Responsive Menu
Add more content here...

GDPR for Medical Device marketers

14 Sep 21 | 14:06:25

Although GDPR has been around for a while now, it is still a term that scares marketers and causes them to tread lightly in their marketing activities for fear of not complying. The rules are buried so deep under technical jargon that it can be difficult to really understand what you can and cannot do as a Medical Device marketer.

Luckily, we’re here to clear a few things up and leave you feeling more confident running your marketing campaigns.

GDPR is different to the EU MDR released in May 2021. As a Medical Device marketer, you need to be aware of both sets of regulations, so once you’re finished here, you can visit our incredibly comprehensive EU MDR article and download.

What is GDPR?

The term GDPR refers to the General Data Protection Regulation of 2018. It was put in place to give consumers greater transparency about the collection and use of their personal data.

Although the EU drafted it, it still applies to companies outside the EU collecting data from its citizens. For example, a US-based company would still have to comply with GDPR if collecting data in France or Italy.

Organisations and companies that fail to comply with GDPR leave themselves open to facing vast fines of up to 20 million euros or 4% of annual global turnover, whichever is higher. Not only that, but the damage it can do to a brand’s image can be irreparable as clients and customers lose trust in the company. So, it’s best to get it right!

How to comply with GDPR

The official legal text with all of the regulations on it is lengthy and technical and a lot of it isn’t relevant to you as a Medical Device marketer. Often, the language used is ambiguous, so it is really important to justify everything that you do.

As an organisation that collects personal data of any kind, you must be able to comply with at least one of the six legal bases for processing personal data. These are:

  1. Explicit consent – Someone should agree to have their data collected and stored without being tricked in any way.
  2. Performance of a contract – Sometimes, you must collect data to create a contract
  3. Legitimate interest – This is probably the most obscure basis. In general, this is when you use data because the subject would expect you to. You can find out more about legitimate interest from the ICO.
  4. Vital interest – This might be used in processing health data to save someone’s life.
  5. Legal requirement – This is when there is a legal obligation to collect and process data; for example, employers need specific data on their employees.
  6. Public interest – This is most likely to be used in civil service and governments.

As a marketer, the safest option is probably always to gain informed consent; that way, you can know with certainty that you are collecting and processing the data legally.

personal data

What counts as personal data?

First of all, it is good to clarify what is meant by personal data. It can include the following: names, email addresses, location data, a person’s physiological details, genetic, mental, economic, cultural or social identity. When it comes to online information that you might collect, it includes IP addresses, cookies, devices and search engines used.

It is essential to know that although all of this information could be made available to you, a critical point in the General Data Protection Regulation is that you should only collect the information you need. Storing any data poses a risk, and that risk grows with the more data you hold, so you should only hold the minimum amount that you need.

Website data collection

You probably use an analysis tool like Google Analytics or SEMrush to check how your website is performing. You might look at traffic statistics or bounce rate, but whatever data you’re looking at is collected via cookies.

Cookies are small text files that websites use to collect data on users. If you would like to learn more about what they are, check out our article “What are website cookies?”.

Although they’re helpful to marketers, cookies can store a lot of personal information, and you will need to make that explicitly clear to your website visitors. They will need to opt-in to be tracked by cookies. You can do this through a cookie banner or pop-up box, where you ask users to accept or refuse cookies.

website cookies

You should also allow users to personalise their cookies settings; for example, if they want to allow some cookies but not others, they should be able to update their settings so that they can do that. If you’re not sure how to do this or if you are compliant, you can talk to a developer to work with you and update your website.


Data and privacy policies

As well as including a cookies banner or pop up, you should also ensure that your website has a cookies and privacy policy that clearly lays out what data your website collects and why. This should be written in an easy-to-understand way to ensure that readers have full knowledge of what they’re agreeing to.

Typically, you will find cookie and privacy policies either linked in the cookie banner or pop up or in the website’s footer. This allows users to read about the website’s policies in-depth, but there doesn’t need to be a huge part of the website dedicated to it.

Writing cookie and privacy policies doesn’t have to be complicated; in fact, there are templates available online if you do not feel able to draft it for yourself, such as this template builder from Termly. If using a template, you need to ensure that it is personalised to your website and isn’t giving out any false information. Of course, if in doubt, you should consult a lawyer to ensure that you are 100% compliant.

Email marketing data collection

When the GDPR was first released, marketers feared that it would be the end of email marketing, but that hasn’t been true at all. In fact, the new rules have meant that you will only end up marketing to people who have agreed to be marketed to and are therefore more likely to be an engaged audience, so more likely to convert. This way, you won’t waste time on prospects who have no interest in what you are offering.

If you are looking to build up a mailing list to send out campaigns to, whether it’s monthly newsletters or webinar invites, there are a few rules to follow, which are centred around consent and greater control for the data subject.

Explicit consent

The major rule around email marketing is that you have to gain consent to contact your mailing list. Consent has to be explicit, so you cannot simply tell people they are signing up to join a mailing list in small print at the bottom of the page.

The best way to ensure that people know what they are signing up for you should create a box that users have to tick to join the mailing list, and the copy should state precisely what they are signing up for in no uncertain terms.

By having users complete an action, i.e. ticking a box, you will ensure that you have informed consent and, therefore, a legal basis for storing their data. Again, you should only store the necessary data to carry out your marketing duties, which will probably be their name and email address. As well as being more secure, you don’t risk people dropping out of the signing up questionnaire because they cannot be bothered to answer so many questions.


As well as giving consent, your mailing list, you must allow people to have control of their data. This means that not only must you be transparent about what data you store and for how long, you must also delete people’s data if they ask you to.

Email campaigns should make it easy for people to be removed from your mailing list by having an unsubscribe button. Campaign builders such as MailerLite and Mailchimp make it easy to include unsubscribe functions. You can choose to delete the user’s data immediately or keep it. When you do delete the data, it is your company’s responsibility to ensure that data is destroyed appropriately and cannot be gathered for fraudulent purposes as you will be held accountable.

Regularly review data<

The GDPR states that you shouldn’t keep data for too long, so your company should have policies in place to ensure that data is reviewed frequently to either delete it or regain consent. The amount of time you store data for is debatable as the language surrounding it is ambiguous, stating that you cannot keep data “any longer than you need it”. How long you need to store data probably depends on your purpose for acquiring the data in the first place.

As a Medical Device marketer, your purpose for storing personal data is probably because that person is a customer, or they are a prospect/lead. As long as someone remains a customer, you’ll want to keep their personal data to contact them, but if they stop being a customer, how long will you keep their data before deleting it? Likewise, how long do you store leads data before accepting that they will not convert to becoming a customer? This is up to your company to decide, but it is very important to have clear guidelines on it so that you can justify how long you store the data for.

Our top tips for staying on top of GDPR

  • Develop a set of policies to cover how you are going to stay on top of adhering to the regulations. This should include how much data it is necessary to store and how frequently you are going to review data.
  • Having a customer relationship management system (CRM) will help you to keep track of your customers and the data you have stored on them, making it much easier to control.
  • Review your mailing list sign-up and privacy policy. Make sure that the copy is easy to understand and leaves no room for confusion.
  • Utilise social media. Information on social media is publicly available, so if you want to reach out to prospects individually, social media is a great way to do it!

Keep it simple and transparent!

As you can see, navigating the world of GDPR is no easy task. Sometimes it can be complicated, and the risk of not getting it right can be monumental. The main thing you can do is keep it simple, always be transparent and get permission. As long as your users know what is happening with their data, you are doing the right thing.

About Podymos

Podymos is a dedicated Medical Device marketing agency. We are passionate about sharing relevant knowledge to expand our clients’ capabilities. If you would like to find out more about what we do, you can visit our services page, or get in contact with us.

And don’t forget to follow us on social media

Join the mailing list

Related Articles

should you have a chatbot on your website cover image
8 June 2023 | 12:19:19
Should I have a chatbot on my website? The pros and cons.
Have you ever wondered if you should include a chatbot on your website? Do you want to know the advantages...
man looking at computer with confused expression because of medical device branding mistakes
6 June 2023 | 14:10:52
What are the most common medical device branding mistakes?
Are you just getting started on creating the branding for your company? Maybe you have a well-established brand, but are...
Two women editing video
5 June 2023 | 14:39:54
Video vs Animation: Which is better for medical device companies?
Are you considering introducing videos into your marketing efforts, but aren’t sure whether you need a video or animation? Maybe...
Marketing team working on a new project
30 May 2023 | 09:20:05
How much does a Medical Device messaging project really cost in 2023?
When launching a new medical device, the first thing needed is to create clear, concise and easy-to-understand messaging that resonates...
Marketing professionals smiling and discussing a client
29 May 2023 | 13:00:58
Why is consistency so important in Medical Device marketing?
Are you looking to bring more consistency into your brand? Is your marketing looking a bit messy? Consistency in marketing...
Coworkers sharing content
25 May 2023 | 12:00:25
How much does an effective content marketing strategy really cost in 2023?
Are you looking to stand out from the crowd and reach your target audience in a way few others are?...
Business woman talking with client on mobile phone
25 May 2023 | 09:15:59
How does Podymos ensure efficiency and accuracy when onboarding new clients?
Starting work with a new agency can be a nerve-wracking time for a Medical Device company. How can you be...
Co workers reviewing a presentation
23 May 2023 | 09:22:39
Medical Device Marketing: What you can and can’t say in 2023?
Are you wondering what you can and can’t say about your Medical Device in 2023? Are you confused about what...


We use cookies to give you the best online experience. By agreeing you accept the use of cookies in accordance with our cookie policy.

Privacy Settings saved!
Privacy Settings

When you visit any web site, it may store or retrieve information on your browser, mostly in the form of cookies. Control your personal Cookie Services here.

These cookies are essential in order to enable you to move around the website and use its features. Without these cookies basic services cannot be provided.

Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.

Used on sites built with Wordpress. Tests whether or not the browser has cookies enabled

Decline all Services
Accept all Services
Thank you! Your subscription has been confirmed. You'll hear from us soon.