November 13, 2018

What is the ePrivacy Regulation? And what does it mean for my business?

Over the last few decades the internet, combined with the development of electronic communications, has revolutionised the way we go about our business.

Interconnectivity has become an integral part of our lives. But with it comes a host of ethical and practical problems: How can society safeguard people’s online privacy? We unpick ePrivacy, so you don’t have to.

The proposed ePrivacy Regulation (ePR) aims to answer that question. It will replace the already existing ePrivacy Directive (2002) with a stronger law that must be adhered to by all EU member states.


Why does the ePrivacy Directive need replacing?

Although the directive is a legal act that aims to uphold Article 7 of the EU charter (respect for private and family life), it doesn’t require all member states to implement it in the same way. Essentially member states can be selective about what parts of the directive to adopt and enforce, and this creates an uneven playing field.

In 2002 the directive was adequate. But the digital culture has, since then, become more intrinsic to people’s lives. Gathering and processing personal data via electronic communications is now a huge part of society. Not only that, but the interconnectivity of electronic devices means there are more digital entry points into people’s private lives, meaning there’s a greater risk of privacy violation.

So, the new proposal aims to bring the legislation up-to-date and create a level playing field for all EU citizens.


How does it relate to GDPR?

GDPR is about general data protection, which covers a broad range of elements; however, it doesn’t go into detail about electronic communications.

ePR, on the other hand, focuses specifically on electronic communications. In legal parlance, this is known as lex specialis. So, although the ePR will use the same definitions as GDPR, it will actually override GDPR on matters of data-privacy in the context of electronic communications.

Both the GDPR and ePR are part of a movement to reform the EU data protection framework.

What will change when the ePR comes into force?

It’s difficult to say as the proposal is still being developed. We won’t know the exact stipulations until the finalisation. However, based on what’s in the proposal now, it seems that the following areas will be of particular interest:

  • unsolicited marketing,
  • cookies,
  • and bringing OTTs into the regulatory scope.


Unsolicited Marketing

There will be stricter rules on sending out unsolicited marketing material via electronic communications, including email and SMS. It will also cover telephone-based cold calling; cold callers may have to adopt transparency tactics such as displaying their number or using a prefix that identifies it as being a marketing call.

There’ll also be stricter rules on gaining permissions and respecting people’s right to object.



One of the aims is to simplify the cookie process so as to reduce all the irritating cookie consent requests. The idea is to ‘streamline’ the consent process by shifting the onus onto web browsers as opposed to individual websites. This means people will be able to set their cookie preferences at the browser level.

In a press release, the European Commission said:

“The cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rules will be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers”

There’ll also be a clear distinction between non-intrusive and intrusive cookies.

Non-intrusive cookies won’t require consent because they’re essential for providing services and improving user experiences. These could be things like shopping carts, remembering previous purchases, or non-identifying analytics.

Intrusive cookies, on the other hand, are those that use data (such as IP addresses) to identify and track users around the internet e.g. third-party cookies for tracking advertising clicks. These will require explicit consent.



The digital revolution has seen the rise of Over the Top (OTT) service providers such as Google, WhatsApp and Skype. Millions of people now use these communication services, meaning there is greater potential for invasion of privacy (think of all the private online conversations happening at any one time).

So ePR aims to make strict confidentiality rules applicable to the big internet communication companies and make them more accountable whenever they fall foul of the law.


So, what does ePR mean for my business?

It all depends on your strategies. If electronic communication is an integral part of your business model, then you’ll need to audit your current setup and ensure it adheres to the regulation. You may also need to anticipate threats. For example, if you’re a publisher that relies on third-party advertising cookies, you may see a drop in revenue because people have set their browsers to block certain identifiers. So you’ll need to come up with creative solutions for persuading users to enable cookies for your site.

ePR is definitely something you don’t want to ignore as, like GPDR, the fines for non-compliance will be pretty hefty, and you also face reputational damage i.e. you may gain a reputation for violating people’s privacy. The good news is that you still have plenty of time to prepare. You can get yourself up-to-speed by perusing the current draft proposal. However, it’s worth noting that the current proposal is not set in stone and there are likely to be amendments between now and when it comes into force. So, do keep track of all the latest developments.


That brings us onto our final question: When will ePR come into force?

At present, the exact date is unknown. It is, however, expected to come into force sometime in 2019.

August 17, 2018

What does GDPR mean for Print Marketing?

The new GDPR legislation doesn’t only affect digital marketing, it also has an impact on traditional print channels. We have taken a little look at what GDPR means for print marketing communications. Let’s dive in.


You may need to update some of your print collateral

The first thing to remember is that GDPR applies to all forms of personal data collection and processing. So, businesses that use traditional print marketing still have to:



If, for example, you’re gathering phone numbers and email addresses via print material, you still need active consent. You won’t be able to assume they’ve opted in simply because they’ve filled in a form. To allow for gaining consent all your print material should be updated, and the copy will have to make it clear exactly what the data will be used for. Your direct mail should provide details on how people can opt out or access their personal data in the future.


So this may mean additional expense because old material has to be discontinued and new material printed up. However, it’ll be worth it because not only will you still benefit from the power of print marketing, but you’ll also be doing it in a lawful way.


Good news for postal marketing: ICO say you won’t need consent

According to the ICO, you won’t need consent for postal marketing if it’s aimed at existing or past customers, or people who have previously shown an interest. This is because you may have a lawful basis under ‘legitimate interest’.


As a lawful basis, legitimate interest has no strict definition and is therefore quite flexible. Essentially it boils down to whether there is any negative impact on a person’s privacy and/or wellbeing. If you can reasonably say that the recipient wouldn’t be surprised or annoyed by communications from you, and indeed they might find it beneficial and it won’t lead them into harmful situations, then you may have a case for legitimate interest. You just need to make sure the recipients can opt out, to respect their right to object.


In addition to this, you won’t need to gain consent if the print material is part of the service you provide i.e. what the recipient expects from you. For example, if you’re running a membership programme that sends out seasonal catalogues, you won’t need to regain consent because this is part of what the members signed up for.


In fact, if you send out consent requests to all your members or mailing lists, you could be causing a nuisance.


The ICO has plenty of helpful information on their website; it’s worth diving into their resource centre and familiarising yourself with best practices. 


Print marketing


GDPR could force print marketers into being more efficient

There have been a lot of concerns about GDPR limiting the marketing scope. However, GDPR could actually make the print marketing process more efficient and therefore boost ROIs.


Regularly auditing and cleaning your lists could mean lower print costs. In other words you won’t be wasting resources on sending material to people who are unlikely to be interested.


So, you could end up getting the same results with a lower outlay.


A trend towards door-drop media

Print marketers will be looking for ways to minimize GDPR liabilities. So we’ll probably see a rise in door drop media, a marketing channel that has GDPR compliance baked into it. You won’t even need to use ‘legitimate interest’.


So, what is door-drop media and how does it work?

It’s a direct marketing action that allows you to target households based on postcodes grouped according to their demographic profiles. Use special software to organise postcodes into categories and make well-targeted campaigns. GDPR legislation doesn’t apply because you won’t be processing any personal data.


The ICO has made it quite clear:

“If an organisation is sending mail or leaflets to every address in an area and does not know the identity of the people at those addresses, it is not processing personal data for direct marketing, and the GDPR rules will not apply.”


This makes door-drop media an attractive option for print marketers looking to reduce GDPR risk while maintaining a positive strategic advantage.


April 9, 2018

[Webinar] GDPR for Marketing Professionals – APRIL

Webinar GDPR for Marketing Professionals

———– Download the presentation and watch the recording here ———–

Continuing our highly successful series of LIVE webinars, Romax Marketing will be offering Marketing Professionals the opportunity to get a full and practical insight into what GDPR means to the future of marketing.

The LIVE Webinar will cover:

  • The 5 Key principles of marketing
  • Why GDPR is being introduced and its scope
  • Accountability and Data Security
  • Legitimate Interest
  • What constitutes ‘Consent’
  • What is a Data Breach and what must be done following a breach
  • The data subjects rights
  • Profiling and the GDPR
  • Live Q&A.

———– Download the presentation and watch the recording here ———–

GDPR as a topic can leave you at best feeling drained so our Webinar Content will be presented in an easy to absorb format, specifically focussed on GDPR in a marketing role.

Who should attend:

  • Any Marketing Professional
  • Directors needing reassurance that their organisation is ready for GDPR
  • Data Professionals.


Webinar:  GDPR for Marketing Professionals
When: Wednesday 11th April Download the presentation and watch the recording here
Time: 1 pm BTS
Host: Robin Sumner, Managing Director Romax Marketing & Distribution.


March 20, 2018

GDPR Glossary

The GDPR uses terminology that marketers may not be familiar with. In order to provide clarity, the DMA has translated these legal terms so that marketers, not just legal professionals can understand the language used.


  1. Anonymous data: the process of removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous.
  2. Consent: According to the GDPR, consent, “means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she. By statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  3. Controller: the organisation or individual that determines how the personal data is processed.
  4. Legitimate interest (LI): A legal ground that can be used to process personal data for direct marketing in certain circumstances. As well as providing the right of individuals to object to the processing of personal data based on LI. The GDPR sets our strict criteria for organisations that seek to rely on LI. These include establishing that the processing is necessary and that a balancing test has been conducted.
  5. Personal data: Any information that can be used to identify a person is personal data. For example, names and email addresses are personal data because they reveal someone’s identity. The GDPR expands the definition of personal data to include IP addresses and online identifiers, like cookies.
  6. Personal data breach: A breach of security that means authorised individuals or groups are able to access personal data. This could be the result of hacking by outside groups or because an employee made a mistake.
  7. Data-protection-by-design: is a new concept introduced by the GDPR, whereby an organisation considers what impact a particular campaign or product may have on privacy from the very start. In a marketing context, this means identifying a campaign’s risk for privacy and/or data protection, recording them and taking appropriate steps to mitigate them., thinking about privacy from the start and nor as an afterthought.
  8. Data-protection-by-default: Similar to Data-protection-by-design, this phrase refers to privacy setting on goods or service. For example, when a phone app goes to market it should have its privacy settings set to the highest level possible as the default setting. The user could then decide to lower the privacy settings if they so wished.
  9. Processing: Any operation conducted on personal data, which may include collecting, recording, storing, structuring, organising, transmission or dissemination of personal data.
  10. Processor: The organisation that only processes personal data according to the instruction of the data controller. For example, an email services organisation only processes personal data in line with what their client tells them and this means they’re a data processor.
  11. Profiling: Any type of automated processing of personal data that evaluates the characteristics of someone in order to make a decision. Marketing segmentation or targeting is a type of profiling.
  12. Pseudonymisation: A method of making personal data no longer attributable to an individual, without further information, meaning someone could not be identified from the data. It is a process that reduces the privacy risks for people as they can no longer be identified.
  13. Special categories of personal data: Criteria of personal data that are subject to stricter requirements because of its sensitive nature. The GDPR lists the following as special categories of personal data: “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of generic data, biometric data for the purpose of uniquely identifying a natural persona, data concerning health or data concerning a natural person’s sexual orientation.”
  14. Supervisory authority: An independent public authority responsible for enforcing the GDPR. The Information Commissioner’s Office (ICO) is the supervisory authority in the UK.
  15. Third party: Any organisation or individual that is nor the data controller or processor that is authorised by either the controller or processor to process personal data. For example, if an organisation sold personal data to another organisation, the organisation purchasing the personal data would be classed as a third party.





Romax Marketing & Distribution, a Greenwich-London based company, provides a wide range of services in Direct Marketing for B2B and B2CDirect Mail, Data Management, Printing, Discount Postage, Membership Communication Services and Marketing Consultancy.

 Contact us: +44 (0) 20 8293 8550


Contact Us


December 19, 2017

What impact will GDPR have on SMEs

General Data Protection Regulation (GDPR) is nearly upon us, and SMEs need to be prepared. So let’s take a look at what it is, the way it’ll affect businesses and what you can do to mitigate the risks.


What is GDPR?

Essentially it is a complete update of existing EU data protection laws. The updates are needed because the way data is gathered, stored and used has changed dramatically since the 1995 EU Data Protection Directive. The new legislation aims to make personal data more secure in the face of rising cyber-crime. It also gives people more power to control their own data.

What impact will it have on SMEs?

Small businesses that gather, process and store personal data will need to audit their existing framework and make changes where necessary. For instance, if a business relies on computer networks and digital storage, it will need to make sure it has taken strong measures to prevent data breaches; this could mean investing in better cyber-security solutions, training staff to be more web-savvy, and implementing policies that aim to stop leaks from within the organisation. Because of the right to access subject – which gives consumers greater power to access their stored data – SMEs may face additional costs.

What are the consequences of not adhering to GDPR?

Businesses, regardless of their size, face fines of 2-4% of their annual turnover or €10-20 million (whichever is greater). It’s been reported, however, that regulators have more discretion when punishing SMEs. So depending on the severity of the situation, SMEs may be treated more leniently. However, it’s not yet clear how much discretion they really have. Besides monetary penalisation, businesses face huge reputational damage for falling foul of GDPR.


What can SMEs do in preparation for GDPR?

The most important thing is to read through all GDPR chapters, articles and recitals and familiarise yourself with the law. Once you have a clear idea of GDPR requirements, you can then audit your business and make changes as per the directives. Document each and every step you take – so if a breach does happen, you’ll have evidence that demonstrates your compliance. To help you get started, the Information Commissioner’s Office (ICO) has put together a useful 12 Step Fact Sheet. If there’s anything you’re unsure about, always seek professional advice.
How will it affect consumers?

Because of active consent, consumers won’t be tricked into giving permission to share personal data. The right to access subject gives consumers more power to request their data without incurring costs. Similarly, GDPR means that businesses will have to clearly inform consumers about their right to object, which is the right to prevent organisations collecting a consumer’s personal data. Overall, it gives consumers a clearer picture of where they stand and gives them more control over their personal data.

What impact will it have on SME marketing?

Small businesses will need to make sure they collect and process data in the right way. This means being clear about consent and the consumer’s rights.

Robin Sumner, Managing director at Romax Marketing, advice: ‘From the beginning, you need to get it spot on – so the first step is to audit your data processing policy and get it in line. You need to create a process that factors in the new requirements so that it flows out from the strategic level into every aspect of your marketing communication. In other words, it needs to be baked into your organisation so that it becomes integral to operations.’





Romax Marketing & Distribution, a Greenwich-London based company, provides a wide range of services in Direct Marketing for B2B and B2CDirect Mail, Data Management, Printing, Discount Postage and Membership Communication Services and Consultancy. Contact us: +44 (0) 20 8293 8550


Contact Us

July 6, 2017

Is the Direct Mail Sector in trouble?

Is the Direct Mail Sector in trouble?

Whether the Direct Mail Sector is in trouble, is much debated within our industry, both by outside commentators, and those that make their living within it. Whilst I agree it is difficult for me to be subjective let’s take a dive into the facts and try to form an educated opinion.

Firstly, what do we mean by “in trouble”? Yes, there have been some notable casualties of late with the latest being the Anton group going into administration. Having had conversations with those within the industry, yes this was unexpected, however, the full facts of management decisions are yet to come to light and will, I suspect, yield some answers. Sadly, as at the time of writing this piece, the administrators were winding the company up with creditors losing everything they were owed.

Are we “in trouble” because of outside factors beyond our control? To a certain extent yes as we have little sway on paper or postage price increases for example. Allied to the raising of costs (such as the increase in minimum wage and pension arrangements) means that the Direct Mail sector does become more and more expensive compared to online channels such as email and therefore margins are squeezed.

Online communications also have one big advantage – instant analytics!

Size is a factor in the recent downfall of some businesses such as the Anton Group. Small to medium size businesses are more agile both in reacting to demand, as well as diversifying into other areas of communication such as online communications and e-publishing. Consolidation will be a big topic over the coming months and years. The trend will, we believe, go from the bigger companies snapping up smaller rivals to similar size companies joining forces in mergers and acquisitions.

Create the insight and fight the pessimism

However, with insight, it is possible to fight back against this wave of pessimism.

Direct Mail has had an issue for a number of years with people’s perception of how the environment is affected by the industry. However, the good folks over at Two Sides have debunked that argument of which we should shout louder about.

Further optimism comes in the form of data taken from some MarketReach analysis. For Marketers, the highlight finding is that 92% of mail recipients will act on what they consume from the mail medium. Further good news only goes to highlight the upward trend in the sector.

And lastly. General Data Protection Regulation (GDPR). We see an opportunity for the Direct Mail Sector with the advent in May 2018 of the new data laws covered by GDPR. If you are unfamiliar with these new laws, some of the best information can be found at the DMA website. This will restrict the way, in particular, digital marketing is conducted and the use of personal data. At the very least those operating digital communications will need to gain or regain more specific permissions from their customer, via a printed communication, so they can continue to engage with them. This presents Direct Mail suppliers the chance to capture more volume of work.

Plan and invest to reap the benefits

The old saying “fail to plan, plan to fail” is never truer than in business. Writing a business plan has some benefits including:

  • forces you to think realistically, objectively and unemotionally about your business
  • leads to questioning of past and future assumptions
  • makes it easier to communicate planning objectives and strategies to bankers, partners, employees, financial backers and so on
  • helps to ensure that all aspects of the plan are clear and integrated
  • serves as a reference point when determining the effects of alternative courses of action on business operations
  • allows you to identify any areas where you may need external assistance
  • allows you to plan the growth of your business and associated capital requirements.

Many companies fail to write one yet the above benefits make it clear to do so would help! You can find many templates and resources on the Web to get you started.

From having a clear strategy, a business can then invest wisely, therefore, making the business more profitable and attractive to new clients. However, with big investments never underestimate the length of deployment or day to day distraction this could involve so ensure you account for this in your plan.

So in conclusion, with the right plan and foresight, along with, crucially the right staff, things look good for the Direct Mail industry.

The blog post was written by Wesley Dowding.

romax_logo_tag_blueRomax Marketing & Distribution, a Greenwich-London based company, provides a wide range of services in Direct Marketing for B2B and B2CDirect Mail, Data Management, Printing, Discount Postage and Membership Communication Services and Consultancy.

Contact us: +44 (0) 20 8293 8550 or filling the form below:

April 21, 2017

GDPR General Data Protection Regulations


 What is GDPR?

GDPR stands for General Data Protection Regulation and is set to replace the existing Data Protection Directive in May 2018. This framework was first put forth by the European Commission in 2012 and was finally agreed upon by the European Parliament and Council. GDPR contains several new protections for data and is due to be enforced in the spring of 2018.

The main aim of the GDPR is:

“to provide individuals with better control over their personal data, in a way that will help businesses to get the most out of the digital single market; through providing them with various business opportunities.”

As the digital economy grows, it is important for laws to be clear with an individual’s rights to be safeguarded and for there to be consistent international data protection regulations. Particularly with the increase in businesses/services operating across borders. It is believed that the introduction of this framework will ultimately contribute to an increase in consumer trust.

How will it affect your Direct Marketing?

The GDPR regulation will change the way you manage, protect, and administer the data under your control. One of the main effects will be how your organisation communicates with your members or customers via email, SMS, telephone, and direct mail.

You will have to provide clear opt in and opt out option for consumers.

Additionally, the recording of consent and improved privacy policies will be a requirement for when personal data is collected.

Data Categories (There are 4)

The GDPR widens the personal data net and clearly defines personal data into four categories which are as follows:

1 – Personal data and unique identifiers – includes online identifiers and location data

2 – Pseudonymous data – that has been through technological measure i.e. hashing or encrypting

3 – Genetic data – to do with an individual’s gene sequence)

4 – Biometric data – such as facial recognition, fingerprints, etc.

What are the Practical Implications?

Crumbling Cookies  – online and unique identifiers such as cookies used to gather data and further target potential consumers Non-EU advertising, analytics and social media platforms will most likely find themselves in a position where they will be legally required to treat these identifiers (cookies) as personal data under the protection of European law and will need to update their policies, procedures and systems as required.

Increased Costs – to carry out processes to organise your data sets and reduce any potential data breach will require system adaptation and human resource. Is your finance director aware of this and have they allocated your department a budget?

Organisational Compliance  – with data subject access, correction, deletion, and transferability being under close scrutiny.

Penalty for GDPR non-compliance

Penalties for not adhering to GDPR

You could face a fine of up to 4% of your organisation’s annual turnover.

Reputational Damage –  portraying a negative image which will ultimately damage your brand

Further Fines – If a company receives high amounts of complaints they could be liable to pay additional fines from the Information Commissioner’s Office (ICO)

To ensure that sensitive data is protected, your organisation will need to identify the risks that exist and then put in place procedures and policies to help mitigate these risks and prevent any problems that may occur.

Ensure that your IT meets GDPR regulations – Areas to consider:

  • Get up to speed with the proposed legalisation.
  • Research anything that you are unsure about.
  • Check your organisation’s  current internal data and IT processes.
  • Look at how to protect all data and whether you can provide evidence that will satisfy any inspection of it.
  • Find a reputable ADISA registered asset disposal expert that will be able to provide useful support and advice on the organisation’s IT lifecycle and provide robust solutions to limit the risk of data non-compliance.
  • Efficient and secure disposal of hardware.
  • Consider the use of personal devices by employees.
  • Be aware of all access to data and limit this beyond systems owned externally to the business so that it is under the sole control of the operating organisation.

6 Helpful Tips

  1. Develop a clear and concise privacy policy
  2. Enable an Opt-in requirement for data sharing
  3. Start implementing privacy through design
  4. Prepare for new data breach reporting requirements
  5. Implement controls to track and manage data
  6. Be prepared for data protection impact assessment


Test your GDPR knowledge – 6 quick questions – Get your result instantly

If you get 6/6 you may well be an expert – if not – come back, download the GDPR Fact Sheet and read on and get up to speed! – Then take it again.


Blog is written by Robin Sumner with research and contribution from Chenyse Taylor

Further Reading and References: FieldFisherDataIq,

Romax_tagRomax Marketing & Distribution provides a wide range of services in Direct Marketing for B2B and B2C, including Direct Mail, Data Management, Printing, Discount Postage, Membership Communication Services, and Consultancy. 

Contact us, either by phone +44 (0) 20 8293 8550, email, or filling the form: