Are you being



The General Data Protection Regulation is the most critical change in data privacy regulation in 20 years. After four years of debate, the GDPR was finally approved by the EU Parliament in 2016 and was enforced by May 25th, 2018. One year later we see the full impact of the changes.

What Does GDPR Really Mean for Marketers?

In May 2018 the European Union’s new General Data Protection Regulation (GDPR) law will become effective. The regulation is intended to strengthen and unify data protection for all individuals within the European Union (EU). It will have an impact on all marketers who do business with people in these countries. Therefore, if you have at least one EU contact within your databases, you need to pay close attention to the GDPR and your revised compliance obligations.




General Data Protection Regulation

Preparation Checklist

Here’s a checklist of steps (drawn from the United Kingdom’s Information Commissioner’s Office) you can take now to prepare.



Webinar: Maximizing Success in the Era of GDPR

Watch the on-demand webinar to learn the crucial role your digital demand gen engine will play in meeting the regulations.



What GDPR Means for Marketers

The new GDPR impacts all marketers who do business with residents of the European Union. Even if you have only one EU contact within your databases, you need to pay close attention to the GDPR and your revised compliance obligations.



What GDPR Means for Your Business

In this episode of the Rethink Podcast, we spoke with David Fowler, who is Act-On’s head of privacy, compliance, and deliverability. As David says, GDPR marks the biggest change to EU data protection law in a generation. And it applies to the EU’s 510 million citizens, as well as any business doing business with them, regardless of where they are based.

Check out these webinar questions and their answers, which address important issues that many marketers are wondering about as GDPR takes shape.


This law will affect any client who markets to an EU citizen, regardless of where your organization is located or where that citizen is located. Therefore, if you have at least one EU contact within your databases, you need to pay close attention to the GDPR and your revised compliance obligations.


Meeting compliance standards is an important part of any marketing campaign. These rules are meant to protect consumers from fraudulent business practices, false promotional information, and infringements on privacy rights.


GDPR becomes effective in May 2018, and Act-On is focused diligently on our GDPR compliance efforts. Prior to the implementation period for the Regulation, we’re evaluating and assessing the new requirements and restrictions imposed by the GDPR and will take proactive action to ensure that we handle customer data in compliance with applicable law by the 2018 deadline. You’ll receive updates and notifications of any new functionality and changes to our Terms of Service within your Act-On portal in the usual way. We’ll also be updating this page regularly and sharing additional information over the coming months, so please visit this page often. You can also send us an email at with any additional questions or inquiries.

Need more information on the GDPR?


What is GDPR?

GDPR is a comprehensive law with which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for EU residents. This law replaces the current EU Data Protection Directive (95/46/EC) with additional requirements that you need to adopt in your marketing and data management objectives in order to be fully compliant. The new EU data protection law extends the scope of EU data protection law to all companies, even those outside the EU, when they process data of EU residents.

About GDPR for B2B and B2C

GDPR compliance and adoption makes no distinction between B2B and B2C organizations. Even though the PECR (Privacy and Electronic Communications Regulations, UK) allowed a soft opt-out approach in email marketing, the new ePrivacy Directive is under review and is going to align with the GDPR.

More on the PECR:

When will GDPR be enforced?

GDPR will officially apply from 25th May 2018, at which time those companies or organisations in non-compliance may be subject to fines and other additional consent requirements.

Important to note: There has been communication that there will be no grace period for compliance actions to begin.

Who does GDPR apply to?

GDPR applies to persons and entities of all sizes that process personal data of EU residents, regardless of where they are based. These regulations apply to both data controllers and data processors, including third parties such as cloud providers. Under the GDPR Act-On is a processor and our clients are Controllers.

Where does GDPR apply?

It applies to all EU member states and to entities and organizations outside the EU when processing the data of citizens within it. If you have data on EU citizens in your files and they reside outside of the EU, you are still obligated to comply.

Does Brexit affect the ruling of GDPR?

No. GDPR comes into effect before the UK officially leaves the European Union on March 29th, 2019. The UK has communicated that it will adopt the GDPR prior to Brexit being finalized.

What are the penalties for non-compliance with the GDPR?

The maximum penalty for organizations in non-compliance with GDPR can be up to €20 million or 4% of annual global turnover, whichever is greater. There is a tiered approach to fines; for example, a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment.

What is Act-On’s responsibility in complying with the GDPR?

Under the GDPR, we serve as the Data Processor and you are the Data Controller. We process the data based on your instructions. While we are not in a position to legally advise you on your GDPR obligations, we will provide you insight on how to adopt your approach to GDPR compliance using our services.

In order to appropriately adopt the legislative requirements, you must understand the obligations your business faces. This education portal can help.

What is Act-On doing to help me be GDPR compliant?

Providing Best Practices
We will share our expertise in protecting your data, adopting privacy principles, and complying with many complex international regulations. We will also communicate to you all information we gather from any respective Data Protection Authority or other organization.

It’s important to note that GDPR compliance is ultimately a shared responsibility. In order to appropriately adopt the legislative requirements, you must understand the obligations your business faces. This education portal can help.

Act-On’s Capabilities
You can leverage Act-On to meet your GDPR requirements for managing consent, including:

  • Capturing consent for web tracking
  • Capturing consent through double opt-in
  • Managing withdrawals from your database

For more details, see Using Act-On to Manage Consent for the GDPR.

Contractual Commitments
Act-On requires all vendors we do business with to be contractually compliant with the GDPR. We also provide our customers with standard data protection clauses (model clauses) if requested.

Account Provisioning
All European-based clients are provisioned in our European data centers (Dublin or Frankfurt), ensuring your account remains within the EU.

Privacy Shield
Act-On Software (and its UK subsidiary company Actonsoftware Limited) complies with the EU-U.S. Privacy Shield Framework. We are committed to subjecting all personal data received from European Union (EU) member countries to the Framework’s applicable Principles.

Learn more about the Privacy Shield program and view Act-On’s certification.  

How can I get more information on GDPR and Act-On?

If you have additional questions or need additional information please email: and we will be happy to help.

How are Act-On’s GDPR preparations progressing?

As we enter 2018 we are well under way for GDPR adoption. Many areas of GDPR requirements have been addressed, with specific notation guidance from the UK ICO, which includes:

  • An extensive third-party review of our business operations and GDPR obligations via TrustArc.
  • Implementation of our interdepartmental GDPR Working group encompassing all functional areas of our business.
  • Comprehensive employee awareness training of GDPR and the implications of non-compliance.
  • Ongoing commitment to global privacy laws including EU-US Privacy Shield certification and the opportunity to provide Model Contract Clauses if requested for our EU clients.
  • Third-party contract reviews and written vendor acknowledgement for compliance obligations pertaining to processing activities that support our operational business activities.
  • Evaluation of possible GDPR vendors to automate specific GDPR requirements, including but not limited to Article 30 and also Data Subject rights.
  • Continued client communication outreach and industry thought leadership.

As we move forward towards the May 26th adoption date I will continue to update you on our progress. Please don’t hesitate to contact us should you have any GDPR or compliance-related questions.