What is and what was the impact of GDPR in marketing?

Public Relations Jimena Alarcón

Throughout this century, there have been few cases in which large, prominent companies have been involved in international scandals involving the hacking and theft of their customers' personal data. In the most recent incident, Facebook didn't suffer a hack or theft of information per se, but one of its partners, the intelligence company Cambridge Analytica, used the personal data of users (of Mark Zuckerberg's company) to influence the 2016 United States elections and the departure of Great Britain from the European Union.

Whether by cyber theft or carelessness, what is certain is that the digital era is facing a dilemma that nobody had anticipated: the treatment and value of the personal data that millions of people give every day and at all times, sometimes unconsciously, to hundreds of companies, some of which do not pay enough attention to protecting it and making good use of it.

That is why GDPR emerged in Europe. In this article, we will explain what it is and how it will influence your next digital marketing campaigns.

What is GDPR and what are its implications?

It is a fact that much of the reason for these scandals also has to do with legal gaps and the lack of understanding that authorities and judges have of the subject (that is why Zuckerberg wasn't called to testify in a court but before the US Congress: before acting, its members wanted to understand what was going on).

The European Union "acted properly" and in April 2016 adopted the General Data Protection Regulation (GDPR), which entered into force on May 25, 2018. This regulation puts personal data at the highest level of legal compliance and protection and applies to all companies that work with the personal data of European residents, even when these companies don't have their headquarters in Europe.

GDPR takes the individual as the axis of data protection, which is why it gives people the right to know and decide how their personal data is used, stored, transferred, protected and eliminated. But it goes further, because people can now request detailed reports on such use and can even request that all their data be deleted.

Likewise, GDPR grants users the right of portability. This means that the data must be in a structured, commonly used and machine-readable format (an Excel file, for example), so that people can easily export it and transfer it to another responsible party.

For brands, this implies that they must change certain processes in such a way that they transparently collect, use and protect personal data, which will undoubtedly influence the way digital marketing will be performed in the short term.

"My brand is Mexican and my company is based in Mexico, how does this affect me?"

According to PwC's Global State of Information Security Survey 2017, it is estimated that 87% of companies in Mexico have had an information protection incident. Likewise, in 2014 the costs of cyber crime were 3 billion dollars.

If your brand is marketed in European territories or has its headquarters in that continent, and collects personal data, you must comply fully with GDPR, as well as take measures to securely protect and store the data of your customers.

Another reason why GDPR is relevant is that it sets out the concept of the data controller, which must take responsibility for the data and create and implement measures so that no one violates its security and it is safeguarded correctly.

What happens with the General Data Protection Regulation Federal Law in Possession of Individuals?

The General Data Protection Regulation Federal Law in Possession of Individuals has been in force in Mexico since July 2010. It has some differences from and similarities to GDPR, such as:

  • Both contemplate the figure of the data controller, but the GDPR leaves more open the cases in which the entire brand has total responsibility and what measures it must take to fulfill its function.
  • Mexican law does not contemplate the preparation of a privacy impact plan for the use of new technologies, but GDPR does.
  • Both the Mexican law and GDPR contemplate that the data controller must implement measures to ensure security, but the former goes further and details some of them.
  • Both regulations include protocols, self-regulation of companies and security certifications.

In addition to the above, one of the biggest differences between GDPR and Mexican law deserves separate mention: legitimate interest, that is, the reasons why the company collects personal information. The GDPR contemplates this interest of the data controller as one of the conditions for the legitimate processing of personal information, but Mexican law does not. Under Mexican law consent is tacit, except for the processing of sensitive information such as racial origin, present and future health, as well as genetic, religious, philosophical and financial data.

It should be noted that outside of the European Union, Mexico is one of the most advanced countries in terms of data usage regulation.

"And what happens if I do not comply?"

The GDPR fines for non-compliance are approximately 23,440 million dollars or 4% of the company's annual revenues, depending on the infractions committed. Furthermore, if a European citizen demonstrates that a brand is misusing their personal data or breaching its privacy terms, the brand will be exposed to public humiliation by European authorities, which results in a loss of reputation and income.

"How can I make sure that I comply with these regulations?"

To do this, the first thing you should do is to have a document that details the following:

  • The purposes for which the data you collect will be used
  • The security measures you apply to this data
  • How long you will store the data
  • Constant evaluations of the security measures

Likewise, you must:

  • Have an inventory of data and record all the internal and third-party processing of European personal data.
  • Notify your clients if you have suffered a security breach or if the data was compromised.
  • Guarantee the right of your clients to access, correct, port, erase and oppose the processing of their data.
  • Periodically evaluate data security protocols.

GDPR benefits for brands

With so much regulation, obligations and changes, the outlook is not very encouraging for brands, but not everything is negative.

If you comply with the regulations, you can get benefits such as:

  • Impartially analyze your brand's security level.
  • Ensure the continuity of the business.
  • Detect security risks that could lead to a hack, theft or cyber-terrorist act.
  • Apply improvements in your company.
  • Avoid monetary losses and damage to your brand image.
  • Stimulate your investors and customers.
  • Prevent illegal data commerce.

Will GDPR change the way you do business?

Given all of the above, if you do digital marketing and collect data from your customers, you must implement several changes to avoid committing an offense under European regulations. But the consequences of GDPR go further, for example:

  • Cloud information: since much personal data is processed with this type of service, it is vulnerable to attacks, theft or leaks from anywhere in the world. Companies should invest in training their employees to ensure its protection. Be careful, because we are not only talking about sensitive customer data but also about that of employees.

  • Hardware: taking into account that your brand is responsible for data management of your customers, if you use or sell any hardware or gadget that connects to the internet or with other gadgets via WiFi or Bluetooth, you must guarantee 100% that these devices will not be vulnerable to hacks, thefts, and other security problems.

  • Cryptocurrencies: If you plan to use this way of making economic transactions on the net, it is very important that you bear in mind that you will surely be the target of attacks or attempted attacks in the near future.

  • Blockchain: same case as cryptocurrencies, because although this method of transactions is safe to date, this is not a guarantee that it will remain that way forever, so you must protect yourself by complying with the regulations in case of facing any vulnerability.


International regulations, whether from Mexico, from Europe or from anywhere else, are aspects that you should consider because they could affect your brand, especially if you do business outside the country. Bear in mind that data marketing is one of the most important branches of digital marketing for predicting the behavior of your consumers and guiding them to a particular action, but if you process data carelessly, you can face criminal liability, loss of reputation and other critical drawbacks.

Remember that you can always approach us for advice. We will help you create the strategy for protecting your customers' personal data, talk about your crisis management and implement together the mandatory changes in digital marketing.
