7 GDPR principles applied to marketing with examples

For marketers, the General Data Protection Regulation (GDPR) has changed the way they go about their business. This post explores the seven GDPR principles and how they apply to marketing, since GDPR compliance centres on these key principles.

1. Lawful, Fair and Transparent Data Handling

The first principle of GDPR compliance is “Lawfulness, Fairness and Transparency”. Lawfulness and fairness mean complying with GDPR and doing what you say you are going to do with data for a specified period of time.

Transparency alters the marketing and sales funnel significantly, particularly with regard to direct emails and email campaigns. Data subjects must now proactively opt in before their data can be processed, and the language giving them this option must be clear and precise.

Data subjects (e.g. customers) have other “transparency” rights, such as knowing the identity of the data protection officer (DPO), learning what data is being stored about them and knowing that they can withdraw consent. For a company to comply with these GDPR principles, efficient data mapping is essential.


To illustrate GDPR transparency, let’s say a keen reader, John Doe, wants to download an eBook sample from an online shop called “The Bookworm”. Before the download, he must provide his details, but the purpose of this data collection must be made clear and consent given. If the bookshop wants to add Mr. Doe to their emailing list, he must knowingly agree to it by opting in. Opt-out consent or a pre-checked opt-in box are no longer allowed.

2. Only Use Data for Stated Purposes

“Purpose Limitation” is the second core GDPR principle. It means data can only be collected and kept for specific purposes originally stated and consented to. If a company intends to share data with a third party for whatever reason, fresh consent must be given by the data subject. GDPR software can help define contractual liability when sharing data with other companies.


Using the same protagonists as before, let’s assume The Bookworm offers a self-publishing service that lets budding authors see their books in print. The Bookworm farms out the book printing to another company, with which it must share the customer’s data. Before John Doe can publish his book, he must give new consent to his data being shared with the printing company. This printing company can only use the data for its specified purpose.

3. Don’t Collect More Data Than You Need

“Data Minimisation” is the third GDPR core principle. It means only collecting sufficient data to achieve the intended purpose. It is a breach of GDPR to collect and store more data than is necessary. Data retention must be carefully managed, and the amount of data held should be justifiable. GDPR-compliant CRM systems and software help.


The Bookworm online shop allows customers to create a profile page where they express their taste in books. It might request consent for this information to be used in personalised marketing emails. The shop would have a legitimate use of this information. However, if it attempts to collect superfluous data about family or health, it is in breach of GDPR.

4. Keep Data Accurate and Up-to-Date

GDPR principle number four is “Accuracy”. Data controllers must ensure that stored data is accurate and fit for its purpose. Data subjects also have a “right to rectification” under GDPR, meaning they can have their data corrected or updated. To meet these ends, companies need efficient data maintenance and subject access management.


John Doe has switched internet service providers and no longer uses the ISP email address associated with his old account. He gets in touch with The Bookworm online shop to request that emails be sent to his new email address from now on.

5. Don’t Keep Personal Data for Longer than It’s Needed

The fifth GDPR principle is “Storage Limitation”. Companies should delete data once it is no longer needed. The GDPR states that data must be “kept in a form which permits identification of data subjects for no longer than necessary”. To comply with this, databases must be subject to regular review and cleansing.


John Doe signs up for a 12-month Bookworm writing correspondence course via email. Once the 12 months are up, the company should delete his data. For GDPR compliance, data can only be stored for the duration of the purpose it was collected for.

6. Keep Things Secure

GDPR principle number six is “Integrity and Confidentiality”. It makes companies responsible for all aspects of IT and physical security, including risk assessment and installation of appropriate security for the data being held.


With John Doe’s details stored on its database, The Bookworm must, under the GDPR, take appropriate measures to protect his data in a manner that befits its sensitivity. Some data, such as biometric data or data about children, is deemed highly sensitive.

7. Prove Compliance

The seventh GDPR principle is “Accountability”. Under GDPR, companies must demonstrate compliance at every step of their operation and ensure it is easily and quickly provable. Modern GDPR software provides invaluable help in achieving this.


To promote a new series of novels, The Bookworm plans an email campaign, inviting some of its regular customers to a reading event hosted by a third party. First, the shop must obtain its customers’ consent to use their data and share it with the third party. It also needs a contract under Article 28 of the GDPR, carefully detailing the data-handling obligations of both parties (data controller and processor).