It’s a year today since the GDPR regulations came into operation, but it probably feels like longer to most marketers.

What’s changed? Well, according to the news, there’s been €55m of fines delivered across Europe, although this includes a chunky €50m for Google’s ad personalisation misconduct.

In the UK, there haven’t been any fines to date, although an enforcement letter has been delivered to a firm in Canada. A menagerie of fines and further letters can be seen on the ICO’s website, but most of them – including a £385,000 fine to Uber – are under the ‘new’ Data Protection Act rather than the GDPR.

Of course, GDPR has made everyone more aware of data protection regulations, whether they want to be or not. And perhaps more importantly, it’s raised awareness of how data flows around the organisation, how much of it there is and the importance of taking care of people’s data, especially within protected categories.

In the last year, we saw a vast number of vendors roll out solutions; some of which were user-friendly and many that were not. The fifty-one different comments on our blog post ‘reconsenting Mailchimp lists ahead of GDPR’ showed not only confusion around how to handle mailing lists, but also how last-minute Mailchimp’s own guidance was. One of the major things we learnt was how broad a base for data processing ‘legitimate interest’ is – and if we’d known this ahead of GDPR, our blog post would have looked a lot different!

Overall, our analysis of GDPR’s intent was ‘handle data responsibly’ and that’s a firm, fair and necessary mission. Knee-jerk deletions of consumer data were almost certainly unnecessary but completely understandable, given the size of the fines. One of our overall feelings about the handling of GDPR was that it uncomfortably straddled a few roles: many of those responsible were marketers with limited support and a limited grasp of regulations, however well they’d handled PECR in the past.

That said, the fact that no UK fines have been given out is either a sign that most British organisations handled the regulations responsibly – or that the mammoth amount of administration and organisational re-architecting is still a work in progress. Right now, no news is good news – although time will tell.

Does the new General Data Protection Regulation (GDPR) make you want to just delete all your data and start afresh? We felt that way at first – when you start grappling with an 88-page pdf written in dense legalese while taking advice from different people, you may feel more confused than when you started out.

Wetherspoons actually did decide to delete all their customer data – but we’ve found out that you don’t need to be that drastic.

We met some brilliant, plain-speaking people, and ran an event with a particular focus on what GDPR means for marketing data. Facilitated by Firefly CEO Claire Walker, our team of experts included Simon Morrissey, Head of Data and Privacy at law firm Lewis Silkin, Nicholas Dunn-McAfee, Head of Policy and Research at the PRCA and Simon Loopuit, CEO and founder of trust-hub.

The overwhelming message from this panel of experts was that there is huge opportunity for companies to become GDPR compliant. There is too much emphasis on the ‘hefty’ fines – too much stick, not enough carrot in our opinion. Even Simon Morrissey didn’t mirror the scaremongering messages you often see from other lawyers and talked about how brands who are GDPR compliant can gain competitive advantage.

From a reputation perspective, handling data in a respectful manner shows your customers that you are safe guardians of their personal information. People are wising up to how their data is used, and trust is the primary pillar in establishing a strong and lasting relationship with them.

Furthermore, better data means better engagement. Customers who actively opt in to being marketed to are more likely to be engaged with what you send them. No more ‘why is this company spamming me and how did they get my contact information?’. With GDPR we will see the rise of granular consent – where customers are asked for their preference on how and when they are contacted (more on this in step 5).

To become GDPR compliant requires a thorough audit of your current processes and data (see step 1 below). This first critical step may mean an overhaul of processes and how data is used, which at a minimum will make your company more efficient. But also forcing yourself to rethink and question every process and data point may prompt new and better ways of working. This discovery process could unearth some hidden gems.

It’s all well and good me telling you the benefits of getting your house in order, but how do you get to that point? Well, we have some brilliant practical steps to help you get started now. And we mean now: Simon Loopuit from trust-hub advised us that it’s a six to nine month process, so it’s time to get going.

Practical steps for marketing professionals

  1. Create a data map noting all the processes and data you collect

This data map must not only incorporate internal data but also the data about you and your clients that your vendors hold. When noting down the data points, also note the purpose of the data. This is an important step as it will help inform your marketing strategy and transform your processes – maybe you don’t need this data point, or maybe there’s a better way to use this data.

  2. Take ownership

Don’t think that responsibility lies with IT. Your department is responsible for the marketing data you hold and use. However, personal data cuts across all areas of the business so you must get engagement from all departments. It’s not about being scared into action; ensure you communicate the benefits of reviewing your data map.

  3. Engage management and the board

All this work will take an incredible amount of time and effort. Therefore it needs to be a marketer’s number one priority between now and May 2018. To do this effectively, clearly outline the need to switch priorities and explain the benefits in the long run – and also be ready to keep having to explain the benefits for those who may be impatient!

  4. Sort supply chain

Yes, your data must be compliant, but you must ensure the vendors that handle your customers’ data are also compliant. Data breaches often happen due to a weakness in the supply chain. Not everyone will be as proactive as you, so ask your vendors and suppliers the right questions so you feel confident that the right measures are in place to safeguard your customers’ data.

  5. Granularised consent

If you haven’t transitioned away from opt out (pre-ticked) consent, then do that right away. Consent also doesn’t mean ‘all on, all off’. Give your customers choice in how and when they receive information from you. It might be that some customers prefer certain channels over others, or that they prefer a certain frequency. Give them options, just not too many: it has to align with your marketing strategy, which can’t be too siloed.

There are three ways to react to GDPR – fight, flight or freeze. Many brands are like a deer in the headlights, freezing and taking no action at all. Some, like Wetherspoons, choose flight and ditch all their data in favour of starting over. We tell you to choose ‘fight’ which we’d actually change to ‘face head on with a positive and determined mindset’ (catchy, hey!) because rolling up your sleeves now will give you many long-term benefits for your brand.

