How to prepare for the new EU data laws | DMA





New EU data legislation is set to pass this spring, giving consumers better protection and more rights regarding how businesses use their personal data.

Companies will have two years to implement the changes before they are enforced by law, so marketers need to be aware of the changes and start planning what needs to be done to comply.

Forewarned is forearmed, so here’s what should be on marketers’ to-do lists over the next two years before the legislation comes into force.

1. Make sure that opt-in is a positive action

Under the new laws, customers will have to actively give consent for you to use their data, whether it’s information gathered about the user or information they’ve explicitly provided.

For example, opt-in tick boxes can no longer be checked by default, and details of which of your outlets a customer has visited can no longer be collected without consent.

2. Explain how customers’ data will be used

When you ask for a customer’s data, you will need to clearly state why it is being collected and how it will be used. This should be in plain and accessible language and should cover all possible uses of their personal information.

Good planning is the key here, as trying to gain consent retrospectively will prove difficult and costly.

3. Think about how you store customer consent

Tightened rules around customer consent mean you’ll need to store it in such a way that you can access it easily and update records when necessary, while still keeping it secure.

In the event of a dispute, it’ll be up to you to prove you obtained explicit consent from the customer.

4. Ensure continued consent from your customers

This isn’t fully clear yet, but under the new laws businesses will have to ensure that guests continue to consent to their data being used for the reasons it was collected.

This might depend on engagement, so you may need to run regular lapsed guest programmes to demonstrate recent consent and remove users whose consent has expired.

5. Provide a way for customers to get in touch

The new laws will give individuals the right to be forgotten by companies, so you’ll need to give customers clear instructions on how to get in touch and have a clear internal process for dealing with these requests.

6. Update your crisis management plans

Under the new laws, security breaches where customer data might be exposed will need to be reported to both the data regulator and the individuals whose data is at risk. You’ll need to update your current crisis management plans to reflect this.

You can find more details on what the new EU data laws mean for multi-unit businesses here, or if you have a more specific question you can always get in touch.

