Published
19th May 2026
Read time
12 min read

When GDPR came into force in May 2018, it felt like the marketing world had been turned upside down.

For many marketers, GDPR was first experienced as a compliance project rather than a strategic shift.

Eight years on, the picture is more nuanced.

GDPR did change how marketers collect, use and store personal data. It also made brands more accountable for the way they communicate with people. But it did not kill email marketing, stop personalisation or make data-led marketing impossible.

Instead, it forced marketing teams to ask better questions.

When working with teams both agency-side and client-side, I would ask:

  1. Do people expect to hear from us or our client?

  2. Have we been clear about what we will send?

  3. Are we collecting data because it adds value, or because we can?

  4. Are we building long term trust, or chasing short term reach?

For B2B brands, the answers can look very different to B2C brands. The principles are the same, but the practical reality of applying GDPR and PECR (Privacy and Electronic Communications Regulations) across customer journeys, sales funnels, CRM systems and digital campaigns has shaped two very different marketing landscapes.

GDPR was never just a legal change

The UK’s data protection framework is now governed by the UK GDPR and the Data Protection Act 2018, both of which control how organisations use personal information. GOV.UK makes it clear that data protection applies when businesses store or use personal information, including when they market products or services.

That last point matters.

Marketing is not separate from data protection. It is one of the most visible ways people experience it.

Every email, retargeting campaign, lead capture form, customer survey, loyalty programme, social media audience and CRM workflow can involve personal data. GDPR brought that reality into focus.

Before 2018, many brands treated data as an asset they could keep adding to. GDPR reframed it as a responsibility. If a brand collects data, it must know why. If it uses data, it must have a lawful basis. If someone asks to opt out, object or understand how their data is being used, the business must be able to respond properly.

People are more aware of how their data is used than ever before. They notice poor consent journeys. They recognise irrelevant emails. They question why they are being followed around the internet by an advert for something they looked at once.

Marketing that ignores this feels clumsy. Marketing that respects it feels sharper, more intentional and more useful.

The B2B impact: still personal, but with different expectations

B2B marketers sometimes assume GDPR is less relevant because they are contacting businesses rather than consumers.

That is only partly true.

The ICO states that:

“UK GDPR still applies to B2B marketing when personal data is being processed.”

For example, if a business stores the name or contact details of an individual who represents another business, that is personal data.

PECR rules may differ for B2B communications, but data protection rights still apply, including the absolute right to stop personal data being used for direct marketing.

Side note: PECR stands for The Privacy and Electronic Communications Regulations.

This distinction is important for B2B marketers.

Sending an email to a generic address such as info@ or sales@ may not involve personal data in the same way. But emailing a named decision maker, using LinkedIn data, enriching a CRM record or building an account-based marketing audience usually does.

GDPR has made B2B marketing teams more disciplined. It has forced them to think carefully about legitimate interests, transparency and reasonable expectations.

In B2B, there may be a stronger case for relevant outreach where the recipient is being contacted in a professional capacity. But that does not mean anything goes. The message still needs to be proportionate, relevant and easy to opt out of.

A marketing manager receiving a useful invite to a marketing specific webinar may reasonably expect that kind of communication. The same person receiving repeated generic sales emails from a company they have never engaged with is likely to feel differently.

The best B2B marketers have used GDPR as a reason to improve targeting rather than dilute it.

That means fewer blanket campaigns and more considered outreach. It means building campaigns around sector, pain point, job role and buying stage. It also means making sure sales and marketing teams are aligned on what data they use, where it came from and how it should be handled.

GDPR did not end data led marketing

One of the biggest myths around GDPR was that it would stop businesses using data in marketing.

It did not.

It made the use of data more accountable.

Marketers can still analyse customer behaviour, segment audiences, measure campaign performance, personalise journeys and optimise spend. But they need to do this with a clear understanding of the data being used and the rules that apply.

The ICO identifies consent and legitimate interests as the two lawful bases most likely to apply when sending direct marketing messages.

That gives marketers options, but not shortcuts.

Consent must be specific, informed and freely given. Legitimate interests must be balanced against the rights and expectations of the individual. PECR must also be considered for electronic marketing, cookies and similar technologies.

This is where many marketing teams still struggle. They treat GDPR as one rule, when in practice it sits alongside PECR, cookie guidance, platform policies and internal governance.

For example, a paid social campaign may involve uploaded customer lists, website tracking, lookalike audiences, pixel data and conversion measurement. Each part of that journey could involve different responsibilities.

That does not mean marketers should avoid these tactics. It means they need to understand them.

The strongest marketing strategies now involve closer collaboration between marketing, legal, IT and leadership teams. GDPR has made data governance part of marketing effectiveness.

Further viewing: GDPR, PECR and email marketing in practice

For marketers who want a more practical explanation of how GDPR and PECR apply to email marketing, the Digital Culture Network has a useful webinar on how regulation affects contact data collection, email list growth and compliant campaign planning.

It is worth watching because it reinforces one of the biggest lessons from the last eight years. Compliance should not be treated as a blocker to effective marketing. When it is handled properly, it can support stronger lists, better audience trust and more sustainable campaign performance.

This is particularly relevant for brands reviewing how they collect email addresses, manage consent, use soft opt ins and build long term value from their CRM.

The rise of privacy first measurement

One of the most significant changes since GDPR has been the wider move towards privacy first measurement.

Cookie consent, browser changes, platform restrictions and rising consumer expectations have made it harder to rely on the same tracking methods marketers used a decade ago.

The ICO’s guidance on cookies and similar technologies says consent must be freely given, specific and informed, and must involve an unambiguous positive action. It also warns that hiding cookie information in a hard-to-find privacy policy is not enough.

This has had a direct impact on digital marketing.

Brands cannot assume every website visitor can be tracked in the same way. Analytics data may be less complete. Attribution may be less precise. Retargeting audiences may be smaller. Some conversion journeys may be harder to see.

But this has also encouraged healthier measurement habits.

Instead of obsessing over last click attribution, marketers are having to look at broader signals. These include:

  1. Search visibility

  2. Brand demand

  3. Direct traffic

  4. Engagement quality

  5. Customer lifetime value

  6. Lead quality

  7. Sales conversion rates

  8. Incremental growth

In many ways, GDPR has helped expose a flaw that was already there. Digital marketing has always been measurable, but it has not always been meaningful.

Privacy first measurement asks marketers to connect activity to commercial outcomes, not just platform metrics.

Strong marketing needs strong operations behind it.

What GDPR has improved

GDPR has not been perfect, and not every outcome has been easy. Some businesses found the transition confusing. Some marketers became overly cautious. Some consent journeys became more complicated than they needed to be.

But 8 years on, there are clear positives.

GDPR has improved the quality of marketing databases. It has made unsubscribe processes more visible. It has encouraged better privacy notices. It has forced brands to think more carefully about audience expectations. It has made data protection a board level conversation, not just an admin task.

It has also helped shift marketing away from interruption and towards permission.

That shift is important.

A person who actively chooses to hear from a brand is more valuable than someone who has been added to a list without much thought. A prospect who understands why they are being contacted is more likely to engage than someone who feels targeted without context. A customer who trusts how their data is used is more likely to share more of it over time.

Trust is not a soft metric. It influences conversion, retention and reputation.

What marketers still need to get right

Despite the progress, there are still areas where many businesses fall short.

The first is documentation

Marketers often know what they are doing but cannot always evidence why. If a campaign relies on legitimate interests, has that assessment been documented? If data was collected through a form, what privacy wording was shown at the time? If a list was imported into a CRM, where did it come from?

The second is data retention

Marketing databases can become crowded with old contacts, inactive subscribers and outdated records. Keeping data forever is rarely necessary and can create unnecessary risk.

The third is supplier management

Most marketing teams use multiple platforms, from email software and analytics tools to CRM systems and advertising platforms. Each supplier relationship needs to be understood.

The fourth is internal training

GDPR is not just for the person who manages compliance. Anyone running campaigns, building landing pages, exporting data or contacting prospects needs to understand the basics.

The fifth is customer experience

Compliance should not make marketing journeys confusing. Consent forms, cookie banners and privacy information should be clear, simple and easy to act on.

Good compliance and good user experience should support each other.

The next chapter of data protection

The UK’s data protection landscape is still evolving.

The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025.

GOV.UK explains that it will not replace UK GDPR, the Data Protection Act 2018 or PECR, but will make changes intended to simplify rules, encourage innovation and maintain high data protection standards.

For marketers, this is a reminder that data protection is not a one-off project.

The rules, guidance and expectations will continue to change, particularly around cookies, automated decision making, legitimate interests and digital tracking. Marketing teams need to keep reviewing their practices, not just rely on decisions made in 2018.

The bigger direction of travel is clear. People want more transparency; more control and more relevance. Regulators want better accountability. Brands want better performance from their data.

The opportunity sits where those three things meet.

Need support building a smarter marketing strategy?

Data protection should not stop ambitious marketing. It should help shape better campaigns, stronger customer journeys and more trusted brand communications.

If you want to build marketing that is creative, commercially focused and considered from the first touchpoint to long term loyalty, get in touch with the Leopard Co team.