GDPR for Marketers and Web Analysts

DISCLAIMER: I am not a lawyer and this blog post is based on my own extensive research and interpretation of GDPR. This article is for informational purposes only and is not a substitute for professional legal advice. Use your own discretion.

To fully understand this article you may need to read it from start to finish more than once, because it uses a lot of jargon that you will meet early on but which is only explained later in the article.

What is GDPR?

GDPR stands for General Data Protection Regulation.

It is the EU's privacy law. It was adopted in April 2016 and has applied, and been enforceable, since May 25, 2018.

GDPR gives data subjects more rights and control over their personal data and how it is used.

Why should you as a marketer care about GDPR?

If you process personal data of 'data subjects' in the EU, you may have to comply with GDPR regardless of where your business is located: under Article 3 it applies to organisations established in the EU, and to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour there.

There are two tiers of administrative fines for not complying with GDPR (Article 83), applied case by case:

1) Up to €10 million (roughly $12.5 million at the time of writing), or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.

2) Up to €20 million (roughly $24.73 million at the time of writing), or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.

Besides the power to impose fines, a supervisory authority such as the UK's Information Commissioner's Office (ICO) can:

  • Issue warnings and reprimands.
  • Impose a temporary or permanent ban on your data processing.
  • Order the rectification, restriction or erasure of personal data.
  • Suspend data transfers to third countries.

If you are a business entity (corporation, partnership, limited liability company, sole proprietor) based in the EU then you should not ignore GDPR compliance, as your business is directly and heavily affected by it.

Under Article 82 of the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the data controller or processor for the damage suffered.

The individual is entitled to bring a compensation claim in the courts.

This could open the floodgates for compensation claims against both data controllers and data processors.

In order to understand GDPR and implement it across your organisation, you first need to understand the meaning of the key terms used in GDPR.

What is considered as Personal data in the context of GDPR?

In the context of GDPR, personal data is any information that relates to an identified or identifiable living person: anything that can be used to single you out, directly or indirectly, on its own or combined with other data.

It can include (but is not limited to): your name, email address, IP address, home address, phone number, credit card details, ZIP/PIN code, photos, videos, recorded voice, genetic data, biometric data, and online identifiers such as cookie IDs and device IDs.

What is considered as Sensitive Personal Data in the context of GDPR?

GDPR calls this 'special categories of personal data' (Article 9). It covers data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data used to uniquely identify a person; data concerning health; and data concerning a person's sex life or sexual orientation.

What that means is that if you are processing data about a person's skin colour or ethnicity, their sexual orientation, their health, their religion or their politics, then that is all special category (sensitive) personal data.

Under GDPR, processing of special category data is prohibited by default.

It is allowed only in the specific cases listed in Article 9(2), for example with the data subject's explicit consent or where the processing is necessary for medical care.

What is Data processing?

Any operation or set of operations (whether manual or automatic) which is performed on personal data is data processing.

Anything that you do with personal data is data processing.

Data processing can include (but is not limited to):

  • Collecting data
  • Storing data
  • Modifying data
  • Structuring data
  • Sending data
  • Using data
  • Accessing data
  • Deleting data

Note: GDPR does not apply to processing by competent authorities for the prevention, investigation, detection or prosecution of criminal offences (a separate Law Enforcement Directive covers that), nor to processing carried out by an individual purely for personal or household activities (Article 2(2)).

Who is Data controller?

If you decide, why and how personal data is processed then you are a data controller.

If you determine the purposes and means of processing personal data then you are a data controller.

Any individual or business entity (corporation, partnership, limited liability company) can be a data controller.

For example, if you use email addresses to send newsletters to your subscribers/customers then you are a data controller.

If you use cookies to re-market to your websites visitors or customers then you are a data controller.

Similarly, if you use your website users’ behavioural data or browsing history to provide personalised user experience then you are a data controller.

Long story short, if you own a website and/or mobile app then under GDPR, you are most likely a ‘data controller’.

Who is Data processor?

If you process personal data on behalf of a controller then you are a data processor.

Any individual or business entity (corporation, partnership, limited liability company, sole proprietor) can be a data processor.

For example, if you process personal data on behalf of your client(s) then you are a data processor.

What that means is that under GDPR all consultants, agencies and freelancers are most likely data processors, as they process personal data on behalf of their clients in some shape or form.

When you use an analytics tool like 'Google Analytics' to track and manage website usage data, Google becomes your data processor, as it processes website usage data on your behalf.

When you use an advertising platform like 'Google AdWords' or 'Facebook' to market or re-market to your website visitors/customers, the platform processes marketing data on your behalf. Check each platform's data processing terms, though: advertising platforms typically act as a controller, or joint controller with you, for parts of that processing rather than as a pure processor, and your obligations differ accordingly.

When you use a A/B testing tool to show different variations of a page to your website visitors then your A/B testing tool becomes your data processor, as it processes website usage data on your behalf.

Similarly, when you use an email marketing and automation tool like ‘Get Response’, it becomes your data processor, as it processes email addresses on your behalf.

Most data processors, if not all, can also be considered as data controllers in their own right, for the processing they do, for their own administrative purposes.

GDPR applies to both data controllers and data processors

Under GDPR, controllers must have a lawful basis for processing personal data and be transparent about how the data will be processed, processors may act only on the controller's documented instructions, and consent must be obtained wherever consent is the basis relied on.

Under GDPR, whenever there is a personal data breach, the data processor must notify the data controller without undue delay, and the data controller must notify the supervisory authority (within 72 hours where feasible) and, where the risk to individuals is high, the affected data subjects.

You as a data controller have a legal obligation to use only processors that give sufficient guarantees of GDPR compliance and to bind them by a written data processing agreement (Article 28); a processor's failures can still be your liability.

What is EU (European Union)?

GDPR is a EU privacy law.

The European Union (or EU) is a political and economic union of member states located primarily in Europe; at the time of writing there were 28.

The member states include: United Kingdom, Germany, Poland, Italy, Sweden, Romania, Netherlands, Bulgaria, Greece, Hungary, Czech Republic, Croatia, Republic of Ireland, Austria, Finland, Denmark, Belgium…

Source: https://en.m.wikipedia.org/wiki/European_Union

What are third countries under GDPR?

A country that is not a member state of the European Union is referred to as a 'third country' under GDPR. (The three EEA countries, Iceland, Liechtenstein and Norway, have adopted the GDPR through the EEA Agreement, so they are treated like member states for this purpose.)

GDPR imposes restrictions on the transfer of personal data to third countries or international organisations (Chapter V): such transfers need an adequacy decision, appropriate safeguards such as standard contractual clauses, or one of the narrow derogations.

At the time of writing the UK was expected to leave the EU in March 2019 and become a third country. (It left on 31 January 2020, kept the GDPR in domestic law as the 'UK GDPR', and received an EU adequacy decision in June 2021, so transfers to the UK remain permitted.)

Who are Data Subjects?

In the context of GDPR, a data subject is the person whom personal data is about.

For a company outside the EU, what matters is where the person is, not their passport: Article 3(2) covers data subjects who are in the Union at the time their personal data is processed.

Although data subjects are primarily EU citizens (the citizens of the member states), you do not have to be an EU citizen to be a data subject.

What that means is that non-EU citizens of any nationality (including but not limited to temporary residents, tourists, international students, migrant workers, refugees etc.) who are within the borders of the EU at the time their personal data is processed are data subjects.

So if you are an American and you travel to an EU member state such as Germany, then under GDPR you automatically become a data subject.

Once you leave the EU, processing of your personal data by a non-EU organisation is no longer covered under Article 3(2), so you are no longer a data subject in that sense, unless your data is processed by an organisation "established" in the EU, in which case Article 3(1) applies regardless of where you are.

The same goes for EU citizens. If you are an EU citizen and you leave the EU, whether for travel, business, or a temporary or permanent stay, processing of your personal data by a non-EU organisation while you are outside the EU is not covered by the GDPR, unless that data is still processed by an organisation "established" in the EU.

GDPR gives data subjects rights and control over their personal data and how it is used; it gives you no such rights if you are not a data subject in this sense.

What does the GDPR mean for marketers?

GDPR has taken users' consent to a whole new level.

GDPR requires that consent be freely given, specific, informed and unambiguous, and given by a clear affirmative action such as ticking an unticked box (Article 4(11)). 'Explicit' consent, an express statement, is required for special category data and for some international transfers. Implied or inferred consent is not enough anywhere.

A consent request needs to be a clear, concise and specific statement. It should say plainly why you want the consent and what you are going to do with the data.

It needs to be in plain English (or whatever language you use), not vague or full of jargon that a regular person cannot understand.

Following is an example of ‘explicit consent’:

“When you sign up on our website, we assign you a unique ID. Through this ID we track your usage of our website across different devices and browsers. This helps us maintain certain website functionality and provide you with a better user experience. Please tick the checkbox below if you are fine with this.”

Following is not an ‘explicit consent’, as it is not clear, and it does not tell, why you are asking for the consent and what you are going to do with it:

“We do User ID tracking. Please click the checkbox below, if you are fine with this”

Default consent is not a ‘valid consent’.

A default consent can be in the form of pre-ticked boxes on a form, or consents mentioned somewhere in terms and conditions.

So under GDPR, you should not use pre-ticked boxes as a form of user consent.

All consent requests must be clearly presented to data subjects, regardless of whether they are already mentioned in your terms and conditions.

For example, if a user is automatically subscribed to your newsletter, as soon as he made a purchase on your website, even when he did not explicitly opt in, for your newsletter then that is not ‘valid consent’.

Under GDPR, you must make it as easy for data subjects to withdraw consent as it was to give it (Article 7(3)), and tell them how.

For example, if you are sending newsletters to data subjects, there needs to be an 'unsubscribe' link in the email that is clearly visible and works in just one click, without requiring a login.

Under GDPR, you should avoid making consent a precondition of a service when the processing is not necessary for that service (Article 7(4)).

You should avoid penalising data subjects for refusing or withdrawing consent.

So if a data subject refuses to give you a particular consent, you should not kick them off the website (by redirecting them to, say, Google's home page).

GDPR also requires you to be able to demonstrate that a data subject consented (Article 7(1)), so record each consent (what was consented to, when, and how it was given) and keep those records.

You may need to obtain fresh consent from data subjects if your consent requests have always been buried in your terms and conditions and data subjects are not aware of them.
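The two requirements above, a one-click unsubscribe link that needs no login and a record of when and how each consent was given or withdrawn, can be met together. The following is an added example, not code from this article or from any email tool: it signs each recipient's unsubscribe link with an HMAC so the link works with one click yet cannot be guessed or altered to unsubscribe someone else, verifies it in constant time, and appends a withdrawal event to a consent log. The key, the 30-day validity window, the in-memory stores and all function names are this example's own assumptions. The `List-Unsubscribe` headers at the end follow RFC 8058, which lets mail clients offer one-click unsubscribe in their own UI; that RFC also requires the message to carry a DKIM signature covering those headers.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Set

# Hypothetical server-side secret for this example. In production load it from a secrets
# store (never from source) and rotate it; a leaked key lets anyone forge unsubscribe links.
UNSUBSCRIBE_KEY = b"example-only-replace-with-32-random-bytes"
TOKEN_TTL_SECONDS = 30 * 24 * 3600   # assumption: links in old newsletters keep working for 30 days

# In-memory stand-ins for the subscriber table and an append-only consent log (assumed here).
SUBSCRIPTIONS: Dict[str, Set[str]] = {}
CONSENT_LOG: List[Dict[str, object]] = []


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> bytes:
    return hmac.new(UNSUBSCRIBE_KEY, payload, hashlib.sha256).digest()


def make_unsubscribe_token(subscriber_id: str, list_id: str, now: Optional[int] = None) -> str:
    """Opaque token <payload>.<signature>: who, which list, expiry, bound to our key."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": subscriber_id, "list": list_id, "exp": now + TOKEN_TTL_SECONDS}).encode()
    return f"{_b64u(payload)}.{_b64u(_sign(payload))}"


def parse_unsubscribe_token(token: str, now: Optional[int] = None) -> Optional[Dict[str, str]]:
    """Return {'subscriber_id', 'list_id'} for a valid, unexpired token, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64u(payload_b64), _unb64u(sig_b64)
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison: no timing oracle on how much of the signature matched.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    try:
        fields = json.loads(payload)
        if int(fields["exp"]) < now:
            return None
        return {"subscriber_id": str(fields["sub"]), "list_id": str(fields["list"])}
    except (ValueError, KeyError, TypeError):
        return None


def record_consent_event(subscriber_id: str, list_id: str, action: str, method: str, now: int) -> None:
    """What, when and how: the record GDPR expects you to be able to produce."""
    CONSENT_LOG.append({"subscriber_id": subscriber_id, "list_id": list_id,
                        "action": action, "method": method, "at": now})


def subscribe(subscriber_id: str, list_id: str, method: str, now: Optional[int] = None) -> None:
    """Opt-in path; `method` names the UI element the consent came from (e.g. an unticked box)."""
    now = int(time.time()) if now is None else now
    SUBSCRIPTIONS.setdefault(subscriber_id, set()).add(list_id)
    record_consent_event(subscriber_id, list_id, "given", method, now)


def handle_one_click_unsubscribe(token: str, now: Optional[int] = None) -> bool:
    """The endpoint behind the link. Idempotent: a second click is still a success."""
    now = int(time.time()) if now is None else now
    fields = parse_unsubscribe_token(token, now)
    if fields is None:
        return False
    SUBSCRIPTIONS.get(fields["subscriber_id"], set()).discard(fields["list_id"])
    record_consent_event(fields["subscriber_id"], fields["list_id"],
                         "withdrawn", "one-click-unsubscribe-link", now)
    return True


def unsubscribe_headers(token: str, base_url: str) -> Dict[str, str]:
    """RFC 8058 headers: the mail client POSTs the body 'List-Unsubscribe=One-Click' to the URL."""
    return {
        "List-Unsubscribe": f"<{base_url}/unsubscribe/{token}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }
```

The token carries no email address, only an opaque subscriber ID, so a forwarded newsletter does not leak the recipient's address in the link; the signature stops one recipient editing the ID to unsubscribe another. The expiry is a trade-off: links in year-old emails stop working, but a stolen link cannot be replayed forever.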

Rights of data subjects under GDPR

Under GDPR, a data subject has got certain rights. 

When you as a business entity honour the following rights of data subjects you meet an important part of GDPR, though not all of it; the obligations on controllers (lawful basis, records, security, processor contracts) apply as well:

#1 The right to be notified of a data breach

Under GDPR, whenever there is a personal data breach, the data processor must notify the data controller without undue delay, and the data controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33).

Where the breach is likely to result in a high risk to individuals, the controller must also tell the affected data subjects without undue delay (Article 34).

#2 The right to access

All data subjects have the right to obtain a copy of their personal data (Article 15) and to know:

  • If their personal data is being used
  • How they can access it
  • How they can change or delete it
  • Why it’s being used or who it’s shared with
  • How long it will be stored

#3 Right to be forgotten

If a data subject asks you to erase their personal data, you must do so without undue delay (provided you have no legal grounds to keep processing it, Article 17).

You should delete data subjects’ data, in following events: you no longer need it, the data was used unlawfully, or if a data subject exercised their right to object.

#4 The right to object

A data subject has the right to object at any time to the use of their personal data for direct marketing, and you must then stop; this right is absolute (Article 21(2)-(3)). They can also object to processing based on your legitimate interests or a public task, in which case you must stop unless you can show compelling legitimate grounds that override their interests (Article 21(1)).

For example, if a data subject asks you to stop retargeting them, you must do so.

How this can be implemented technically across advertising platforms is still an open question for most marketers.

#5 The right to rectification

A data subject has the right to ask you to update their personal data, if it’s incorrect or incomplete.

And you should do it without undue delay.

#6 Privacy by design (strictly a controller obligation rather than a data subject right)

Privacy by design is an approach to designing projects, processes, products or systems that builds privacy and data protection compliance in from the start.

Article 25 of GDPR (data protection by design and by default) expects data controllers to hold and process only the personal data necessary for each specific purpose (the data minimisation principle of Article 5(1)(c)), and to limit access to personal data to those who need it to carry out the processing.

Basically, if you have a website, you may need to redesign or redevelop it so that it collects the bare minimum of personally identifiable information about data subjects.

‘Privacy by design’ is a huge topic on its own and explaining it further is beyond the scope of this article.
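As an added example (not code from this article or from any analytics vendor), here is one concrete data-minimisation step a web analyst can take on their own server: truncate visitor IP addresses at the point where access logs are written, so the raw address never reaches disk. The truncation widths are the ones Google Analytics documented for its IP anonymisation setting (zero the last octet of an IPv4 address, the last 80 bits of an IPv6 address); the log lines are constructed samples and the function names are this example's own.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.57 - - [25/May/2018:10:12:01 +0000] "GET /pricing HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [25/May/2018:10:12:05 +0000] "GET /contact HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
this line has no client address and is dropped
"""


def anonymize_ip(raw: str) -> str:
    """Truncate an address so it no longer singles out one host.

    IPv4: zero the last octet (keeps the /24, up to 256 hosts).
    IPv6: zero the last 80 bits (keeps the /48, the usual per-site allocation).
    Raises ValueError if `raw` is not an IP address.
    """
    addr = ipaddress.ip_address(raw)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


# The first whitespace-delimited field is the client address in common/combined log formats.
_LOG_LINE = re.compile(r"^(\S+)(\s.*)$")


def anonymize_log_line(line: str) -> Optional[str]:
    """Rewrite the client-address field of one log line, or None if the line is unusable."""
    m = _LOG_LINE.match(line)
    if not m:
        return None
    try:
        masked = anonymize_ip(m.group(1))
    except ValueError:
        # Not an address in the address field: don't pass through data we can't vouch for.
        return None
    return masked + m.group(2)


def anonymize_log(text: str) -> List[str]:
    """Filter a whole log; blank and unparseable lines are dropped, not copied through."""
    out: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rewritten = anonymize_log_line(line)
        if rewritten is not None:
            out.append(rewritten)
    return out
```

Run this at ingestion (a log-shipper filter, a WSGI middleware, or the web server's own log-format configuration) rather than as a nightly batch job: once the raw address has been written you are already storing personal data, and a batch job only shortens the retention. Unparseable lines are dropped rather than copied, because a line you cannot parse is a line you cannot prove contains no address. The cost is precision: a /24 still lets you count rough traffic by network, but not unique visitors by host.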

What is Supervisory Authority?

A supervisory authority is the public body in each member state which enforces GDPR.

Each EU member state has designated a 'Supervisory authority', and these authorities cooperate with each other (and with the European Data Protection Board) on cross-border cases.

Supervisory authorities have power to:

  • conduct audits
  • order a data controller/processor to comply with GDPR
  • Issue warnings, fines or ban on data processing.

In case of UK, the ’Information Commissioner’s Office’ (ICO) will act as supervisory authority.

Who is a Data protection officer?

Under GDPR, certain organisations are required to appoint a Data Protection Officer (DPO): public authorities, organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and organisations whose core activities involve large-scale processing of special category or criminal-offence data (Article 37).

The organisation that instantly comes to mind is 'Facebook'.

But if you are 'Apple', 'Amazon', 'Netflix', 'Uber' or some other big company, then most likely you would be required to appoint a DPO, and in practice not just one person but a whole privacy team behind that role.

A DPO is basically a data privacy and protection expert, and thanks to GDPR they are suddenly in great demand, as companies, especially big ones, want to avoid fines and lawsuits as much as possible.

The job of a DPO is to inform and advise the organisation, to monitor its GDPR compliance, and to cooperate with the supervisory authority (Article 39).

The DPO is not in charge of the processing itself: the role must be independent, so a DPO should not be the person who decides the purposes and means of processing, and the organisation, not the DPO, remains responsible for compliance.

A DPO is the first point of contact for supervisory authorities and for data subjects.

You as a business can appoint a DPO even when it is not required by law, just to be on the safe side; bear in mind that a voluntarily appointed DPO is subject to the same independence and task requirements as a mandatory one.

Do you have to comply with GDPR?

You have to comply with GDPR if you are a data controller and/or data processor who is:

#1 established in a country which is a member of the European Union, even if the processing itself takes place outside the EU (Article 3(1)).

#2 based outside the EU, but processing personal data of people who are in the EU in connection with offering them goods or services (paid or free) or monitoring their behaviour within the EU (Article 3(2)). Note that this is about where the person is, not their citizenship.


How do you know if you are processing personal data of people in the EU?

Article 3(2) is triggered by two things: offering goods or services to people in the EU (whether or not payment is required), or monitoring their behaviour in the EU. Recital 23 says that the mere accessibility of your website from the EU, an email address, or the use of a language common in your own country is not enough on its own to show you are offering goods or services to the EU; evidence such as EU shipping options, prices in euros or an EU-language version of the site is. Recital 24 says that tracking people on the internet and profiling them counts as monitoring. With that in mind, these are the cases (not an exhaustive list) in which you are knowingly, unknowingly or accidentally processing the personal data of people in the EU:

#1 You sell products/services to people in the EU.

#2 People in the EU buy products/services from your website even when they are not your target market and you are not specifically targeting them. One-off purchases you did not solicit are a weaker trigger than #1, but you still hold their personal data and should handle it accordingly.

#3 A person in the EU attempts to buy a product/service from your website even though you do not sell to them. For example, a US business that receives an order from the EU and does not fulfil it, because it does not sell outside the US, now holds that person's billing and shipping address in its database. Under Recital 23 an unsolicited order alone does not prove you are offering goods or services to the EU, but the safe course is to treat that data as covered: keep it only as long as needed and honour any access or erasure request.

#4 You ask people in the EU for personal data such as an email address in exchange for something like a free ebook.

#5 A person in the EU uses the contact form embedded on your website. Your website has then processed their personal data (name, email address).

#6 You track the online activity of your website users via analytics and testing tools like 'Google Analytics', 'Google Tag Manager', 'Kissmetrics', 'Hotjar', 'Optimizely' etc. As soon as a visitor from the EU lands on your website you are monitoring the behaviour of a person in the EU, which is exactly the Article 3(2)(b) trigger. This is the case that catches most marketers.

#7 You directly market or re-market to people in the EU.

#8 A person in the EU is exposed to your marketing campaign which uses personalisation of some sort (like dynamic remarketing). Since personalisation is not possible without tracking online activity, you are knowingly or unknowingly processing personal data of people in the EU and must comply with GDPR.

#9 You collect user feedback via online surveys and someone from the EU participates in the survey. You now hold personal data of a person in the EU.

#10 You provide a personalised user experience to your website users. Since personalisation (like geo-targeting) is not possible without tracking online activity, you are processing personal data of people in the EU and must comply with GDPR.

#11 Someone in the EU sends an email to your company mail server. The headers and body of that email contain personal data (the sender's address, relay IP addresses), whether you solicited the email or not. Receiving an unsolicited email is, by itself, the kind of 'mere accessibility' that Recital 23 says is insufficient to bring you into scope, but you are still holding personal data and should store and delete it sensibly.

In practice any person in the EU can reach a website hosted or operated in any country, order something, subscribe to a newsletter or use the contact form. Whether that alone brings the operator under GDPR depends on whether the site is aimed at the EU or monitors its visitors' behaviour; the usual tracking and remarketing tags almost always amount to monitoring.

Long story short, if your website is accessible from the EU and runs the usual analytics and advertising tags, there is a high probability that you are knowingly, unknowingly or accidentally processing personal data of people in the EU and monitoring their behaviour, and therefore must comply with GDPR.

Can GDPR be realistically enforced?

Not all the requirements set in GDPR are easy to understand; some of them are pretty vague and open to interpretation.

Understanding GDPR is one thing but enforcing it, is a whole new game.

Enforcing GDPR can become very technically challenging, and nobody (including me) knows exactly how you become 100% GDPR compliant or what 100% GDPR compliance looks like.

Since there is no official definition of what full GDPR compliance looks like, in theory your company can always be fined, no matter what you do to become compliant.

There is no step by step guide out there, which you can just download, easily follow and become 100% GDPR compliant overnight.

In addition to that, supervisory authorities have limited resources.

So they cannot realistically monitor the data protection and privacy practices of millions of businesses all over the world.

Most small and medium-sized businesses are therefore unlikely to be audited proactively, but they are not out of reach: any data subject can lodge a complaint with a supervisory authority (Article 77), so one unhappy customer, not only media exposure, is enough to start an investigation.

What supervisory authorities can realistically do, and will most likely do, is target big companies, especially those based in the US, the cash cows they are always after: 'Facebook', 'Google', 'Apple' etc.

Ramifications of GDPR

In an extreme case, a hospital might refuse to treat a person from the EU if it is not GDPR compliant.

In order to take a person from the EU as a patient, the hospital would need to process their health data, which is special category data.

Processing health data for medical care is permitted (Article 9(2)(h)), so the hospital would not be fined merely for holding it; but a hospital processes health data on a large scale, which is exactly the case in which a DPO is mandatory (Article 37), and a supervisory authority can fine it for failing to appoint one.

Many companies may just stop doing business with EU, as they can’t afford GDPR compliance and/or can’t risk the hefty fines which comes with non-compliance.

And since nobody knows, what a full GDPR compliance looks like, the possibility of paying a hefty fine is always hanging over the head, like a sword of Damocles.

We have 'privacy by design' (a controller obligation under Article 25 that is going to bite businesses of any size), which will push businesses to build or modify systems that promote privacy and data protection by default.

Systems which are proactive not reactive, preventative not remedial, when it comes to privacy.

Building and maintaining such systems will cost money.

Data protection officers won't work for free.

So organisations who have to appoint them will have to bear the cost. 

GDPR can increase the cost of all imported & exported goods & services throughout EU.

I can already foresee the rise in premium of business insurance.

24/7 compliance of GDPR is a significant expense & businesses will most likely pass this cost to consumers.

In addition to that, GDPR can severely restrict your ability to track users’ behavior and carry out day to day conversion optimization and online marketing activities (like remarketing).

Without effective tracking, your cost of acquiring customers is going to increase over time.

So as a EU based business, you would become less profitable over time.

Is there a way to avoid or minimize GDPR Compliance?

As long as your website is accessible from the EU, there is a good chance that you are knowingly, unknowingly or accidentally tracking the online activity of people in the EU via analytics tools like 'Google Analytics'.

What I have concluded from my own extensive research on GDPR is that if the EU is not your target market, you are not based in the EU, your data processors are not based in the EU, and you do not want the headache of GDPR compliance, then the practical option is to block all EU countries from accessing your website.

That way your website is far less likely to process any data of people in the EU, and you have little to worry about in terms of GDPR compliance.

GDPR considers an IP address to be personal data (Recital 30), but a published list of the IP address blocks allocated to a country is not anyone's personal data.

So you can block an entire country from accessing your website by blocking all the IP blocks used by that country. Be aware that the check itself touches each visitor's IP address for an instant: keep it in memory, return a plain error page, and do not write the blocked addresses to your access logs, otherwise you are storing the very data you set out to avoid.

There are many tools available (like Wordfence for WordPress) through which you can block an entire country from accessing your website; Cloudflare firewall rules and the nginx geoip module do the same thing.

Blocking all EU member countries will greatly reduce the chance of even accidentally processing personal data of data subjects, though not to zero: geo-IP databases lag behind address re-allocations, and visitors on a VPN or a roaming mobile connection can appear to be somewhere else.

There is no provision in GDPR which prohibits blocking EU member states from accessing a website.
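The country block described above, as an added example that is not code from this article or from Wordfence: a small request filter that maps the visitor's IP address to a country from a prefix table and refuses EU/EEA visitors with a plain 403, without logging them. The address ranges below are documentation prefixes invented for the example, not real allocations; a real table comes from a geo-IP database or the RIR delegation files and must be refreshed regularly. Two points matter for security: the client address is taken from `X-Forwarded-For` only when the direct peer is one of your own proxies (otherwise any visitor can forge the header to dodge the block), and an address the table does not know is allowed through rather than blocked, a default you may prefer to flip. All names here are the example's own.

```python
import ipaddress
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# EU member states (27 after the UK's withdrawal) plus the three EEA states that apply
# the GDPR. Add "GB" if you also want to stay outside the UK GDPR.
EU_COUNTRIES: FrozenSet[str] = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI ES SE".split()
)
EEA_COUNTRIES: FrozenSet[str] = frozenset("IS LI NO".split())
BLOCKED_COUNTRIES: FrozenSet[str] = EU_COUNTRIES | EEA_COUNTRIES

# Constructed sample table using RFC 5737 / RFC 3849 documentation prefixes. These are NOT
# real allocations; load a real table from a geo-IP database or RIR delegation files.
SAMPLE_ALLOCATIONS: List[Tuple[str, str]] = [
    ("198.51.100.0/24", "DE"),
    ("203.0.113.0/25", "FR"),
    ("203.0.113.128/25", "US"),
    ("2001:db8:1::/48", "NL"),
    ("2001:db8:2::/48", "CA"),
]


class CountryBlocker:
    """Longest-prefix lookup of country by IP address, then a block decision."""

    def __init__(self, allocations: Iterable[Tuple[str, str]], blocked: FrozenSet[str]) -> None:
        nets = [(ipaddress.ip_network(cidr), cc.upper()) for cidr, cc in allocations]
        # Most specific prefix first, so a /25 inside a /24 wins. A linear scan is fine for
        # a demo; a production table with hundreds of thousands of prefixes wants a radix tree.
        self._nets = sorted(nets, key=lambda n: n[0].prefixlen, reverse=True)
        self._blocked = blocked

    def country_of(self, ip: str) -> Optional[str]:
        try:
            addr = ipaddress.ip_address(ip.strip())
        except ValueError:
            return None
        for net, cc in self._nets:
            if addr in net:  # False on an IPv4/IPv6 version mismatch, no exception
                return cc
        return None

    def should_block(self, ip: str) -> bool:
        cc = self.country_of(ip)
        return cc is not None and cc in self._blocked  # unknown address -> allow (fail open)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str], trusted_proxies: FrozenSet[str]) -> str:
    """Honour X-Forwarded-For only when the TCP peer is our own proxy or CDN.

    Walk the header from the right, skipping hops we trust; the first untrusted address is
    the one our proxy saw connecting. A header sent by an untrusted peer is ignored entirely.
    """
    if remote_addr not in trusted_proxies or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr


def handle_request(blocker: CountryBlocker, remote_addr: str, headers: Dict[str, str],
                   trusted_proxies: FrozenSet[str]) -> Tuple[int, str]:
    """Return (status, body). Blocked requests get a plain 403 and are deliberately not logged."""
    ip = client_ip(remote_addr, headers.get("X-Forwarded-For"), trusted_proxies)
    if blocker.should_block(ip):
        return 403, "This site is not available in your region."
    return 200, "OK"
```

Wire `handle_request` in front of everything else, including the analytics tags: a block that runs after the page (and its trackers) has already been served is no block at all. Keep the decision out of your access logs and your error tracker, or the blocked addresses end up stored anyway.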

Eventually ‘enhanced privacy’ can come with a heavy price for data subjects, with many companies blocking all of europe, just to be on the safe side.

But what about EU citizens accessing your website from outside the EU?

Once a person leaves the EU, he or she is no longer a data subject in the Article 3(2) sense (unless their personal data is still being processed by an organisation "established" in the EU).

So it is reasonable to conclude that as long as you are not based in the EU, your data processors are not based in the EU, and you block your website from being accessed from any EU member country, you have little to worry about in terms of GDPR compliance (accepting that IP-based blocking is imperfect).

What if you want to retain EU customers?

If you are a business based outside the EU, you don't want to lose EU customers, and you don't want GDPR compliance to affect your online tracking and internet marketing across all your other markets, then consider creating a separate, GDPR-compliant 'EU business unit' with its own website, controller and processors, all based in the EU. Any personal data that unit later shares with the non-EU parent is a transfer to a third country and needs its own legal basis under Chapter V, so keep the two data sets apart.

Quick Recap of the Scope of GDPR Compliance

#1 If your company/business is established in the EU then you have to comply with GDPR. Period.

#2 If your company/business is established in the EU, you have to comply with GDPR even for personal data of people outside the EU. Why? Because Article 3(1) attaches to the establishment, not to where the data subjects are.

#3 If your company/business is based outside the EU but you process personal data of people in the EU while offering them goods or services or monitoring their behaviour, then you have to comply with GDPR (Article 3(2)).

#4 If your company/business is based outside the EU, your data processors are also based outside the EU, and you do not process personal data of people in the EU, then you do not need to comply with GDPR.

#5 If your company/business is based outside the EU but some or all of your data processors are based in the EU then you should comply with GDPR even when you are not actively processing personal data of people in the EU.

This is because an EU-based processor is itself subject to GDPR for everything it does (Article 3(1)), so the processing it performs for you is in scope, must be covered by an Article 28 processing contract, and will be handled to GDPR standards wherever the people in the data are located.

Finally, get legal advice and use your own discretion.

This article is for information purposes only.

Himanshu Sharma

Certified web analyst and founder of OptimizeSmart.com
