Customer Data Compliance: Best Practices for Marketers

Written by: Alex Morgan

From big corporations to small entrepreneurs, businesses are becoming more and more data-driven. Data has entered all spheres of business, and marketing is no different.

As data becomes an integral part of marketing strategies, marketers encounter new challenges — and one of the biggest ones is data compliance.

Data compliance is an all-encompassing word that refers to the processes and industry standards in place to guarantee that customer (and corporate) data is safe — that it is secured against theft, abuse, and loss. The phrase also refers to the rules that govern how data is gathered, handled, and maintained within businesses, such as GDPR.

Data compliance issues affect organizations of all sizes and industries, and new rules and regulations are being introduced on a regular basis.

However, many marketers are still unsure where to begin. Here are 7 best practices to help marketers keep up with regulations and stay compliant.

1. Accurately Identify Data

Although marketers collect a lot of information about their customers, not all of it falls under the GDPR umbrella.

The GDPR has a strict definition of what is considered personal data. Personal data is anything that directly identifies a customer, including location data, email address, and cookie IDs.

It also covers pseudonymous data, which is information that companies collect about customers that customers don’t directly provide. For example, an IP address is pseudonymous data. The GDPR defines pseudonymous data as personal data if it can be combined with other information to identify a specific customer. 

The GDPR considers pseudonymous data to be personal data since it always allows for some sort of re-identification, no matter how improbable or indirect.

Marketers should review all the data they collect to determine where it will sit in the GDPR’s definition of personal data.

2. Encrypt All Data

The GDPR requires that all personal data be protected, and encryption is one of the easiest ways to achieve that.

Encryption transforms data into a form that is only readable by authorized parties. When data is encrypted, it’s no longer readable by anyone who doesn’t have the decryption key.

Cryptographic keys protect data at rest and in motion. Encrypting data ensures its confidentiality and integrity and is a necessary step to protecting data. Keys should be strong, long, and unique. Decryption keys used for data in use (e.g. in a database) must be stored separately from the data itself and should never leave the organization.

Organizations should review the systems they currently use for encrypting data, seeking a system that is flexible, secure, easy to use, and complies with relevant regulations.

3. Have a retention policy

Organizations should establish a retention policy for all personal data. The policy should define how long data is kept before deleting it. Organizations shouldn't hold on to personal data indefinitely, but they can't simply delete it whenever they want.

You have to create data archiving and data retention policy that will comply with regulations relevant to your business. For example, if you collect personal information such as transactional data, you must have a data retention policy and retain those records for a prescribed amount of time relevant to your particular industry.

Also, make sure you don't hold data longer than necessary. The longer you retain personal data the more opportunities there are for that information to be lost or compromised.

4. Keep Records of Data Disposal

Organizations must keep a record of all personal data that they delete.

The GDPR requires organizations (including marketers) to keep records of all the deletions they make. The record should include the date of the deletion, the name of the data controller, and the reason for the deletion.

5. Give Customers Access to Data

The GDPR gives customers more rights to their personal data, including the right to access it.

If a customer asks for their personal data, you must give it to them free of charge. If a customer wants their data erased, you must erase it (known as ’the right to be forgotten’). If a customer asks for their data to be transferred from one service provider to another, you must facilitate that transfer.

The GDPR gives you 6 months to respond to these requests.

6. Let Customers Opt-Out

The GDPR requires that customers must opt-in to receive marketing emails. You can’t simply add customers to a marketing list (or add them to your CRM) without their permission.

If a customer opts in, you must give them the option to opt out at any time.

7. Respond Fast to Data Breaches

In the past, many retailers would wait until after they realized there was a data breach to start damage control. However, the GDPR requires companies to respond quickly to data breaches, which puts a lot of pressure on marketers.

If the data you are holding on customers is breached, you must inform them within 72 hours of the breach.

You must provide customers (and authorities) with details about why the data breach occurred and what they are doing to fix it.


There are a lot of different rules and regulations surrounding customer data compliance. However, regulations aren’t the only factor that marketers should be aware of. 

Ethics are just as important. The GDPR and similar regulations exist for an important reason: to protect customers. 

As marketers, you have a responsibility to treat data ethically and responsibly. You must always respect our customers’ privacy and never abuse the power of data.

Related: Use Relationship Data to Build Stronger Connections

Alex is a passionate tech blogger, internet nerd, and data enthusiast. He is interested in topics that cover data regulation, compliance, eDiscovery, information governance and business communication