GDPR Anniversary: What Happened, What’s to Come, and What you Should do Now


GDPR celebrated its first anniversary last week. What have we learned since then, especially in a Salesforce Marketing context? What could our American friends learn from Europe’s pioneering in privacy?



Can you believe it? A whole year has flown by since doomsday, 25th May 2018. What’s more, we haven’t been shamed by customers or bankrupted by the authorities, nor have our marketing efforts been compromised.

GDPR was brought in to put individuals in control of their own personal data – how it’s captured, stored, used and shared. The regulation prompted marketers to ask questions about their marketing database/s, and for the most part, pointed them in the direction of marketing best practice.

Let’s not forget that GDPR is an ambiguous piece of legislation, with plenty of ‘grey areas’ open to interpretation. Without straight answers and actionable advice, imaginations were allowed to run wild with dystopian post-GDPR visions – not helped by unnerving last-minute Salesforce/Pardot product updates!

This post pulls together the facts so far, followed by topics observed or heard over the past year.

Penalties So Far: The Facts

Headlines about GDPR fines sent multiple departments across the organisation into a flurry, with organisations at risk of fines of up to €20 million or 4% of annual turnover.

What did happen?

Over 200,000 cases were reported in the first nine months, according to the European Data Protection Board (EDPB).
Around a half (48%) were sourced from individuals, whereas a third (32%) were reported by data controllers.

Although fines from infringements totalled €56 million, this figure comes with a caveat – the majority (€50 million) was dished out to Google alone! So, in reality, GDPR hasn’t come down on us like an iron fist – but, as you will read later in this post, there are sinister warnings of harsher enforcement to come.

Let’s wind this post back down to pointers for going forward, observed or heard over the past year.

Data Privacy is your Responsibility (not Salesforce’s!)

Salesforce, as a platform, has world-class security and privacy, holding a collection of every security certification desirable. How Salesforce protects Customer Data is defined in the Master Subscription Agreement your organisation agreed to when onboarded as a customer; however, there’s a dangerous assumption that if you are using Salesforce, then your data management is compliant.

“Compliance does not end here”, says Malte, founder of Simpliant, a Salesforce partner specialised in data privacy consulting, “protecting your customer data from breaches is just one of many requirements organizations have to adhere to. Unfortunately, you are not off the hook just yet.”

Salesforce processes data on behalf of your organisation – it is up to you and your colleagues, internally, to define the way data is processed within and beyond the Salesforce platform. This has meant stepping up to new accountabilities – even if we initially thought we could palm off that responsibility to our CRM provider.

If you are interested in learning more about ‘Privacy by Design’, I recommend reading “Is Your Salesforce GDPR-compliant? 5 Areas You Should Target In Your Org“.

Data Privacy for Marketers

Marketers are often put on the spot when it comes to data privacy and safe handling; after all, it is marketing’s efforts that capture personal data en masse, profile individuals for segmentation, and send promotional information out.

If you endured writing and revising your Privacy Policy, it’s likely you don’t want to do so again; however, it is worth refreshing your Privacy Policy to take into account any new tools you use to process data, additional website cookies, or suppliers you have joined forces with since last summer.

Permission Pass: Remedy for Suffering Metrics?

A ‘Permission Pass’ is an email sent by an organisation asking an individual for consent to continue marketing to them, through the communication channels of their choosing.

The rudimentary idea was to purge from your database anyone who didn’t opt in by the GDPR date; some organisations did, and anecdotal evidence is that this was beneficial. Emailing a smaller database of people who actually care about your brand improves email engagement metrics. Take the prized ‘Click-through rate’ (CTR):

A lower number of bounces, and higher number of clicks, balances out to a higher CTR.

Let’s not forget that the Permission Pass is a tried and tested method that has been around for years! Has everyone entering your database in the past year been given the opportunity to opt-in? Chances are some key contacts, like those added by sales, have slipped through the marketing net!

Refresh Your Email Address Database

You may have started H2 2018 with a fresh list, but have you validated that email address data since?

Having a clean email database isn’t a requirement of GDPR, but it was a beneficial exercise for many marketers. Incorrect, old or dummy email addresses are all examples of bad data which can cause havoc with your Pardot account. Bad data is the source of high email bounce rates, leading directly to poor deliverability and skewed email reporting.

There are many email address verification providers on the market that will sift through email addresses and pinpoint which are valid or invalid. You’ll find a few providers I recommend for Pardot users here – and also, it’s a good time to mention that this will be a big topic covered on the blog over the next few months!

Data Retention into Action

Data validation is a nice segue into data retention. What are your data retention guidelines? GDPR, in many cases, led organisations to shorten their data retention periods. Is data retention managed centrally in your organisation, or do you need to speak up about your outdated data? Keeping only necessary and up-to-date data is known as ‘data minimization’, which sparks up images of marketers going all Marie Kondo on their marketing database!

What’s Next for GDPR?

Call it media scare (once again), but a sinister thread is running through the latest news articles. Headlines from TechRadar: “GDPR one year on: measured enforcement is just the beginning”, and the Wall Street Journal: “Large GDPR Fines Are Imminent, EU Privacy Regulators Say”, hint that there are interesting times ahead as GDPR grows up from its infancy.

On the other side of ‘the pond’, the California Consumer Privacy Act, nicknamed ‘GDPR-Lite’, will come into effect on 1st January 2020 – and tech giants are continuing to fight to change this looming ‘strict’ privacy law.

A fascinating debate has arisen regarding marketing data retention and AI:

“If data is removed upon request but has already been used to train an AI, has it truly been deleted?”, a question posed on the site, Marketing Land, “AI is both a black box and endlessly iterative, meaning that data can live on in some form forever, but exactly how it’s all but impossible to ascertain.” As marketing data collected permeates tools beyond our understanding, this could become a significant challenge in the future.


One year on since GDPR was enforced, overall, I believe that the regulation was beneficial, prompting marketers to ask questions about their marketing database/s and, for the most part, pointing them in the direction of marketing best practice.

Despite dystopian visions of a post-GDPR reality, penalties have been light, with big fines concentrated on a small number of organisations.

Let’s not forget what data privacy and compliance looks like, and not lose sight of the good habits GDPR prompted us to start.

