Preparing your website for GDPR

David Rushton

Head of Digital

Posted on March 31, 2017

In September we wrote a blog ‘The impact of the GDPR on Financial B2B Marketing’, which gave an overview of the impending legislation and what it could mean for financial marketers. There has been some debate as to whether the GDPR will impact B2B marketing and how it affects website (and content marketing) activities. In this blog we examine some of the issues faced by B2B financial marketers in relation to their website and content marketing activities.

The cornerstone of GDPR – a recap

The GDPR is all about giving European citizens control over their data and how it is used. At the heart of this is the concept of explicit consent. As a business you need to prove that a contact has explicitly agreed to you collecting, storing, using or sharing their data. Contrary to some reports, this applies in a B2B context and to all contacts, regardless of whether they are existing customers or you have a prior relationship with them.

A note on ‘legitimate interest’ / R47

Some B2B marketers have referred to the ‘legitimate interest’ model (also known as R47) as a way of avoiding the majority of the hurdles associated with compliance. Under this model a business could potentially argue that a contact (that has not given explicit consent) has an interest in receiving a communication. Whilst this may be valid, we recommend steering away from this grey area – which may be proved invalid when the ICO confirm the UK implementation of GDPR.

The basics

Before we delve into further detail regarding the collection of data or the use of cookies, it is important to lay the foundations first. As a minimum you will need to:

  • Create appropriate privacy and cookie policies
  • Store contact data securely and only for the period of time that it is actually needed
  • Communicate your registered name, address, company number and VAT across all communications
  • Appoint a member of staff who can respond to data and removal requests from contacts

Larger organisations who have a core business activity related to the processing of data may need to appoint a Chief Data Officer, who will hold additional responsibilities.

Collecting data

Content marketing is playing an increasing role in financial marketing and this often involves providing content in exchange for a visitor completing a form. To become compliant, at the point of capture, you must as a minimum:

  • Provide a statement explaining how you will use the contact’s data, if you will communicate with them, how often you will communicate, how you will share their data and how they can opt-out
  • Provide a link to a privacy policy and a cookie policy (if you are using cookies)
  • Be able to prove that the contact is who they say they are and is giving consent. The most effective way of doing this is by implementing a ‘double opt-in’ policy – sending a contact an email to confirm their consent. You must implement a method of recording this, as you may be asked to give evidence of consent

It is no longer acceptable to assume consent through the use of pre-ticked boxes, or hiding privacy statements in long blocks of text. You must be clear, upfront and transparent regarding the use of data.

Website personalisation and profiling

At Talisman we’ve often talked about the opportunity for financial marketers to profile website visitors and personalise their experience. However this does introduce some complications with GDPR compliance.

By implementing website personalisation or profiling, you are in effect mapping anonymous tracking data to individuals. As soon as a contact completes a form, you are pairing their personal data with their website behaviour data.

You must be clear and transparent about this process and include a reference to it in your privacy and cookie policies. Visitors to your website should be able to opt-out of this process by opting out of cookies (see below).

Use of cookies

Cookies form the cornerstone of web analytics and the majority of websites use cookies in some form. However, the guidance within this area is still unclear and subject to change. Currently:

  • You must provide a cookie policy that is easily accessible and details how cookies are used. This is of particular importance if you use forms to map anonymous browsing data to individuals, or you use visitor profiling (see above)
  • Provide a way for a website visitor to opt-out of cookies. At the time of writing a visitor is not required to opt-in to cookies, although this may change in the future

Sending emails

It should go without saying that you shouldn’t send emails (or other communications) to those who have not explicitly opted-in! For those that have opted-in, you must provide an easily accessible method of opting-out, or specifying the types of communications that they are willing to receive. All communications should also include your company’s details as previously mentioned above.
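The ‘double opt-in’ recording described under Collecting data, and the check that should run before any send described above, can be put together as a small consent ledger. This is an added example, not code from the original post or from Talisman; the 48-hour token lifetime, the statement version label and the in-memory store are assumptions, and the email addresses and clock value are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

CONFIRM_TTL = timedelta(hours=48)  # assumed: unconfirmed requests lapse after this
STATEMENT_VERSION = "privacy-v1"   # hypothetical label of the wording shown on the form
EPOCH = datetime(2017, 3, 31, tzinfo=timezone.utc)  # constructed clock value for the walkthrough

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

@dataclass
class ConsentRecord:
    email: str
    statement_version: str                   # which wording the contact agreed to
    requested_at: datetime                   # form submitted: not yet evidence of consent
    token_hash: str                          # only a hash of the emailed token is stored
    confirmed_at: Optional[datetime] = None  # set only when the emailed link is used
    withdrawn_at: Optional[datetime] = None  # set on opt-out

class ConsentLedger:
    def __init__(self):
        self.records = {}  # constructed in-memory store; persist these rows in practice

    def request(self, email, box_ticked, now):
        if not box_ticked:  # consent is never assumed; the form must not pre-tick the box
            return None
        token = secrets.token_urlsafe(32)
        self.records[email] = ConsentRecord(email, STATEMENT_VERSION, now, _digest(token))
        return token  # goes into the confirmation link emailed to the contact

    def confirm(self, email, token, now):
        rec = self.records.get(email)
        if rec is None or rec.confirmed_at or now - rec.requested_at > CONFIRM_TTL:
            return False
        if not hmac.compare_digest(rec.token_hash, _digest(token)):
            return False
        rec.confirmed_at = now  # this timestamp plus statement_version is the evidence kept
        return True

    def withdraw(self, email, now):
        if email in self.records:
            self.records[email].withdrawn_at = now

    def may_email(self, email):  # the check to run before every send
        rec = self.records.get(email)
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None
```

A contact who submitted the form but never used the emailed link, or who has since opted out, fails `may_email`, so the same record serves as both the evidence of consent and the suppression list.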


GDPR has had many marketers worried for some time. Website, content and email marketing have all become prevalent and rely on the ability to collect, analyse and process data. Many marketers are concerned about their lists shrinking and unfortunately, that is unavoidable.

However, some would argue that having a list of engaged contacts who actually want to be communicated with is far more valuable. So maybe it’s not all bad news!

It is important to note that the steps needed to achieve compliance will differ between businesses and you should seek professional advice; we can’t claim that this blog is a complete description of everything you will need to do.