4 min readEU Data Protection Reform: It’s as Easy as A, B, C


New EU Data Protection law: a blow-by-blow guide to dealing with it

Data Protection Law is something every CRM marketer comes up against, and in 2016 another tranche of bills will pass into law – affecting all 28 EU member states, including the UK.

While perhaps needlessly complex (like much European Union legislation!) it’s not as hard as you think. Here’s how it matters to you… with some of the good outcomes at the end.

First, the big one:

1. User consent must be explicit, not implied

Many EU businesses follow an American model where data protection is involved: consumers will be sent marketing communications unless they specifically opt out.

For EU businesses (and those doing business in the EU) that will be illegal.

In the next 12-18 months (the legislation is being introduced gradually – but not that gradually!) all EU businesses will be required to collect, record, and retain explicit proof that everyone on their mailing lists explicitly opted-in to receive marketing communications outside the topic of immediate interest.

(In other words, “ham” emails – essential stuff like transaction confirmations and billing – are allowed, but following on the next day with an up-sell or cross-sell offer is not, unless that customer explicitly said Yes to it.)

This is a fundamental difference between US and EU law. Since much CRM software hails from the US, this can create problems. Your CRM professional can advise on the right policies to adopt to stay the right side of the law.

2. Opening an account does not grant consent

You might think opening a user account is an explicit opt-in. Think again. According to the DMA, simply providing an email address or other data does not confer any right on the marketer to make further use of it.

As a case from retailer John Lewis shows, even a pre-selected “Yes, I’d like to receive emails” in your signup process doesn’t satisfy all requirements for openness and transparency. Your customer must explicitly select (no pre-ticks!) from a clear choice, without having to deal with long-winded T’s and C’s.

3. Penalties become much more defined

While there have been a few big cases, most EU Data Protection violations have been small-scale and settled without recourse to the courts. The new laws, however, allow for fines of up to 100 million Euros – and passed with overwhelming support in the EU Parliament.

Furthermore, there’s no get-out clause for honest mistakes. An individual consumer will be able to sue for privacy violations: that single email your marketing department sent in error could carry consequential risk running into the millions.

4. To avoid a repeat, you’ve got to delete

The “right to be forgotten” you’ve heard about in the news is at heart simple: if a consumer wants his/her data deleted from your servers and you have no legitimate reason to retain it, it’s time to say goodbye.

For many CRM marketers, deleting user data is anathema – in fact, some CRM applications don’t even allow it! Ask your CRM partner where your stand: they’ll be able to find a legally valid solution.

5. Being based outside the EU is no excuse!

Just as a great many EU companies have to satisfy American reporting requirements as a cost of doing business in the USA, any non-EU business that touches EU citizens falls within the scope of the new EU data laws.

It’s unclear how enforceable this will be, but pay attention if you outsource customer data (particularly security in the cloud) to countries with different legal regimes to the EU. They may be applying policies that don’t fit the new requirements.

But there’s some good news…

It’s not all red tape – particularly if you have under 250 employees. Savvy CRM marketers may even be able to turn the new EU data laws to their advantage! Are you one of them?

For instance, the requirement to appoint a named individual as your data protection czar (what SME can afford that?) is going away across all 28 states. Same goes for the impact assessments and notification fees some countries demand. And the long arm of the law, if it knocks at your door, applies EU-wide: you won’t have to deal with 28 investigations for a single alleged offence.

Overall, the new legislation does what it says on the tin: makes life harder for spammers, and smoothes the playing field across the EU’s single market of 350m people. And for many CRM-using businesses, that’ll be a good thing.


  • Check for consent: it must be explicit, not implied
  • The right to be forgotten applies to your database as much as Google’s
  • Fines start with a single offence and go up to 100 million Euros
  • The good news: EU Data Protection Law is now the same EU-wide

EU Data Protection Laws start with securing your customer data – and there’s no better way to start than with The ultimate guide to: security in the cloud