We are less than a year away; by 25th May 2018, organisations will have to comply with the General Data Protection Regulation (GDPR), the EU’s new legal framework on data protection.

However, according to a survey by the Direct Marketing Association, one in four (26%) of marketers believe their businesses are currently unprepared for its arrival, and only 68% are confident they will be compliant by the deadline. With the possibility for fines to reach up to 4% of a company’s global revenue, it is becoming an increasing concern for businesses. There is a real need to get up to speed with the new regulations quickly.

The GDPR rules prevent brands from using any personal data unless they have explicit permission to do so. No more of those lengthy and convoluted forms that users skip through and sign off on without reading; instead the responsibility is on brands to make it clear to the user what they are agreeing to.

Collecting users’ data is a major part of many marketing campaigns – including relying on that information to determine strategy, direct retargeting, and build look-a-like audiences. Given that the definition of ‘personal data’ now includes a user’s IP address and cookies, the typical ways user databases have been built now need to be re-examined and potentially overhauled.

Marketers will need to take any risk to privacy very seriously; it will require them to reconnect with their CRM databases to ensure that any data they collect, or already have, is compliant.

The big ones to look out for in terms of privacy in CRM data collection are names, addresses, ID numbers, and location data. Advertisers spend a lot of time trying to link online behaviour to individuals via user IDs/cookies; this has now been made much more difficult, but not impossible.

A clear change to the media supply chain is needed, clearly stating whose responsibility it is to obtain consent – typically the first party publisher who will outline how the data will be used. Although it might make brands have to work harder, and potentially re-develop targeting strategies in the short run, a new approach to data collection was needed and the new rules put consumers first and trust back in the system.