GDPR went into effect in May 2018 and fundamentally changed how marketing teams handle data for anyone in the European Union or European Economic Area. It applies to any organization that processes data of EU residents, regardless of where the organization is based. If you have EU contacts in your database, GDPR applies to you.

The key principles for marketing operations include lawful basis for processing (you need a legal reason to hold and use someone's data, typically consent or legitimate interest), data minimization (collect only what you need), purpose limitation (use data only for the purpose you collected it), and data subject rights (individuals can request access to, correction of, or deletion of their data).

For MOps teams, GDPR compliance requires several operational capabilities: a mechanism to capture and record consent (usually through opt-in forms), the ability to segment your database by consent status, a process to handle data subject access requests (DSARs) within the required 30-day window, and the ability to delete a person's data across all systems when requested.

The practical impact on email marketing is significant. In GDPR jurisdictions, you need explicit opt-in consent before sending marketing emails. Pre-checked boxes do not count. Purchased lists are effectively off-limits. And you need to maintain records of when and how consent was obtained.

Fines for non-compliance can reach 4% of global annual revenue or 20 million euros, whichever is higher. While most enforcement has targeted large tech companies, the risk is real for any organization processing EU data at scale. Treat GDPR compliance as a business requirement, not a checkbox exercise.

Frequently Asked Questions

Does GDPR apply to US companies?

Yes, if you process personal data of EU residents. If you have EU contacts in your marketing database, EU visitors on your website, or EU customers, GDPR applies regardless of where your company is headquartered.

What is the difference between consent and legitimate interest under GDPR?

Consent requires an explicit opt-in from the individual. Legitimate interest allows processing without consent if you have a valid business reason and that interest is not overridden by the individual's rights. Marketing emails generally require consent. B2B relationship-based communications may qualify under legitimate interest, but the bar is high.

How do you handle GDPR data deletion requests?

You must delete the individual's personal data from all systems within 30 days of the request. This includes your CRM, MAP, analytics tools, data warehouse, and any third-party systems. Build a documented process and test it before you receive your first request.
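The operational capabilities listed earlier (recording when and how consent was obtained, rejecting pre-checked boxes and purchased lists, segmenting by consent status) and the deletion process in this answer, as an added Python example that is not from the page or any real MAP/CRM vendor. All class names, field names, system names and sample contacts are constructed for illustration; the 30-day deadline is the figure the page gives.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example; every name and sample value below is constructed.
DSAR_DEADLINE = timedelta(days=30)
# Capture methods that count as an affirmative opt-in. "prechecked_checkbox"
# and "purchased_list" are deliberately absent, so they never qualify.
AFFIRMATIVE_METHODS = {"explicit_checkbox", "double_opt_in"}


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    granted: bool           # True = opt-in, False = withdrawal
    obtained_at: datetime   # when consent was given or withdrawn
    source: str             # where: form name, event, import job
    method: str             # how it was captured (see AFFIRMATIVE_METHODS)
    purpose: str            # purpose limitation: what the data may be used for


class ConsentLedger:
    """Append-only consent history per contact; the newest record wins."""

    name = "consent_ledger"

    def __init__(self):
        self._history = {}

    def record(self, rec):
        self._history.setdefault(rec.email, []).append(rec)

    def latest(self, email, purpose):
        recs = [r for r in self._history.get(email, []) if r.purpose == purpose]
        return max(recs, key=lambda r: r.obtained_at) if recs else None

    def has_valid_consent(self, email, purpose):
        rec = self.latest(email, purpose)
        return rec is not None and rec.granted and rec.method in AFFIRMATIVE_METHODS

    def segment(self, contacts, purpose):
        """Split contacts into (mailable, blocked) by current consent status."""
        mailable = [c for c in contacts if self.has_valid_consent(c, purpose)]
        return mailable, [c for c in contacts if c not in mailable]

    def delete(self, email):
        self._history.pop(email, None)

    def holds(self, email):
        return email in self._history


class DataStore:
    """Stand-in for a CRM, MAP or warehouse table keyed by email."""

    def __init__(self, name, rows=None):
        self.name = name
        self.rows = dict(rows or {})

    def delete(self, email):
        self.rows.pop(email, None)

    def holds(self, email):
        return email in self.rows


def process_erasure(email, systems, received_at, now):
    """Delete one person's data from every registered system, verify each
    deletion rather than assuming it, and return an audit record."""
    results = {}
    for store in systems:
        store.delete(email)
        results[store.name] = not store.holds(email)
    deadline = received_at + DSAR_DEADLINE
    return {"email": email, "systems": results, "complete": all(results.values()),
            "deadline": deadline, "overdue": now > deadline}


def run_demo():
    """Constructed contacts: only 'ana' has a valid opt-in; 'bo' came from a
    pre-checked box, 'cy' from a purchased list, 'di' opted in then withdrew."""
    t0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record(ConsentRecord("ana@example.com", True, t0, "newsletter form v2", "explicit_checkbox", "marketing_email"))
    ledger.record(ConsentRecord("bo@example.com", True, t0, "webinar form", "prechecked_checkbox", "marketing_email"))
    ledger.record(ConsentRecord("cy@example.com", True, t0, "list import", "purchased_list", "marketing_email"))
    ledger.record(ConsentRecord("di@example.com", True, t0, "newsletter form v2", "double_opt_in", "marketing_email"))
    ledger.record(ConsentRecord("di@example.com", False, t0 + timedelta(days=10), "unsubscribe link", "unsubscribe_link", "marketing_email"))
    crm = DataStore("crm", {"ana@example.com": {"company": "Example AG"}, "di@example.com": {"company": "Beispiel GmbH"}})
    map_ = DataStore("map", {"ana@example.com": {"lead_score": 42}})
    systems = [ledger, crm, map_]

    contacts = ["ana@example.com", "bo@example.com", "cy@example.com", "di@example.com"]
    mailable, blocked = ledger.segment(contacts, "marketing_email")

    received = datetime(2024, 4, 1, tzinfo=timezone.utc)
    on_time = process_erasure("di@example.com", systems, received, received + timedelta(days=5))
    late = process_erasure("ana@example.com", systems, received, received + timedelta(days=31))
    return mailable, blocked, on_time, late


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Two design points worth keeping in a real implementation: consent status is derived from the newest record per purpose, so a withdrawal never has to overwrite the original evidence of how consent was obtained; and the erasure routine reports per-system verification and a deadline rather than a bare success flag, which is what you need when documenting that a request was handled in time.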
