You have data that is not compliant? What needs to be done?

Do you have data that is not compliant? What to do about it?

It seems that since the entry into force of the GDPR, a veritable flood of articles and guides on the correct & compliant behaviors, as well as threatened fines for misconduct, has descended upon us.

Tips & tricks were discussed everywhere to ensure that globally-active companies can continue to operate in compliance with the law in the future.

The main focus of the GDPR – both in terms of communication around the regulation, as well as the legislation itself – is on one aspect in particular: data. More specifically, how data is released, collected, retained, accessed, anonymized, and deleted.

A 2017 report by W8 Data provides us with a somewhat disturbing statistic: the requirements of the GDPR will render about 75% of all currently existing customer data useless.

Marketing teams operating internationally have been preparing for this for weeks and months, and the result has been record numbers of re-permissioning campaigns across any and all industries.

But going back to the above study, if only a quarter of all existing customer data can be used thanks to the GDPR, this raises some crucial questions:

► How can you find out which data is still usable and how can you sort out those?

► How should you deal with the enormous amount of data that has supposedly become unusable?

► How can you ensure 100% of your data is compliant in the future?

We need to collectively rethink and get rid of the idea that all data collected prior to the GDPR that may be non-compliant would be unusable as of now. This is not the case. In fact, already existing data ARE still usable – just in a different way & manner.

How do you know which data – in accordance with the GDPR – may continue to be used and which may not??

If you're concerned about whether some, most, or even all of your important customer data has been collected in non-DPR-compliant ways in the past, you're not alone in that concern.

Before the GDPR, most countries had different regulations and laws on data protection. Hungary, for example, enforced very strict laws and guidelines even before the GDPR came into effect. Meanwhile, here's what's happening: No matter where you are in the world, the most important thing is that you have clear consent from consumers to use their data.

As my colleague Alex Timlin put it, "There are bad practices [for data use] all over the world. What we need are better regulations and laws against the 'bad boys'.'"

Some methods of data collection that may have been acceptable in the past are now no longer acceptable. The situation is similar for some types of data usage – here, too, things will have to change in the future. As of now, z.B. the following is no longer allowed:

  • Use email addresses that were collected for a specific use / reason for another use (z.B. Send unsolicited marketing emails to contacts who have signed up for a magazine)
  • Communications with customers for which clear consent / assent (on the part of the customer) cannot be demonstrated
  • Using pre-checked boxes to consent to receive further messages – obtaining this consent must be "clear & conspicuous" and requires an unambiguous action (z.B. by putting a check mark) by the customer

If you have the ability to isolate individual (already sent) campaigns in your CRM and find out how the op-in took place, you can sort out which data was collected via non-compliant methods and which data is still compliant and can still be used.

This approach is very helpful in some cases, but does not provide a 100% guarantee. The better option is: take action now and make sure your contacts want to continue receiving messages from you.

How to do it? It's easy: With re-permission campaigns

Re-permission campaigns can make the most of data that has already been collected

Data that has already been collected – even email addresses that you are sure were collected in non-DPSR compliant ways, or. unsolicited messages received – are not useless.

You can (and should!), we still use it for re-permissioning campaigns.

Back in March, we published a comprehensive guide on the topic: the ultimate guide to EU General Data Protection Regulation (GDPR) re-permissioning campaigns. The guide explains all the important steps you should follow for these types of marketing campaigns.

In general, re-permissioning campaigns are recommended for ALL contacts (especially in the context of the GDPR). However, they are particularly useful for those of your contacts who have been inactive for a long time (approx. 6 months), or that triggered hard bounces for you, or. Have your messages marked as spam. These are all signs that these contacts are not interested in further communication with your brand. The reasons for this can be many – general disinterest in further updates, inconsistent ideas about what communication with your brand should look like, etc.

Ensure data compliance and …continue with the program

Apart from the high fines (max. 4% of annual revenue, or 20Mio. €) that companies face for not complying with the GDPR directive…what else can happen if you continue to use contact data that was not collected legally?

If you continue to send messages to contacts who are not interested in communicating (anymore), you risk the following:

  • Less high engagement – lower open rates, click-through rates, and click-to-open rates
  • Negative impact on your deliverability rate and your sender reputation/score
  • Negative impact on your brand reputation
  • Reducing conversions in future campaigns
  • Fewer orders/purchases and stagnant sales

"Dirty data" is a problem that many companies are currently facing. According to a 2016 Harvard Business Review article, unclean data costs the U.S. about $3 billion per year. It's important to note that not all dubious or unusable data is due to a marketer's individual practices. (See our article on dirty data and database hygiene).

Nevertheless, it is essential that you regularly update your customer database and keep it free of addresses that are no longer usable – To do this, you can take various measures: using sign-up forms, obtaining clear consent from the contact, credibility & transparency on the company's side, etc. Ensuring that you only keep contacts in your database who are interested in communicating with your company. This is the ideal state for all parties involved.


Transparency and immediacy are the name of the game when it comes to data collection and processing. The same should apply to your efforts to obtain consent/consent from potential contacts. In your communication, focus primarily on the added value of each interaction for the consumer.

If you still have non-DSGVO compliant data in your database, this is not yet a cause for alarm – many companies feel the same way.

What matters now is to take the right steps to establish compliance and optimal database hygiene as quickly as possible. As of now, you should only be DSGVO compliant and also align all of your data collection with the new guidelines. The goal here is to ensure 100% compliance with the regulations of the european. Achieving privacy baseline. A side effect that should not be underestimated: more satisfied customers and better customer loyalty in the long term. ◾

Levente Otti has been serving as Head of Data at Emarsys since 2015. In his role, he is accountable for heading the Data team and addressing data-related projects like data storage, how to query and collect data from a variety of sources, evaluating data mining models and performance, and implementation and deployment of machine learning solutions in large-scale scenarios.