August 17, 2018

What does GDPR mean for Print Marketing?

The new GDPR legislation doesn’t only affect digital marketing; it also has an impact on traditional print channels. We have taken a little look at what GDPR means for print marketing communications. Let’s dive in.


You may need to update some of your print collateral

The first thing to remember is that GDPR applies to all forms of personal data collection and processing. So, businesses that use traditional print marketing still have to:



If, for example, you’re gathering phone numbers and email addresses via print material, you still need active consent. You won’t be able to assume they’ve opted in simply because they’ve filled in a form. To gain consent, all your print material should be updated, and the copy will have to make it clear exactly what the data will be used for. Your direct mail should provide details on how people can opt out or access their personal data in the future.


So this may mean additional expense because old material has to be discontinued and new material printed up. However, it’ll be worth it because not only will you still benefit from the power of print marketing, but you’ll also be doing it in a lawful way.


Good news for postal marketing: ICO say you won’t need consent

According to the ICO, you won’t need consent for postal marketing if it’s aimed at existing or past customers, or people who have previously shown an interest. This is because you may have a lawful basis under ‘legitimate interest’.


As a lawful basis, legitimate interest has no strict definition and is therefore quite flexible. Essentially it boils down to whether there is any negative impact on a person’s privacy and/or wellbeing. If you can reasonably say that the recipient wouldn’t be surprised or annoyed by communications from you, and indeed they might find it beneficial and it won’t lead them into harmful situations, then you may have a case for legitimate interest. You just need to make sure the recipients can opt out, to respect their right to object.


In addition to this, you won’t need to gain consent if the print material is part of the service you provide i.e. what the recipient expects from you. For example, if you’re running a membership programme that sends out seasonal catalogues, you won’t need to regain consent because this is part of what the members signed up for.


In fact, if you send out consent requests to all your members or mailing lists, you could be causing a nuisance.


The ICO has plenty of helpful information on their website; it’s worth diving into their resource centre and familiarising yourself with best practices. 




GDPR could force print marketers into being more efficient

There have been a lot of concerns about GDPR limiting the marketing scope. However, GDPR could actually make the print marketing process more efficient and therefore boost ROIs.


Regularly auditing and cleaning your lists could mean lower print costs. In other words, you won’t be wasting resources on sending material to people who are unlikely to be interested.


So, you could end up getting the same results with a lower outlay.


A trend towards door-drop media

Print marketers will be looking for ways to minimize GDPR liabilities. So we’ll probably see a rise in door-drop media, a marketing channel that has GDPR compliance baked into it. You won’t even need to use ‘legitimate interest’.


So, what is door-drop media and how does it work?

It’s a direct marketing action that allows you to target households based on postcodes grouped according to their demographic profiles. Use special software to organise postcodes into categories and make well-targeted campaigns. GDPR legislation doesn’t apply because you won’t be processing any personal data.


The ICO has made it quite clear:

“If an organisation is sending mail or leaflets to every address in an area and does not know the identity of the people at those addresses, it is not processing personal data for direct marketing, and the GDPR rules will not apply.”


This makes door-drop media an attractive option for print marketers looking to reduce GDPR risk while maintaining a positive strategic advantage.


April 9, 2018

[Webinar] GDPR for Marketing Professionals – APRIL


———– Download the presentation and watch the recording here ———–

Continuing our highly successful series of LIVE webinars, Romax Marketing will be offering Marketing Professionals the opportunity to get a full and practical insight into what GDPR means to the future of marketing.

The LIVE Webinar will cover:

  • The 5 Key principles of marketing
  • Why GDPR is being introduced and its scope
  • Accountability and Data Security
  • Legitimate Interest
  • What constitutes ‘Consent’
  • What is a Data Breach and what must be done following a breach
  • The data subject’s rights
  • Profiling and the GDPR
  • Live Q&A.


GDPR as a topic can leave you at best feeling drained, so our Webinar Content will be presented in an easy to absorb format, specifically focussed on GDPR in a marketing role.

Who should attend:

  • Any Marketing Professional
  • Directors needing reassurance that their organisation is ready for GDPR
  • Data Professionals.


Webinar:  GDPR for Marketing Professionals
When: Wednesday 11th April
Time: 1 pm BST
Host: Robin Sumner, Managing Director Romax Marketing & Distribution.


March 20, 2018

GDPR Glossary

The GDPR uses terminology that marketers may not be familiar with. In order to provide clarity, the DMA has translated these legal terms so that marketers, not just legal professionals, can understand the language used.


  1. Anonymous data: the process of removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous.
  2. Consent: According to the GDPR, consent “means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
  3. Controller: the organisation or individual that determines how the personal data is processed.
  4. Legitimate interest (LI): A legal ground that can be used to process personal data for direct marketing in certain circumstances. Individuals have the right to object to the processing of personal data based on LI. The GDPR sets out strict criteria for organisations that seek to rely on LI. These include establishing that the processing is necessary and that a balancing test has been conducted.
  5. Personal data: Any information that can be used to identify a person is personal data. For example, names and email addresses are personal data because they reveal someone’s identity. The GDPR expands the definition of personal data to include IP addresses and online identifiers, like cookies.
  6. Personal data breach: A breach of security that means unauthorised individuals or groups are able to access personal data. This could be the result of hacking by outside groups or because an employee made a mistake.
  7. Data-protection-by-design: A new concept introduced by the GDPR, whereby an organisation considers what impact a particular campaign or product may have on privacy from the very start. In a marketing context, this means identifying a campaign’s risks for privacy and/or data protection, recording them and taking appropriate steps to mitigate them, thinking about privacy from the start and not as an afterthought.
  8. Data-protection-by-default: Similar to Data-protection-by-design, this phrase refers to privacy settings on goods or services. For example, when a phone app goes to market it should have its privacy settings set to the highest level possible as the default setting. The user could then decide to lower the privacy settings if they so wished.
  9. Processing: Any operation conducted on personal data, which may include collecting, recording, storing, structuring, organising, transmission or dissemination of personal data.
  10. Processor: The organisation that only processes personal data according to the instruction of the data controller. For example, an email services organisation only processes personal data in line with what their client tells them and this means they’re a data processor.
  11. Profiling: Any type of automated processing of personal data that evaluates the characteristics of someone in order to make a decision. Marketing segmentation or targeting is a type of profiling.
  12. Pseudonymisation: A method of making personal data no longer attributable to an individual, without further information, meaning someone could not be identified from the data. It is a process that reduces the privacy risks for people as they can no longer be identified.
  13. Special categories of personal data: Criteria of personal data that are subject to stricter requirements because of its sensitive nature. The GDPR lists the following as special categories of personal data: “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sexual orientation.”
  14. Supervisory authority: An independent public authority responsible for enforcing the GDPR. The Information Commissioner’s Office (ICO) is the supervisory authority in the UK.
  15. Third party: Any organisation or individual that is not the data controller or processor that is authorised by either the controller or processor to process personal data. For example, if an organisation sold personal data to another organisation, the organisation purchasing the personal data would be classed as a third party.





Romax Marketing & Distribution, a Greenwich-London based company, provides a wide range of services in Direct Marketing for B2B and B2C, including Direct Mail, Data Management, Printing, Discount Postage, Membership Communication Services and Marketing Consultancy.

 Contact us: +44 (0) 20 8293 8550




December 19, 2017

What impact will GDPR have on SMEs

General Data Protection Regulation (GDPR) is nearly upon us, and SMEs need to be prepared. So let’s take a look at what it is, the way it’ll affect businesses and what you can do to mitigate the risks.


What is GDPR?

Essentially it is a complete update of existing EU data protection laws. The updates are needed because the way data is gathered, stored and used has changed dramatically since the 1995 EU Data Protection Directive. The new legislation aims to make personal data more secure in the face of rising cyber-crime. It also gives people more power to control their own data.

What impact will it have on SMEs?

Small businesses that gather, process and store personal data will need to audit their existing framework and make changes where necessary. For instance, if a business relies on computer networks and digital storage, it will need to make sure it has taken strong measures to prevent data breaches; this could mean investing in better cyber-security solutions, training staff to be more web-savvy, and implementing policies that aim to stop leaks from within the organisation. Because of the right to access subject – which gives consumers greater power to access their stored data – SMEs may face additional costs.

What are the consequences of not adhering to GDPR?

Businesses, regardless of their size, face fines of 2-4% of their annual turnover or €10-20 million (whichever is greater). It’s been reported, however, that regulators have more discretion when punishing SMEs. So depending on the severity of the situation, SMEs may be treated more leniently. However, it’s not yet clear how much discretion they really have. Besides monetary penalisation, businesses face huge reputational damage for falling foul of GDPR.


What can SMEs do in preparation for GDPR?

The most important thing is to read through all GDPR chapters, articles and recitals and familiarise yourself with the law. Once you have a clear idea of GDPR requirements, you can then audit your business and make changes as per the directives. Document each and every step you take – so if a breach does happen, you’ll have evidence that demonstrates your compliance. To help you get started, the Information Commissioner’s Office (ICO) has put together a useful 12 Step Fact Sheet. If there’s anything you’re unsure about, always seek professional advice.

How will it affect consumers?

Because of active consent, consumers won’t be tricked into giving permission to share personal data. The right to access subject gives consumers more power to request their data without incurring costs. Similarly, GDPR means that businesses will have to clearly inform consumers about their right to object, which is the right to prevent organisations collecting a consumer’s personal data. Overall, it gives consumers a clearer picture of where they stand and gives them more control over their personal data.

What impact will it have on SME marketing?

Small businesses will need to make sure they collect and process data in the right way. This means being clear about consent and the consumer’s rights.

Robin Sumner, Managing Director at Romax Marketing, advises: ‘From the beginning, you need to get it spot on – so the first step is to audit your data processing policy and get it in line. You need to create a process that factors in the new requirements so that it flows out from the strategic level into every aspect of your marketing communication. In other words, it needs to be baked into your organisation so that it becomes integral to operations.’






April 21, 2017

GDPR General Data Protection Regulations


What is GDPR?

GDPR stands for General Data Protection Regulation and is set to replace the existing Data Protection Directive in May 2018. This framework was first put forth by the European Commission in 2012 and was finally agreed upon by the European Parliament and Council. GDPR contains several new protections for data and is due to be enforced in the spring of 2018.

The main aim of the GDPR is:

“to provide individuals with better control over their personal data, in a way that will help businesses to get the most out of the digital single market; through providing them with various business opportunities.”

As the digital economy grows, it is important for laws to be clear, for an individual’s rights to be safeguarded and for there to be consistent international data protection regulations, particularly with the increase in businesses/services operating across borders. It is believed that the introduction of this framework will ultimately contribute to an increase in consumer trust.

How will it affect your Direct Marketing?

The GDPR regulation will change the way you manage, protect, and administer the data under your control. One of the main effects will be how your organisation communicates with your members or customers via email, SMS, telephone, and direct mail.

You will have to provide clear opt-in and opt-out options for consumers.

Additionally, the recording of consent and improved privacy policies will be a requirement for when personal data is collected.

Data Categories (There are 4)

The GDPR widens the personal data net and clearly defines personal data into four categories which are as follows:

1 – Personal data and unique identifiers – includes online identifiers and location data

2 – Pseudonymous data – data that has been through a technological measure, i.e. hashing or encrypting

3 – Genetic data – to do with an individual’s gene sequence

4 – Biometric data – such as facial recognition, fingerprints, etc.

What are the Practical Implications?

Crumbling Cookies – online and unique identifiers such as cookies are used to gather data and further target potential consumers. Non-EU advertising, analytics and social media platforms will most likely find themselves in a position where they will be legally required to treat these identifiers (cookies) as personal data under the protection of European law and will need to update their policies, procedures and systems as required.

Increased Costs – to carry out processes to organise your data sets and reduce any potential data breach will require system adaptation and human resource. Is your finance director aware of this and have they allocated your department a budget?

Organisational Compliance – with data subject access, correction, deletion, and transferability being under close scrutiny.

Penalty for GDPR non-compliance


You could face a fine of up to 4% of your organisation’s annual turnover.

Reputational Damage – portraying a negative image which will ultimately damage your brand

Further Fines – If a company receives high amounts of complaints they could be liable to pay additional fines from the Information Commissioner’s Office (ICO)

To ensure that sensitive data is protected, your organisation will need to identify the risks that exist and then put in place procedures and policies to help mitigate these risks and prevent any problems that may occur.

Ensure that your IT meets GDPR regulations – Areas to consider:

  • Get up to speed with the proposed legislation.
  • Research anything that you are unsure about.
  • Check your organisation’s current internal data and IT processes.
  • Look at how to protect all data and whether you can provide evidence that will satisfy any inspection of it.
  • Find a reputable ADISA registered asset disposal expert that will be able to provide useful support and advice on the organisation’s IT lifecycle and provide robust solutions to limit the risk of data non-compliance.
  • Efficient and secure disposal of hardware.
  • Consider the use of personal devices by employees.
  • Be aware of all access to data and limit this beyond systems owned externally to the business so that it is under the sole control of the operating organisation.

6 Helpful Tips

  1. Develop a clear and concise privacy policy
  2. Enable an Opt-in requirement for data sharing
  3. Start implementing privacy through design
  4. Prepare for new data breach reporting requirements
  5. Implement controls to track and manage data
  6. Be prepared for data protection impact assessment




Blog is written by Robin Sumner with research and contribution from Chenyse Taylor

Further Reading and References: FieldFisher, DataIq
