GDPR Compliance – What we’re doing

clear skies of GDPR compliance

GDPR Compliance – What we’re doing

Here at fastmap, one of the key components of our research in the last couple of years has been helping organisations with their GDPR compliance, whether that be through providing data driven recommendations towards post-GDPR legitimate interest  and consent or through our workshops. However, while helping other organisations is all well and good, we at fastmap are also subject to the regulation changes and the restrictions that come with them. With this in mind, this article is written to demonstrate some of the ways in which we introduced our GDPR strategy, to show that we ‘practice what we preach’.

The Split: Research vs. CRM

As both researchers and an agency, it was vital for fastmap to distinguish between the two in our GDPR strategy. As such, we developed two different approaches to GDPR compliance.

GDPR Compliance: fastmap as Researchers

As researchers, it is paramount that we anonymise participant data and remove personal identifiers (PI) as soon as possible, while at the same time maintaining access to the data we actually need for our research. We also need to ensure that we were maintaining ethical research standards and being transparent as to where their data is going and is being held. Fortunately, only minor changes were necessary as we already treated participant information with integrity and care.

Figure 1 shows a simplified version of our GDPR approach as researchers. The key take away from the flow diagram is that participant PI are anonymised and removed from our system shortly after the project has come to a close. That is not to say we remove the actual research data from our system, its just that there are no PI that can link survey responses to actual participants.

Figure 1

GDPR Compliance: fastmap as an Agency

As an agency, more work was required to restructure our database to ensure GDPR compliance. A key issue was that there was a pre-CRM period, where we had insufficient information regarding consent of contacts in our database. On opening of our CRM, we updated our contacts and removed inactive contacts, however we still had a large number of invalid entries from the pre-CRM era. Figure 2 shows a simplified version on the problem.

Figure 2

To tackle this issue, we launched an email campaign with two main objectives. The first was to ask people from the pre-CRM era to reconsent to our marketing. The stages of this campaign are outlined in Figure 3. For contacts that we obtained in our CRM period, we simply sent an email notifying people of our new T&Cs and Privacy Policy. The outcome was a fully compliant and engaged database, which we can proudly bring forward post-GDPR.

Figure 3

A Brave New World

Moving forward, fastmap will maintain compliance with GDPR and embrace a new data culture. We hope that GDPR will counteract data apprehensions that have been gathering like a storm in the past couple of years – as we discussed in a recent post on data fundamentalism – and business-consumer relationships will be strengthened. However, time will only tell in this case.

For more information about fastmap’s research into data protection, post-GDPR Legitimate InterestConsent and more, visit or get in touch with David Cole, Managing Director, fastmap on +44 (0) 20 7242 702 or

Contact Us