GDPR will be in effect soon!

The General Data Protection Regulation (GDPR) enters into force on May 25, 2018. At the moment, marketing professionals are in a difficult position because they have to adapt to the change and create action plans that will protect them from cybercrime.

Marketing and cybersecurity - increase of security

The beginnings of marketing in the world were characterized by a high level of recklessness when it comes to protecting data. When marketers collected demographic information about customers, determined return on investment, conducted consumer behaviour surveys, or collected user responses, there was no adequate level of security, and the data were therefore vulnerable to theft. At present, data management looks different and is still changing. GDPR has a particular impact on marketing because the MarTech industry processes personal data intensively. The regulation will apply to any organization that intercepts, generates or makes personal data available to citizens of the European Union.

Entering the digital age is associated with the emergence of huge databases of customers or partners which are freely analyzed, modified, enlarged, or transmitted by marketing representatives as part of their activities. With databases, they can streamline business processes and plan long-term and short-term strategies. These activities may involve potential risks of data leakage, and therefore marketing representatives are becoming increasingly involved in introducing security measures in organizations.

A Chief Marketing Officer (CMO) should be aware of any risks that might jeopardize the brand when deploying new tools or software which are intended to streamline its internal/external processes. As far as information protection is concerned, it is a good idea to start from the very beginning and create a platform for collaboration between CMO and CISO (Chief Information Security Officer).

Data security - collaboration between departments

Marketing representatives are not going to abandon the use of IT infrastructure when building marketing technology systems. That is why both departments - marketing and security - should compromise on the choice of marketing technologies which are key to winning new customers. For marketing, GDPR should result in collaboration that covers implementing online/offline campaigns, effectively serving consumers, building a lasting consumer relationship, and gaining loyalty. It is important for marketers to act transparently and to inform the security department comprehensively about the strategies and plans they design.

There are organizations that use digitalization and thus become more accessible, and more effectively engage consumers: e.g. electronic bank accounts, virtual health centers, music listening platforms, and social networking sites. In these places, users leave plenty of personal information (even sensitive) which, when it falls into the wrong hands, can be used and thereby cause material/non-material losses. As a result, marketing departments must be sure that their IT solutions, such as company applications and websites, are fully secure. This can only be achieved through active cooperation with the security department, drawing relevant conclusions and introducing innovations.

Security training for the entire organization

An organization's marketing department might be subject to staff turnover, which means recruitment and an onboarding process intended to familiarize the employee with the new environment and enable them to establish contacts in a friendly atmosphere. In addition to presenting their responsibilities, it is important to make sure that everything an employee does will be in line with the prevailing data security measures and will not cause a crisis. For this purpose, the security department should regularly check the marketing department's knowledge of information protection and have a corrective procedure worked out in case of an attack on the organization's resources. In a nutshell, the procedure involves:

  • securing evidence,
  • contacting law enforcement agencies,
  • performing a post-breach analysis,
  • finding and removing loopholes in the IT infrastructure,
  • recovering lost information,
  • sending messages to those whose data might have been stolen.

"To make sure that every part of your organization is prepared for a threat, it is worthwhile to formulate a coherent security strategy and not allow paralysis. It is mandatory for members of the organization to be aware of the destabilizing and destructive behavior of cybercriminals,"

- says Marcin Michalski, President of Sagiton Sp. z o.o., a company specializing in Marketing Technologies focusing on cybersecurity.

DCAP audit to ensure that data is fully secure

To be confident that your organization complies with GDPR, you should perform a Data-Centric Audit and Protection (DCAP) audit, which, instead of securing software, networks, or hardware, focuses on securing data.

According to the DCAP audit, the best way to protect data is by:

  • encrypting,
  • pseudonymizing,
  • monitoring,
  • responding quickly to users’ inappropriate behavior towards data.

In addition to assessing internal data collection and retention procedures, audits help identify threats in multiple technology stacks and prevent further violations, in line with GDPR. This way, you can increase the level of customer trust and give customers confidence in the security measures protecting their personal information.

For marketing, GDPR calls for a gradual increase in employees' awareness. Increasing knowledge of cybersecurity will be a key point because companies plan and invest in new marketing technology solutions every day. Their actions are not limited to selling, but also involve maintaining the right level of security. To sum up, marketers' lack of cybersecurity awareness must be addressed, and above all, IT departments will no longer be concerned with the negative effects of their activities in the customer space.
