How Will Data Collection Strategies Change With GDPR?

Marina Brocca

May 18, 201813 min read
How Will Data Collection Strategies Change With GDPR?

The countdown for the implementation of the New European General Data Protection Regulation (GDPR) has begun. 

You may not be fully aware of how this regulation will affect your work, but if you work in marketing and you manage lead generation campaigns, you should certainly take the new procedures and measures seriously. You will need to implement these procedures in all of your strategies for them to be successful and to avoid any damage to your reputation and economic success caused by infringing the GDPR.

The GDPR will introduce significant and lasting changes in the way we manage people’s data and will transform marketing and lead generation strategies.

What is the GDPR and what does it do?

The GDPR is a European Commission regulation that aims to enforce and unify data privacy for every person in the European Union (EU).

The GDPR sets new game rules for the management of people’s information in the EU and for this reason it not only affects EU professionals and companies but also anyone that processes European citizens’ data.

What changes will the GDPR bring?

One significant change is the shift in approach towards data privacy.

This regulation gives citizens more power over their personal information, more control over their data, and allows them to make informed choices before giving personal information to a company or professional.

Respect for privacy is a central theme of the GDPR and must be present in every process, every strategy, and every tool.

Many decisions that we make in our businesses must consider privacy issues, thus, before choosing a tool or strategy, we should ask ourselves:

  • Does it respect the GDPR?
  • Does it meet my demands/requirements?
  • Will it facilitate or create an obstacle to compliance?

This reinforcement of the protection of privacy requires those responsible to take greater measures to manage data in a transparent way, strengthening the mechanisms of collecting consented data and applying security measures according to the risk posed by each action.

Unlike the LOPD that has been in place in Spain since 1999, the GDPR eliminates the formal requirements that do not directly affect data protection and instead proposes a much more active compliance, based on risk management and the implementation of proactive measures.

Some of the more significant changes that should be taken on board include:

More Commitment

You cannot collect, process or store other people’s information if you do not declare a clear commitment to the rights of those who entrust their information to you.

Those of us who work with other people’s information must take on the responsibility that comes with handling that information and take greater measures to protect the data and to respect the rights of each citizen.

We must assume a work culture allied to the protection of data, consciously changing our approach and recognizing the value of that information and the impact of its treatment on people.

We also have to understand that the information in our databases does not belong to us and that we can only use it according to the permission granted to us by its owners.

More Knowledge

Complying with the GDPR requires an in-depth knowledge of the entire life cycle of data and protecting it at all times, from its initial collection to its deletion.

Therefore, you should analyze and document every category of data that you manage, how you got the information, who you share it with, what you use it for, which security measures you have applied to manage it, and report all of this to the legitimate holders of the data.

You must also document all the legal regulations for processing personal data and communicate it both in the form of legal communication and in the handling record.

With the GDPR, a marketing professional must be a data protection professional and know and know how best to manage the information as required by the regulation.

It is no longer enough to know the bare minimum, register a file and send out a security document that nobody reads.

Now professionals and companies must treat the protection of data as a standard requirement to be applied in all the data they process, from the moment they get a lead until that data is destroyed or deleted.

More Transparency

The GDPR requires much more transparency in the management of information, and as a result, all the legal notices, information clauses, and lead generation mechanisms we work within our campaigns must be reviewed and updated.

To facilitate communicating this information to citizens, we must inform them in a clear, unequivocal and direct way. The correct way to satisfy this requirement is to keep people informed at all stages. 

More Rights for Citizens

You must create procedures that allow you to inform and comply with these new rights easily and quickly since the deadlines for doing so are shorter.

For marketing campaigns, there are two basic rights you should incorporate into your procedures:

1. Access rights for users

When it comes to users’ personal information, you must report what data you store, how you have obtained it, for what purposes you intend to use it, and with whom you share it.

2. The right to block or delete this information.

In this case, you must have systems that allow you to directly block or delete information to avoid it being used in the future.

Nowadays most email marketing tools have a link that automatically unsubscribes users, so this should not be a problem.

More Requirements for Permission

There is a significant change in the way we obtain consent since consent based on omission or silence is no longer valid. Unambiguous, free, specific and verifiable communication is required; in other words, you must prove that you have explicit consent to use all the data you store in your database, with ‘all’ meaning that the GDPR applies to all data, not just data from March 2018.

With marketing campaigns, that is, when the information is going to be used for promotional purposes, we must specifically and separately tell people how we intend to use this data and ask specifically for consent.

What are the implications for marketers?

From a marketing point of view, it is the most monumental change.

We will have to change the strategies we use to collect data, obtain explicit consent based on the given information, and register that consent so we can prove it at any time.

There are more requirements in the data management of minors.

  • We must implement systems to prove the age of users and obtain consent from a parent or guardian for data processing.
  • More requirements in the declaration of violations.

The GDPR introduces new requirements when reporting security violations.

If regulations regarding users’ information have been violated, we are obliged to report that violation, which means implementing mechanisms that allow you to detect violations and notify authorities and users.

More requirements for managing privacy.

A new focus emerges: protecting privacy by design and default. This requires us to create a product or campaign with privacy in mind and to keep information collected to a minimum.

It also demands more clarity when creating policies that can be easily understood by the majority of people.

More evidence of compliance.

The GDPR requires more concrete evidence of compliance rather than simply the appearance of compliance, therefore eliminating, at a practical level, any requirements that do not clearly demonstrate compliance.

You must create processes that allow you to record and register every action you carry out.

Delegating data protection.

In certain cases, the presence of a data protection delegate is required. For example, if you work in a public organization, and your main activities consist of the large-scale management of special personal data categories and data relating to convictions and criminal offenses.

How does the GDPR affect my data collection strategies?

Marketing is possibly the business that handles the most personal data.

The raw material of any lead generation campaign is personal data.

The objective of all lead generation strategies is to transform as many leads as possible into customers. To achieve this, different strategies and tools must adapt to the new rules.

Those who engage in marketing should be able to ensure maximum security in terms of the protection of their databases, maximum security in dealing with third parties, and maximum transparency when it comes to informing the user about everything related to the treatment of that information.

Some urgent changes that you will have to undertake “right now”.

Regularize your relationships with collaborators.

All the technology partners and tools that will be used in a lead generation campaign should be analyzed and require evidence of compliance.

A contract is no longer enough, undisputed evidence of compliance is required.

Clean and debug your databases.

Do not keep records where you cannot justify their preservation or demonstrate consent for their use.

Prepare all your lead generation systems.

This is done with a view to adapting them to the GDPR.

  • Reconfirm the consent of those records that you are unsure about
  • Minimize
  • Do not store more information than is strictly necessary for your campaign.

Encrypt all the information.

All the information you encrypt will be protected from security breaches or violations that you will have to report.


Collect evidence of all of the above, keep reports, contracts or screenshots, which will be useful in proving effective compliance.

Types of Lead Generation Campaigns and Activities

There are different types of campaigns, but all of them have a common denominator: the collection of personal information through a form.

You must analyze and adapt this process from beginning to end in each strategy you use, and for this, it will be important to have processes that allow you to track and map the personal data that you store and manage within your tools and systems.

In each case, you must ensure that users are informed of the process and include mechanisms to obtain and report their consent.

An effective way to do this is to index all the lead generation systems that you use, identify the tools you use in each case and the purposes of each form, as subscription forms and contact forms are different.

All platforms, applications or other media, where there is personal data, in cloud or physical, has to be identified.

Email marketing campaigns.

This is the classic lead generation strategy.

We cannot conduct email marketing campaigns if we don’t have the verified consent of each of the leads on our list.

We must also inform people of the main aspects of the treatment of their data and create an automatic mechanism that allows them to revoke their consent.

If we also do segmentation, we work with affiliates or share the data with certain tools; we must ensure that those tools also comply with the GDPR and that we inform people about them in our correspondence.

What must not be done at any stage is to send advertising content by email without the user’s consent, unless it is a customer and the information that is sent is directly related to their contract.

Imagine that you own a gym. If you are offering a promotion, for example, 50% off a sauna treatment, you would not need the consent to send this promotion to your gym customers since you have a legal basis that justifies this — the legitimate interest of the receiver.

What you cannot do, however, is what the people in the following example did:

correo-spam.pngTranslation: "Attached I include a screenshot of your website where appears the email and the link to the page.
Thank you very much and apologies for any inconvenience."

To comply with GDPR, a company sends me an advertising email about a messaging application (what a paradox). In the email, there does not appear to be any information about who is responsible for this campaign nor about my rights, only the commercial information.

When I asked them how they obtained my data, this was their answer.

That is, they justified the use of my data because my email appears in the legal notice of my website, so if an email appears on the internet, they can use it as they please.

It seems to be obvious that this should not be done but, judging by the evidence, many still seem to see it as acceptable.

This type of practice is what the GDPR wants to eradicate, the random use in any way of personal data, without order or agreement.

If you analyze the situation and the response, we can see that there is a major flaw, they are selling a tool to improve GDPR-compliant communication, but they are overlooking all the basic rules of commercial communication.

It’s important to remember that nowadays all commercial communications that are not expressly requested or consented by the sender are also prohibited by the LSSI.

Therefore, the internet is not a public access source, and you should never obtain addresses or personal data and include them on your list in this way.

Display Advertising and Search Engine Marketing

These are ads where we capture leads by inserting the ads in search engines. In this case, the ads are triggered for certain profiles based on their browsing habits.

Adsense and AdWords routinely download cookies in the users’ browsers that track their browsing and show ads selectively.

These ads will only refer to websites that have all the required legal elements.

We must inform people about the use of these cookies on our website and request consent for their installation in a transparent manner.

We must also offer people a mechanism to block them in cases where the user is opposed to downloading them. It is important that you choose a plugin that allows you to complete this action.

Our privacy policy should also inform people about the use of this tool.

In the case of obtaining a lead, the lead generation mechanisms must be suitably GDPR compliant so that the data collected is legitimate and we could use it for commercial purposes.

What would a GDPR-compliant lead generation form look like?

Here is one below:


Another adapted lead generation form would look like this:

formulario-lexblogger.pngAs you can see, there is a mechanism to obtain consent, a first informative layer (form footnote) and a second informative layer (privacy policy link).

Social Media and Social Selling

Remember that a social network is not directly a hunting ground for leads.

We can insert promotions, competitions, or advertisements but must keep in mind that it is not legal to carry out email marketing through private social network messaging systems and we cannot import followers to a list either.

Lead generation must be carried out through a campaign where each user or follower provides their information voluntarily through a form.

This form must be fully GDPR compliant, as shown in the previous image.

You should also be aware that if you own a fan page on a social network, you are responsible for the data treatment of its followers and therefore you are required to inform them as the Spanish data protection agency does on its Twitter profile.


As you can see, the right thing to do is to inform people on the fan page itself through a link that takes the user to very clear and simple legal statement:


Video advertising

This is a technique widely used when capturing leads. Users are asked in the video (through embedded banners) whether they want to receive additional information by email, a catalog or a special offer.

In this case, banners must be GDPR compliant to obtain that information in a legitimate way, as is shown through the LEXblogger form example.


One of the most common and essential steps in creating good conversations is to develop profiles to segment advertising based on the interests and features of the user, and also to define the ad targets.

What does the GDPR say about this?

If you are going to perform profiling, you must inform those affected by the profiling of its purpose and its consequences.

You must also inform the user about their right to refuse permission for their data to be used for profiling linked to direct marketing, without the need to give a reason.

This right to deny permission must be expressed directly and must be stated clearly and separately from any other information, that is, in the first stage of contact with the interested party.

What happens to the databases obtained prior to the GDPR?

A key point of the GDPR is that the regulation requires that all the records stored in a database or a list must be regulated, that is, that they must go through a consent requirement and registration process.

In this post, I explain how can you perform this process.

Why is adapting lead generation strategies to the GDPR so important?

Let’s start with the basics, that is, respecting legal standards is an essential step in any marketing campaign. Omitting them sends a message that conflicts with the interests of any brand.

What does it say about your brand if you position yourself as an infringer of rights?

Remember that these rules have the objective of protecting consumers against abusive or fraudulent commercial practices that are contrary to their right to privacy.

Complying with these rules implies commitment and commitment translates to reliability, competitiveness, differentiation and notable improvements to your image.

It will also help you to improve the integrity of your reputation and avoid economic sanctions that would undermine it, as well as your profit margin.

GDPR sanctions are something to be feared since they are significantly higher than the LOPD sanctions; combined with the high probability of damage to your reputation, it is something that no professional or company should underestimate. 


Author Photo
Marina: Consultora especializada en marketing legal y protección de datos, acreditada en área jurídica. Especialista en RGPD. Autora del blog -Ponente y formadora.