Data Management and GDPR

Data Management and GDPR

“There is a delicate balance between having enough data about your customers to be an effective and proactive marketer and keeping within the law and GDPR compliance.”

  • Moving from third party to first data by 2023
  • The onus on quality and compliance
  • Knowing what you can and cannot do with the data
  • What to collect and how best to store it
  • Data for preparing marketing strategy and plans for the coming years

Why is First Party Data So Important in 2022

2020 – Apple began removing trackable data in iOS14

2021 – Google announced removal of tracking cookies in Chrome by mid 2023 

2022 – Meta begins removing tracking options for sensitive topics (race, ethnicity…)

What Next

“While all these changes are happening, customers are clamoring for more personalized and customized omni-channel experiences. To deliver, exceed expectations, and stay ahead of the competition, organizations need to pivot. This will mean a new data collection strategy and likely new technology that can help organize, sort and manage that data.”

Welcome CDP (Customer Data Platforms)

“CDP is the tool to manage 360 degree profiles of customers. CRM on steroids. Where customer persona profiles meets customer journey mapping meets obsessive tracking and intelligence to inform deep decision making. The ultimate goal is optimum customer experience and the next step… metaverse marketing?”

Seismic Data Shift 

“Because users are generally unaware of how their data is used and are unlikely to consent to sharing their data, the $152 billion US digital advertising industry will lose access to most third-party data, which has powered programmatic advertising.”

“Advertisers and publishers will now need to depend primarily on their own first-party data, or on data from walled gardens, contextual targeting, and greater support from data platforms. 2 Industry participants’ preparedness to take on this task varies widely, but advertisers, publishers, and data platform companies all have the opportunity—and an imperative—to redesign their data solutions. The right path for each stakeholder will be different, but the cornerstone effort should be to create and sustain consumer relationships that produce a value exchange, meaning content from or access to publishers and platforms in exchange for personal data, that is based on trust. Advertisers will need to build new data strategies that rely on first-party data or cooperate with walled gardens.”

Where To Begin? 

Create Customer Personas

Plot Customer Journeys

Quantify Data At Every Step

Create Data Visualisations 


GDPR Accountability Principle

“GDPR requires data handlers to show how they comply with the principles – for example by documenting the decisions they take about a processing activity.”

Maximum Fine for breach UK GDPR is £17.5m (or 4% annual global turnover, whichever is greater)

In 2021 Amazon was fined 746 million Euros

Top 5 GDPR Principles (Andrew Gallie, Senior Associate, VWV)

1. Understand what personal data your organisation holds, to ensure nothing “falls between the cracks” of GDPR compliance.

2. Focus on information security as the majority of data protection fines are due to security breaches.

3. Be prepared. Individuals are becoming ever more aware of their rights.

4. If you use a third party to handle personal data on your behalf then you should check the contract contains the data protection provisions mandated by the GDPR.

5. View the GDPR as an opportunity; a good excuse to interact with your customers, employees and other stakeholders. J Cromack

– Before selecting any technology solutions, ensure you audit and understand the lawful reason you are applying to the processing of that data

– Ensure your employees, data processors and any third parties are fully trained

– Know whether you are a data controller or processor. Understand your obligations in each capacity and review vendor contracts to ensure they meet requirements

– Transparency is key. Ensure your privacy notices and statements reflect your practices around data processing. Do not hide behind the jargon.

Lawful Basis for Data Holding

Consent, Contract, Legal Obligation, Vital Interests, Public Task, Legitimate Interests, etc. 

Data Minimisation

You must ensure the personal data you are processing is:

1. adequate – sufficient to properly fulfil your stated purpose;

2. relevant – has a rational link to that purpose; and

3. limited to what is necessary – you do not hold more than you need for that purpose.

Legitimate Interest Data Capture and Usage

“If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.

You must include details of your legitimate interests in your privacy information.”

For more help with data management and GDPR, visit