New EU data laws approved

Marketers need to act on the General Data Protection Regulation now if they are to avoid putting business continuity at risk.

On 14 April, the European Commission approved tough new data laws – the General Data Protection Regulation (GDPR) – which will come into force in 2018.

It’s a major shake-up: more than 200 pages of major reforms will introduce concepts such as the consumer’s ‘right to be forgotten’, raise levels of verification for opt-in consent, demand that companies store consent permissions, and make unapproved data unusable. Companies that don’t comply could be fined up to 4% of their global turnover, or €20m.

According to Henley Business School, the new statutes are “a huge threat to business continuity for the marketing sector in the UK”.

Maybe, but the laws should not be a surprise for marketers. It has taken four years of discussions to reach this point, but even if businesses have remained unaware of the path towards legislation, few can have missed the fact that the uses and abuses of customer data have been a hot topic for years.

Something was always going to be done, at some point, especially as the EU data protection directive, which the new laws will replace, was written in 1995 – it is essentially a relic of a pre-internet age, and certainly not fit for purpose in this time of social media, cloud computing and the Internet of Things.

The GDPR will bring definition, clarity and accountability to data practice. Much more than bringing in a code of ethics, it will enforce transparency and create a legal framework around the ‘Single Digital Market’.

For many marketers, it is likely to signal upheaval. All private and public organisations operating within the Eurozone that hold 5,000 or more customer records will have to assess and change their approach to the data they hold. GDPR will also affect global supply chains – for example, companies in India that hold data about EU citizens must also conform to the new laws.

For some companies, it could mean a laborious and expensive appraisal of data they – or their outsourced suppliers – already hold. For others, it will necessitate a radical overhaul of the way they do business.

It’s also likely that the demand for data protection officers – whether in-house or independent – will increase dramatically. Research by the data protection recruitment agency GO DPO EU estimates that in the financial services sector alone, around 33,000 companies might require a data protection officer in order to meet some of the new regulations.

Marketers will recognise that the new regulations reflect a growing demand for reform among consumers, and the hope of putting an end to headlines about data breaches by household-name brands. But knowledge isn’t enough. Compliance advice from the Information Commissioner’s Office needs to be acted upon now.

Data protection is no longer a talking point; it’s the new reality.

For more information about the new regulations, visit

Steve Woolley, Head of External Affairs, CIM