GDPR: Best Practices for Your Marketing

12 steps to prepare for GDPR
You can click on this graphic from the ICO to get their full PDF. And here’s a link specific to Legitimate Interests in case you want to jump right to that.

Marketing Best Practices – Kokoro Looks at GDPR

The EU’s GDPR (General Data Protection Regulation) applies to those of us who market to, email to, or sell to people in the EU. Here’s a look at some of the key GDPR topics for our industry. There’s a lot to GDPR and we’re not lawyers – we just wanted to highlight these key points in order to help fellow marketers and business people. So, to my way of thinking, things pretty much fit into three main categories:

  • Refreshing Consents
  • Internal Procedures and Documentation
  • External Documentation (including Privacy policy)

Read on for details…

1. Consent
Review and document how you get, record, and manage consent. For your marketing, consider these two areas:

  • Documenting consent for existing contacts
  • Documenting consent for new contacts

Trade Shows
Prior to exhibiting at a trade show you’ll want to verify that the trade show gets explicit consent from attendees when they register for the show. If it does not, you would want to get explicit consent from prospects who give you their contact info at your booth – you may want to do that in any case.

Existing Lists
Most of us have existing lists and databases of prospects and customers. The way we read the GDPR standard is that the company needs to have a record of how and when the person gave consent to be entered into the database and when they agreed to receive marketing emails. If your current consents don’t comply with the GDPR standard then you would need to refresh existing consents and document accordingly. You may need to contact people by email or phone and document that they want to receive marketing emails from you. There is also documentation that talks about how legitimate interests can be considered a lawful basis for processing data and if you think that may apply to you, read more about that here.

Opt-in / Sign-up Forms
When someone signs up for a white paper, for example, the form should have a country field and a checkbox for the person to tick to indicate whether they want to receive marketing emails from you. All existing forms should be updated with a country field and an opt-in tick box. Consent must be explicit; it can’t be implied.

As ever, there needs to be a way for people to opt-out of marketing emails.

Here is how Consent is defined by the ICO (Information Commissioner’s Office).

2. Privacy Policy
Update your privacy policy if needed. It should be clear and easy to understand, explaining what data you collect and what you do with it. It should include your lawful basis for processing data (e.g. they purchased a product from you, or they asked you for marketing info by email). See good and bad privacy policy examples from the ICO here. Consider using a service such as Iubenda ($27/year) to generate privacy and cookie policies, and more, that are specific to your company. (Thanks to Winterstreet Design for telling us about Iubenda!)

3. Person at Your Company in Charge of Data
Name a data lead or data officer for your company. This can be a person who works at your company or it could be an outside firm or attorney. Your data lead or data officer needs to know how data flows at your company and should have that documented, too. Check with your attorney if you have questions about GDPR compliance for your company.

4. What Else Should I Know?

Check out the links below for GDPR details; there’s a lot of info. GDPR pertains to all data collection, retention, and use for all areas of your company, not just the top marketing topics we covered here. You need to comply with GDPR if you have customers, prospects, or offices in the EU. Ask your attorney if you have questions about your GDPR compliance.
Watch the replay of our GDPR webinar here
GDPR Webinar from Kokoro Marketing and NAB Show

ICO’s Guide to the General Data Protection Regulation (GDPR)

ICO’s Preparing for the GDPR: 12 Steps (includes the above infographic and more)

Consent – ICO’s Detailed Definition and Checklist

And specific to Infusionsoft users, here is some info just for you

You can use your own campaigns to set up GDPR compliance or you can use Infusionsoft’s new, free GDPR compliance campaign. To install it into your Infusionsoft app, go to the black bar, navigate to the Marketplace drop-down menu, and choose Products and Services. In the search box type in GDPR. Select the GDPR Helper Campaign and install it into your app. Here are the campaign instructions.
Steps to take:

  1. Put a link to your newly updated privacy policy on every webform and every landing page.
  2. Track the lawful basis for having each contact in your database. You could, for example, use tags for this.
  3. Know about your contacts’ data rights:
    • Right to be informed (link to your privacy policy)
    • Right to object, to rectification, to erasure, and to restrict processing
    • Right to data access and portability – a person can ask you what data you have on them and ask to see it in a readable format (e.g. PDF)

And here is a link to Infusionsoft’s new GDPR Readiness Guide.
About refreshing consents

• At the most basic, you could simply send the Infusionsoft double opt-in (email confirmation) email to everyone. The system won’t send it if the person has already opted in. The email text can be customized a little bit.

• If you want to be more granular, you can set up an email preferences center with checkboxes or tick boxes for the various types of emails you send out (e.g. newsletter, promotions, software updates). You can keep track of a person’s preferences with tags or custom fields, and you can document this with a note in the contact record.

• Another approach is to analyze the data and note: 0) contacts who have already double opted in / clicked through an email confirmation, 1) contacts in the EU, 2) contacts not in the EU, and 3) contacts whose country we don’t know. Klean13 has a service that can segment your list like this. In the case of 1 and possibly 3, you could create a campaign with a series of emails asking them to opt in, either using the Infusionsoft double opt-in email or using your own email and/or form with tags and custom fields.

As a company, you’ll need to decide how to proceed with contacts who don’t confirm their opt-in. You will also need to deal with data from customers who have purchased from you and document that, too.
• Infusionsoft will be rolling out some new GDPR compliance settings in our apps in mid-May. We are continuing to update this post as new info is available. Ask your attorney if you have questions about your GDPR compliance.
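The segmentation described above (0 confirmed, 1 EU, 2 non-EU, 3 country unknown) and the "keep a record of how and when consent was given" rule from the Existing Lists section both come down to a small amount of bookkeeping per contact. The script below is an added example, not code from Infusionsoft, Klean13 or Kokoro: it stores a timestamped consent record with its source and evidence, assigns each contact to one of the four segments, and flags segments 1 and 3 for the opt-in refresh campaign. The tag names (`gdpr:eu-refresh`, `lawful-basis:consent`), the EU/EEA country list and the sample contacts are all assumptions constructed for the demonstration.

```python
"""Consent records and GDPR refresh segmentation for a marketing contact list.

Added example, not Infusionsoft's, Klean13's or Kokoro's code. Tag names,
country set and sample contacts are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Assumption: EU-27 plus EEA ISO 3166-1 alpha-2 codes. Maintain this set from
# an authoritative source in real use; it is illustrative here.
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",                # EU-27
    "IS", "LI", "NO",                # EEA
}

# Segment numbers follow the post: 0 confirmed, 1 EU, 2 non-EU, 3 unknown.
SEGMENT_TAGS = {
    0: "gdpr:confirmed",
    1: "gdpr:eu-refresh",
    2: "gdpr:non-eu",
    3: "gdpr:country-unknown",
}


@dataclass
class ConsentRecord:
    """The record the post says you need: how and when consent was given."""
    given_at: datetime      # timezone-aware timestamp of the consent
    source: str             # e.g. "double-opt-in", "booth-form", "webform"
    evidence: str           # form id, confirmation message id, or note text


@dataclass
class Contact:
    email: str
    country: Optional[str]  # ISO code, or None when the country is unknown
    consents: list = field(default_factory=list)
    tags: set = field(default_factory=set)


def record_consent(contact: Contact, source: str, evidence: str,
                   when: Optional[datetime] = None) -> ConsentRecord:
    """Append an auditable consent record and tag the lawful basis."""
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("consent timestamps must be timezone-aware")
    rec = ConsentRecord(given_at=when, source=source, evidence=evidence)
    contact.consents.append(rec)
    contact.tags.add("lawful-basis:consent")
    return rec


def segment(contact: Contact) -> int:
    """Classify a contact into the four buckets from the post."""
    if contact.consents:            # already double opted-in / confirmed
        return 0
    if contact.country is None:     # country unknown
        return 3
    if contact.country.upper() in EU_EEA:
        return 1
    return 2


def needs_refresh(contact: Contact) -> bool:
    """Segments 1 and (per the post, possibly) 3 get the opt-in campaign."""
    return segment(contact) in (1, 3)


def apply_segment_tags(contacts) -> dict:
    """Replace any stale segment tag with the current one; return counts."""
    counts = {0: 0, 1: 0, 2: 0, 3: 0}
    for c in contacts:
        s = segment(c)
        for tag in SEGMENT_TAGS.values():
            c.tags.discard(tag)
        c.tags.add(SEGMENT_TAGS[s])
        counts[s] += 1
    return counts


def sample_contacts():
    """Constructed sample data: one contact per segment."""
    anna = Contact("anna@example.org", "DE")
    record_consent(anna, "double-opt-in", "confirmation click, msg#1001",
                   datetime(2018, 4, 2, tzinfo=timezone.utc))
    return [
        anna,
        Contact("ben@example.org", "FR"),    # EU, no consent on file
        Contact("cara@example.org", "US"),   # non-EU
        Contact("dan@example.org", None),    # country unknown
    ]


if __name__ == "__main__":
    contacts = sample_contacts()
    print("segment counts:", apply_segment_tags(contacts))
    for c in contacts:
        print(c.email, "segment", segment(c), "refresh" if needs_refresh(c) else "ok",
              sorted(c.tags))
```

Once a contact clicks through the refresh email, calling `record_consent` with the campaign name and the confirmation evidence moves them into segment 0 on the next run, so the same script doubles as the progress report for the campaign.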

Here are links to Infusionsoft’s new GDPR DPA (data protection agreement) details:
Need a little help? Want to know how the Kokoro GDPR Package can help you? Book a meeting here or email us.