The Digital Marketing Podcast: The GDPR Interview
Hosts: Ciaran Rogers and Daniel Rowles
Guest: Mike Morrissey, Chief Commercial Officer at Cytorus
Date: October 23, 2017
Overview
This episode explores the European General Data Protection Regulation (GDPR) and its sweeping impact on digital marketing, data processing, privacy, and business operations. Ciaran Rogers interviews GDPR expert Mike Morrissey for clear explanations, practical advice, and candid insights on what businesses—especially marketers—need to know and do to prepare for GDPR’s introduction in May 2018.
Key Discussion Points & Insights
What is GDPR?
[01:59]
- GDPR is Europe's overhaul of its long-standing privacy law, replacing the 1995 EU Data Protection Directive (95/46/EC) and, in the UK, the Data Protection Act 1998.
- "It enforces very strict controls over how [organisations] can process that data and...how they provide evidence they're operating fairly with that information..." — Mike Morrissey [02:33]
- It places the burden of proof on organisations (the accountability principle): you must be able to show that you comply, so in practice you are "guilty until proven innocent" on privacy [03:03].
- The UK regulator, the Information Commissioner's Office (ICO), gains wider investigative, auditing and enforcement powers.
Who Does GDPR Apply To?
[04:21 – 07:33]
- Any organisation processing the personal data of individuals in the EU/EEA, regardless of where the business is based, even if it only markets to those individuals from outside the EU.
- Controllers and processors outside the EU (e.g. in the US) must comply when they handle the data of people in the EU, not only EU citizens; transfer mechanisms such as the EU-US Privacy Shield are discussed.
Scope & Universality
[07:31]
- Nearly all businesses with any personal data (even sole traders with a small client list) are impacted.
- Stringency and complexity increase with the data volume and sensitivity (e.g. NHS and medical data).
- Businesses must be able to demonstrate compliance—“thorough evidence that they've accounted for privacy and security aspects” [08:33].
The Impact on Employers and Subject Access Requests
[13:07 – 17:10]
- Employees and customers alike can ask for a copy of all the personal data held on them, free of charge, through a subject access request (SAR).
- Under GDPR: no fee for SARs and a response deadline of one month (30 days), compared with the previous 40 days plus a fee.
- Operational overhead increases—especially for HR or industries in frequent disputes.
Quote:
"Anybody who's an employer, anybody who's working in a senior management role...the mechanism allows an individual to get a physical copy of all information held about them...If you fail to respond, there will be a complaint to the regulator..." — Mike Morrissey [13:33]
Practical Steps for Businesses
[13:07 – 16:53]
- Audit your data: Know what personal data you hold and where.
- Review HR and marketing: apply data minimisation in HR (hold only what is needed); obtain explicit consent for marketing.
- Consent management: ensure every channel you use (post, email, phone) has a compliant basis for contact.
- Security controls: encrypt devices that hold personal data; work with IT to define and enforce retention and deletion policies.
- Supplier management: Ensure contracts with suppliers include clear data processing and security stipulations.
Rights of Individuals—Increased Significantly
[17:34 – 20:11]
- SARs for all individuals (not just employees); right to rectification, erasure (“right to be forgotten”), and data portability.
- Some industries, e.g. charities and fundraising, face major challenges in adapting business models to new consent requirements.
Quote:
"The GDPR fundamentally massively reinforces the rights of consumers and individuals in terms of how their information can be used..." — Mike Morrissey [18:25]
The Marketing Angle—Consent and Consent Management
[22:11 – 25:09]
- There is confusion because two overlapping sets of rules apply: GDPR and the ePrivacy rules (the current ePrivacy Directive, implemented in the UK as PECR, and the proposed ePrivacy Regulation intended to replace it).
- Email/electronic marketing will move toward explicit, opt-in consent (unticked boxes).
- Marketers should no longer use pre-ticked boxes; most people won't proactively opt in—expect a drop in marketing lists.
Quote:
"Consent for marketing...had to be explicit...an unticked box that a person has to opt in...which most people won't do." — Mike Morrissey [22:36]
- Cookies policies may be streamlined via browser management rather than clunky popups in the future.
Profiling & Data Use in Marketing
[25:09 – 28:01]
- Advanced profiling, especially combining disparate data sources or applying machine learning, brings heightened privacy obligations.
- Individuals can object to automated profiling; explicit consent is required if the profiling uses special-category data (e.g. health, ethnicity).
- Social platforms that match audiences on hashed identifiers (e.g. Facebook Custom Audiences, which matches on hashed email addresses) can offer a compliant way to target people. Caveat: a hashed email is pseudonymised, not anonymised, data under GDPR, so the contact data being uploaded still needs a lawful basis (typically consent) first.
B2B vs B2C
[28:23 – 30:40]
- B2B communications: Generally unaffected if relating to corporate roles; must allow opt-out.
- B2C communications: Heavily restricted; explicit consent required.
Quote:
"For B2B where it's very clear, there's no change in the rules of engagement from a marketing perspective." — Mike Morrissey [29:54]
Evidence and Documentation—The New Standard
[30:40 – 31:28]
- You must document all consent and data handling.
- Inability to provide logs/evidence equals non-compliance.
- Pre-ticked boxes: already non-compliant under the existing rules; GDPR makes the prohibition explicit and enforcement stricter.
Case Studies & Notable Industry Responses
[31:38 – 35:01]
- Companies fined, e.g. Flybe: £70,000 for sending emails soliciting consent to contacts who had already opted out [34:25].
- Wetherspoons deleted its entire customer email database rather than risk non-compliance.
- The regulator's stated preference is for enforcement notices (orders to change practice) rather than fines, but the maximum penalty is €20m (about £17m at the time) or 4% of global annual turnover, whichever is higher.
Quote:
"The bigger impact here is not the fines, it's the commercial impact of not being able to use data anymore..." — Mike Morrissey [34:50]
Best Practices: Consent Granularity and Transparency
[37:06 – 39:53]
- Double opt-in is advised for situations with multiple brands or data sharing.
- Disclose what data will be used and how, in plain language. Don’t hide in T&Cs.
Quote:
"It's all about being upfront, being very clear, not hiding stuff in terms of conditions. Don't be afraid of it, tell people what you're going to do." — Mike Morrissey [38:33]
- Proactive privacy can, in fact, be a brand differentiator.
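As an added example of what "documenting consent" from the Evidence and Documentation section and the double opt-in advice above look like in practice (this is illustrative code, not code from the episode, from Cytorus or from any platform mentioned), here is a minimal consent ledger in Python. Each event records who acted, when, where and the exact wording they saw; a pre-ticked box is rejected as evidence; double opt-in can be required; an opt-out overrides earlier consent; and a person's record can be exported to answer a subject access request or erased, leaving only a suppression entry. The contact IDs, channel names, form names and consent wording are constructed for illustration.

```python
# Added illustrative example, not code from the episode, Cytorus or any platform
# mentioned. Contact IDs, channels, form names and wording are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

CHANNELS = {"email", "post", "phone", "profiling"}
ACTIONS = {"opt_in", "confirm", "opt_out"}


@dataclass(frozen=True)
class ConsentEvent:
    contact_id: str
    channel: str
    action: str          # opt_in (box ticked), confirm (double opt-in link clicked), opt_out
    timestamp: datetime  # must be timezone-aware so the evidence is unambiguous
    source: str          # where it happened, e.g. a form or link name (hypothetical)
    statement: str       # the exact wording the person saw when they acted
    preticked: bool = False  # True if the box was ticked by default: not valid consent


class ConsentLedger:
    """Append-only record of consent events plus a suppression list for erased contacts."""

    def __init__(self, require_double_opt_in: bool = False) -> None:
        self.require_double_opt_in = require_double_opt_in
        self._events: List[ConsentEvent] = []
        self._erased: set = set()

    def record(self, ev: ConsentEvent) -> None:
        if ev.channel not in CHANNELS:
            raise ValueError(f"unknown channel {ev.channel!r}")
        if ev.action not in ACTIONS:
            raise ValueError(f"unknown action {ev.action!r}")
        if ev.timestamp.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        self._events.append(ev)  # never updated in place: the history is the evidence

    def history(self, contact_id: str, channel: str) -> List[ConsentEvent]:
        return sorted((e for e in self._events
                       if e.contact_id == contact_id and e.channel == channel),
                      key=lambda e: e.timestamp)

    def can_contact(self, contact_id: str, channel: str) -> Tuple[bool, str]:
        """Answer 'may we use this channel for this person?' with the evidence behind it."""
        if contact_id in self._erased:
            return False, "contact erased and suppressed"
        events = self.history(contact_id, channel)
        if not events:
            return False, "no consent recorded"
        opt_in, confirmed = None, False
        for e in events:  # an opt_out cancels everything before it
            if e.action == "opt_out":
                opt_in, confirmed = None, False
            elif e.action == "opt_in":
                opt_in, confirmed = e, False
            elif e.action == "confirm" and opt_in is not None:
                confirmed = True
        if opt_in is None:
            return False, f"opted out at {events[-1].timestamp.isoformat()}"
        if opt_in.preticked:
            return False, "consent came from a pre-ticked box, which does not count"
        if self.require_double_opt_in and not confirmed:
            return False, "opt-in not yet confirmed (double opt-in required)"
        return True, (f"opted in at {opt_in.timestamp.isoformat()} via {opt_in.source}: "
                      f"{opt_in.statement!r}")

    def evidence(self, contact_id: str) -> List[dict]:
        """Everything held about one person's consent, e.g. to answer a subject access request."""
        return [{**vars(e), "timestamp": e.timestamp.isoformat()}
                for e in sorted(self._events, key=lambda e: e.timestamp)
                if e.contact_id == contact_id]

    def erase(self, contact_id: str) -> int:
        """Right to erasure: drop the person's events, keep only an ID on the suppression list."""
        before = len(self._events)
        self._events = [e for e in self._events if e.contact_id != contact_id]
        self._erased.add(contact_id)
        return before - len(self._events)


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data: a confirmed opt-in, a pre-ticked one, and one later withdrawn."""
    t0 = datetime(2017, 10, 23, 9, 0, tzinfo=timezone.utc)
    wording = "Yes, send me marketing emails from Example Ltd"  # hypothetical brand
    ledger = ConsentLedger(require_double_opt_in=True)
    ledger.record(ConsentEvent("alice", "email", "opt_in", t0, "web_signup_v3", wording))
    ledger.record(ConsentEvent("alice", "email", "confirm", t0.replace(hour=10), "confirm_link", wording))
    ledger.record(ConsentEvent("bob", "email", "opt_in", t0, "web_signup_v2", wording, preticked=True))
    ledger.record(ConsentEvent("carol", "email", "opt_in", t0, "web_signup_v3", wording))
    ledger.record(ConsentEvent("carol", "email", "confirm", t0.replace(hour=11), "confirm_link", wording))
    ledger.record(ConsentEvent("carol", "email", "opt_out", t0.replace(day=24), "unsubscribe_link", "Unsubscribe"))
    return ledger


def demo() -> Dict[str, Tuple[bool, str]]:
    ledger = build_sample_ledger()
    return {name: ledger.can_contact(name, "email") for name in ("alice", "bob", "carol", "dave")}
```

Running `demo()` answers "may we email this person?" for each sample contact with the reason attached: alice is contactable with a timestamped, sourced opt-in; bob is refused because his consent came from a pre-ticked box; carol is refused because her later opt-out overrides her confirmed opt-in; dave has no record at all. The suppression list in `erase` is a deliberate design choice: after an erasure request you still need a way to avoid contacting that person again, and an identifier on a do-not-contact list is the minimum that achieves it.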
A Positive Perspective for Marketers
[40:10 – 42:56]
- GDPR encourages focusing on highly engaged audiences rather than vanity metrics.
Quote:
"What would you prefer? A database of a million people...or a database of 100,000 people who have actively demonstrated they're really interested..." — Mike Morrissey [41:19]
- Cutting dead wood from lists builds trust and value.
Navigating Compliance: Where to Get Help
[44:57 – 47:33]
- Seek help from seasoned privacy practitioners and separately, dedicated information security experts.
- Use ICO resources as a starting point.
- Be wary of self-appointed GDPR experts—vet their legitimacy.
Notable Quotes & Memorable Moments
- “This is fundamentally basing a new approach where there’s an assumption that companies and organizations are guilty until they prove innocence.” — Mike Morrissey [03:03]
- “It’s not the fines, it’s the commercial impact of not being able to use data anymore…” — Mike Morrissey [34:50]
- “Avoid surprises... if you’re explaining, you’re losing... if it’s very clear you’ve done something, then you’ve got a problem.” — Mike Morrissey [33:00]
- “Most businesses in the private sector haven’t woken up to the GDPR yet...come January there’s going to be a very significant realization…” — Mike Morrissey [43:05]
Key Segment Timestamps
- [01:01] Mike introduces himself and Cytorus
- [01:59] What is GDPR, and why does it matter?
- [03:01] Presumption of guilt—evidence-based compliance
- [04:21] Who is the ICO and its new powers?
- [05:18] GDPR’s global reach on non-EU entities
- [07:31] Who does GDPR not apply to?
- [09:33] Cultural and practical implications for marketers
- [13:07] Practical steps for HR, Marketing, IT, and suppliers
- [16:53] Subject Access Requests (SARs) and their impact
- [22:11] Consent, E-Privacy Directive, and cookie policies
- [25:09] Profiling, machine learning, and special categories
- [28:23] B2B vs B2C—what’s changing?
- [30:40] Evidence and documentation requirements
- [31:38] Pre-ticked boxes and consent documentation
- [34:25] Case study: Flybe fine for improper consent marketing
- [37:06] Double opt-in and brand-specific consent
- [41:19] Database size versus engagement quality
- [44:57] Finding quality GDPR advice and resources
Conclusion
The podcast provides actionable insights and a realistic perspective on GDPR for marketers and business leaders alike. While the new regulation brings significant work and uncertainty, it encourages best practice, genuine relationship building, and long-term business improvement. The key message: don’t panic, get practical, and prepare now—using robust, well-documented processes—to ensure you’re ready for GDPR and the evolving digital privacy landscape.
Resource tip:
Start with the ICO's website for comprehensive, up-to-date guidance.
