Knowing your audience is at the centre of sales and marketing, so collecting data on customers and prospects is critical to the sales and marketing game. The more you know about your customers and prospective customers, the easier it is to target them with advertisements, and the more you can tailor your product to suit their needs. This customer information is personal and is widely referred to as personal data. Personal data has often been described as “the world’s most valuable resource”, ahead of oil. Because personal data is valuable, it is subject to misuse and theft, and it must be handled with care to prevent data breaches. Data breaches are a company’s worst nightmare: according to a 2021 report from IBM, the average cost of data breaches worldwide is $3.86 million. For this same reason, tough privacy laws such as the European GDPR, the UK Data Protection Act and California’s Customers’ Privacy Act have changed the way that companies market to and communicate with existing and prospective customers. Unfortunately for companies and marketing departments, it is no longer business as usual; they are now forced to be more careful and creative in how they try to reach their intended audience.

How Personal Data Is Used in Marketing and Sales

Companies usually capture, store, and analyse copious amounts of quantitative and qualitative data on their consumers on a daily basis. Some companies even build their entire business models around buying and selling personal information to third parties and creating targeted ads. The GDPR, in particular, targets this very practice and lays out only six legal bases for processing personal data. Personal data, according to the GDPR Article 4 (1), is any information which is related to an identified or identifiable natural person. The six legal bases GDPR provides for processing data are as follows:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

Marketers operate under the first basis, which is consent. Article 4 (11) defines consent as a freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The consent must be freely given, which means that you have not coerced the data subject into agreeing to the use of their data. For one thing, this means that you cannot require consent to the data processing as a condition of using the service. Data subjects need to be able to say no. Google recently learned, by way of a €50 million fine, that you cannot cut corners with consent. The French data protection authorities said that the company’s method of obtaining consent was neither “informed” nor “unambiguous” and “specific.”

Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment, according to recital 42 of the GDPR. The one exception is if you need some piece of data from someone to provide them with your service. For example, you may need their credit card information to process a transaction or their mailing address to ship a product.

If personal data is being sought for the purpose of marketing, consent will be required. You will need to note in your company’s Privacy Policy that consent is being used as a legal basis.

There are some guidelines on gaining consent. The guidelines are as follows:

  • You must be able to demonstrate how the data subject has consented to the processing, which means your marketing department must record who gave consent and how.
  • The data subject must be able to withdraw consent at any time (the right to object) and it shall be as easy to withdraw consent as it is to give it. Policy and process need to demonstrate how to withdraw consent.
  • Consent should cover all processing activities carried out for the same purposes.
  • If processing for multiple purposes, consent should be given for all those purposes.
  • Consent should not be considered freely given if the data subject has no genuine or free choice.
  • Silent consent, pre-ticked boxes or inactivity should not constitute consent.

Tips on Gaining Consent

There are several methods of gaining “explicit consent”, including electronic forms, emails or the upload of scanned documents with the data subject’s signature or electronic signature. Whatever medium is used to obtain consent, it should be possible to prove that consent was legitimately obtained. This is best achieved by using a two-step verification process because it is traceable and can provide proof of consent.

It is important to separate the written request for consent from other terms and conditions; the request should not be hidden in the terms and conditions. If it is, it does not meet the requirement of clear and unambiguous consent. The request for consent should be clearly visible to the data subject, user-friendly, and written in plain language, free from jargon. In other words, it should be informed, affirmative, and distinguishable.

Digital Marketing and Data Privacy: How Can Marketers Adopt Privacy?

The privacy laws do not appear to be going anywhere, so how can marketers adapt? According to Google, the best way to collect data responsibly is to be resourceful in how you reach your customers and hire and train for privacy. It is of paramount importance to become au fait with privacy to avoid data breaches, as they can spell doom for a company.

If you want to discuss this topic, or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.