add a link to your privacy policy on your lead generation forms. Adding a link in the email footer is also a good practice.


As one of GDPR’s main principles, you are responsible for how you control personal data and should always be able to show all the documents and proof that you have the necessary consent. You must store the necessary records that show the identity of the user that gave the consent, the date and what the user consented to.

Make it easy to unsubscribe!

Add an unsubscribe link to your newsletter and make it as easy as possible for the user to opt out and withdraw consent whenever he/she wishes.

There are definitely more points to consider when refining your email marketing strategies to follow GDPR guidelines, but the ones above can be considered the main ones to show you’re GDPR-compliant. Remember, abiding by the GDPR guidelines creates a win-win situation both for your company and your customers. You as a company get to demonstrate a lawful and reliable image of your business to the public and your customers enjoy a healthy and transparent relationship with your business.

GDPR and marketing automation

It’s relatively recent that automating marketing activities came into play to save time and legwork and cut costs for marketers. With GDPR in place, marketing automation is inevitably affected as it functions mainly with the use of personal data. The difference here is that with marketing automation all the to-do tasks listed above can be accomplished faster and easier. That’s the beauty of how GDPR and marketing automation can work together!

Just collect the necessary data

As explained in the data minimization section above, you should only store the data that is necessary to achieve your intended purposes and not more than that. Previously, marketers collected all the data they could get from users just in case it might come in handy someday, but those practices are gone now under GDPR rules. With marketing automation, you can use analytics technology to review the information you have of your customers and decide on which data is worth keeping and which should be removed for good. This will help you save a lot on your data storage and make your marketing efforts more efficient and effective.

Give users control over their data

With marketing automation, users have more control over their personal data, as data is stored in one single location on a proper marketing automation tool, so it’s easier to track, change and remove user data upon request. This will help customers to easily opt out if they don’t wish to receive any more marketing emails and ensure your marketing campaigns are targeted to the right people who really requested the information.

How does Growmatik comply with GDPR?

There is no doubt that GDPR changed many things in the world of marketing and automation and it requires businesses and especially marketers to work harder to achieve a compliant and business-effective approach to both GDPR and marketing automation. With all the points discussed above we can now say that finding a proper marketing automation tool that fully complies with GDPR regulations is not easy but is truly essential.

But how do you find out if a marketing automation tool is GDPR-compliant? We’ll review how Growmatik, our cross-channel marketing automation tool, complies with GDPR regulations to help you along in the process of choosing the right tool for you.

Growmatik takes user information and behavior on your website and breaks it into segments that can later be used to create a unified customer experience across all channels and to send a personalized message to each targeted segment with specific interests. In line with the first and most important rule of GDPR, Growmatik requires customer consent to be able to store and use its customers’ personal data, and offers two options to gain the needed consent: EU consent and marketing email consent.

Growmatik streamlines the process of getting consent in a few simple steps. You need to show and manage your terms and conditions agreement when collecting data and to achieve this, you should add a marketing email consent statement to your subscription forms that users need to checkmark if they wish to receive further marketing materials from you. To include a marketing email consent statement, navigate to your WordPress dashboard and select Settings and then Growmatik from the left sidebar. Here you can define your statement and choose where to show it:

  • In the WordPress native signup form
  • In the WooCommerce signup form
  • On the WooCommerce Checkout page
  • On the Easy Digital Downloads Checkout page

You can also use {{sitename}} as a dynamic keyword in your statement. Activating these boxes allows you to easily ask for consent whenever you want.


You can also add EU consent and marketing email consent statements to popups and any other integrated forms. To do this, navigate to the popup builder and insert a form element. Then, click the gear icon in the top right-hand corner to show the options available. Mark the two options you see above to enable an input box for each where you can add in your terms statement. Toggling the related front buttons will also mark these as required.


You can later use the data stored on the Growmatik servers to filter your audience in the Growmatik People page and create segments of those who have accepted and those who have denied your terms or of those whose status is unknown (anyone who hasn’t seen your terms agreement request will have an unknown status).

To do this, select leads or customers in the People page of Growmatik and click +Add filter. Next, click Subscription and choose Marketing email consent or EU consent as your filter.


In addition to the right to know what data Growmatik has about you, how the data is used and how to revoke the consent you initially gave, Growmatik gives you full control over what happens to your data as you are the sole owner of that data. So, holding full data ownership, you as a customer can ask us to delete all the data we have from you or your users anytime you wish. For more details on how Growmatik handles and protects your personal data, please visit the Growmatik privacy policy and terms of use pages.

Wrapping up

GDPR has dramatically changed the way businesses interact with their customers and how they handle data privacy. Marketing also received its fair share of changes after GDPR came into force, but this change does not necessarily mean it’s going to weaken your relationship with your customers. On the contrary, GDPR should be considered a great opportunity to build a strong, healthy and trusting relationship with your customer base and to help you value the importance of people sharing their personal data with you, which enables your business to boom. Abiding by the GDPR regulations equals more transparency, lawful business, trust-based relationships with customers and an efficient data economy.
Are your marketing activities GDPR-compliant? How do you think GDPR and marketing automation can go hand in hand?
