The GDPR concerns project managers

What marketers need to know about the GDPR

Data protection is a long-running topic in public discourse and in the news, most recently with high-profile controversies such as the data protection scandal involving Facebook and the company Cambridge Analytica and the hacking attack on the US financial services provider Equifax. There is increasing scrutiny of how companies collect, store and use personal data.

The European Union has long been active in giving EU consumers more power over their personal data. On April 14, 2016, the EU Parliament voted for the General Data Protection Regulation (GDPR), which defines a single Europe-wide regulation for data protection and will come into force on May 25, 2018.

What does that mean for companies?

The GDPR has implications for companies in the EU and for any company that does business with EU consumers or companies. Failure to comply will result in hefty fines of up to €20 million ($24.7 million) or four percent of global annual revenue for the previous year, whichever is greater. More importantly, companies that fail to meet these obligations could lose their customers' trust.

What does this mean for marketers?

Although the GDPR affects the whole company and all departments, increasingly stringent restrictions on the collection and storage of personal information have a significant impact on marketing teams in particular.

We've rounded up a few highlights that marketers should know. You can find an overview of the complete regulation on this GDPR page.

Declaration of consent

Consumers must give companies a clear and explicit declaration of consent that their data may be recorded. This can be done using a consent check box when signing up on a landing page form, but many companies choose a dual consent system. This means that a consumer, for example, subscribes to the online newsletter and immediately receives an email asking them to confirm their email address before being added to the email recipient list.

Legitimate interest

Under the GDPR, consent may not be required if marketers can demonstrate that certain individuals have a “legitimate interest” in receiving direct marketing. This is one of the less straightforward guidelines of the GDPR, so it may be worth consulting your legal team about any marketing campaigns that you want to send to your current customers on the assumption of a legitimate interest. For direct marketing campaigns that are based on legitimate interest, you must give the individual an opportunity to remove themselves from the mailing list - either through a link to unsubscribe or through a way to contact your company.


The GDPR requires that companies give consumers the opportunity to access, correct and delete their data. Marketers should become familiar with their company's data retention policies and procedures, and identify whom in the company someone will need to contact in order to access their data.

Data storage

The GDPR introduces the concept of data minimization, which obliges companies to store only essential personal data. Data that has little or no value must either be removed, anonymized, or encrypted.

Obligation to notify data breaches

The GDPR gives consumers the right to be notified when personal information has been compromised. In the event of a data breach, companies must notify the office of the data protection officer within 72 hours.

GDPR measures

The new regulation can seem overwhelming at first, but it's important to prepare for it sooner rather than later. Here are four things you can do to make sure your team is compliant:

1. Audit

In order to understand what needs to be changed, you must first examine the current status of your data processing. Ask yourself the following questions:

  • How are you currently collecting data? Does this require the clear consent of the consumer?
  • Do your direct marketing emails provide an option to withdraw consent?
  • What data do you already have, what is it used for and how did you collect it?
  • Are you able to provide evidence of individual steps in the consent sequence, if necessary?

2. Check and update data protection communication

Proactively communicating your current and future data practices and privacy policies will increase your customers' trust in your company and your brand. Update your policies and explain how you collect, store, transfer and process data. Consider emailing your current customers and prospects explaining what changes you are making.

3. Define processes and discuss them with the most important stakeholders

It varies from company to company who the key stakeholders are, but it's important to get them involved as early as possible:

  • Your CEO may want to know exactly how the GDPR will affect business processes, expenses or income. Help him/her understand the potential fines, risks, challenges, and opportunities associated with this transition.
  • Compliance, risk management and data security teams will need to put in place a company-wide data protection plan and policies against breaches.
  • Have the legal department check the changes before officially launching anything.
  • Companies need a Data Protection Officer (DPO) as the central point of contact for all GDPR-related questions and problems. DPOs should keep themselves up to date on data protection laws and practices.
  • If landing pages or forms need to be recreated to comply with the new legal regulations, you should communicate these requirements to the developer and design teams as soon as possible.
  • By also keeping the sales team up to date, you help build trust with current and potential customers. Make sure sales know what steps you are taking to be GDPR compliant; then your colleagues will also pass this information on to interested parties.

4. Third Party Compliance

Take a look at the companies you work with and check that these third parties also comply with the requirements of the GDPR. Learn more about what we at Wrike are doing to be GDPR compliant.

How you can use Wrike to collaborate around GDPR

By using a single source of truth, you stay organized, remove hurdles and create clarity in complex projects with multiple stakeholders and dynamic components.

We'll show you how our own Marketing Operations team uses Wrike to make sure everyone is GDPR compliant:

Sharing knowledge

“The GDPR affects many people on many different teams. Being able to have a single source where we can document our research and best practices is very helpful,” said Mariam Vanyan, Email, Website & Automation Team Lead at Wrike. "Everyone involved knows they can always access Wrike to add notes or ask questions."

Identify changes

"Based on the GDPR, we identify landing pages and emails that may need updating and take screenshots of them to attach to individual Wrike tasks," says Vanyan. “We want to make sure that everything we need to update is here in one place. For us, if something isn't in Wrike, it doesn't exist.”

Assign to key stakeholders

“We make sure that everyone who sees or needs to approve these updates is assigned the appropriate folders, projects, and tasks,” says Vanyan. “When everything is in one place, all teams involved can come right here and see what needs to be done. Because everything is in one place, we don't need to send e-mails for every change that is required, which would inevitably lead to chaos. Everything is clearly listed in Wrike so that all teams know exactly what to do.”

Create dependencies

“There are so many tasks that so many teams have to do, but not all of the tasks can be done at the same time. Some tasks cannot be started until others are done,” says Vanyan. "We rely on the timeline in Wrike and the ability to create dependencies from one task to another to streamline that process."

Have it checked

"After we've made all the changes, we use Wrike to assign everything to the legal department, which then does a final review," says Vanyan. "Because the entire history of the project is shown in this task, our legal department can see the original landing page or email, as well as the steps we took to be GDPR compliant and how things are now."

The GDPR and all of its implications may seem overwhelming, but being GDPR compliant will ultimately help customers and prospects build trust in your brand. Breaking the initiative down into smaller tasks (as described in this blog post) makes the whole effort more manageable.

How are you and your team coping with GDPR compliance? Let us know your experience in the comments below.