GDPR for Medical Device marketers

14 Sep 21


Although GDPR has been around for a while now, it is still a term that scares marketers and causes them to tread lightly in their marketing activities for fear of not complying. The rules are buried so deep under technical jargon that it can be difficult to really understand what you can and cannot do as a Medical Device marketer.

Luckily, we’re here to clear a few things up and leave you feeling more confident running your marketing campaigns.

GDPR is different from the EU MDR, which came into force in May 2021. As a Medical Device marketer, you need to be aware of both sets of regulations, so once you’re finished here, you can visit our comprehensive EU MDR article and download.

What is GDPR?

The term GDPR refers to the General Data Protection Regulation of 2018. It was put in place to give consumers greater transparency about the collection and use of their personal data.

Although the EU drafted it, it still applies to companies outside the EU collecting data from its citizens. For example, a US-based company would still have to comply with GDPR if collecting data in France or Italy.

Organisations and companies that fail to comply with GDPR leave themselves open to facing vast fines of up to 20 million euros or 4% of annual global turnover, whichever is higher. Not only that, but the damage it can do to a brand’s image can be irreparable as clients and customers lose trust in the company. So, it’s best to get it right!


How to comply with GDPR

The official legal text with all of the regulations on it is lengthy and technical and a lot of it isn’t relevant to you as a Medical Device marketer. Often, the language used is ambiguous, so it is really important to justify everything that you do.

As an organisation that collects personal data of any kind, you must be able to comply with at least one of the six legal bases for processing personal data. These are:

1. Explicit consent – Someone agrees to have their data collected and stored, without being tricked in any way.

2. Performance of a contract – Sometimes you must collect data to create or fulfil a contract.

3. Legitimate interest – This is probably the most obscure basis. In general, it applies when you use data in a way the subject would reasonably expect. You can find out more about legitimate interest from the ICO.

4. Vital interest – This might be used when processing health data to save someone’s life.

5. Legal requirement – This applies when there is a legal obligation to collect and process data; for example, employers need specific data on their employees.

6. Public interest – This is most likely to be used by the civil service and governments.

As a marketer, the safest option is probably always to gain informed consent; that way, you can know with certainty that you are collecting and processing the data legally.

What counts as personal data?

First of all, it is good to clarify what is meant by personal data. It can include names, email addresses, location data, and factors specific to a person’s physiological, genetic, mental, economic, cultural or social identity.

When it comes to online information that you might collect, it includes IP addresses, cookies, devices and search engines used.

It is essential to know that although all of this information could be made available to you, a critical point in the General Data Protection Regulation is that you should only collect the information you need. Storing any data poses a risk, and that risk grows with the amount of data you hold, so you should only hold the minimum you need.

Website data collection

You probably use an analytics tool like Google Analytics or SEMrush to check how your website is performing. You might look at traffic statistics or bounce rate, but whatever data you’re looking at is collected via cookies.

Cookies are small text files that websites use to collect data on users. If you would like to learn more about what they are, check out our article “What are website cookies?”.

Although they’re helpful to marketers, cookies can store a lot of personal information, and you will need to make that explicitly clear to your website visitors. They will need to opt in to being tracked by cookies. You can do this through a cookie banner or pop-up box, where you ask users to accept or refuse cookies.

You should also allow users to personalise their cookie settings; for example, if they want to allow some cookies but not others, they should be able to update their settings to do that. If you’re not sure how to do this, or whether you are compliant, talk to a developer who can work with you to update your website.

Data and privacy policies

As well as including a cookie banner or pop-up, you should also ensure that your website has a cookie and privacy policy that clearly lays out what data your website collects and why.

This should be written in an easy-to-understand way to ensure that readers have full knowledge of what they’re agreeing to.

Typically, you will find cookie and privacy policies linked either in the cookie banner or pop-up or in the website’s footer. This allows users to read about the website’s policies in depth without a large part of the website being dedicated to it.

Writing cookie and privacy policies doesn’t have to be complicated; in fact, there are templates available online if you do not feel able to draft them yourself, such as this template builder from Termly. If using a template, you need to ensure that it is personalised to your website and isn’t giving out any false information. Of course, if in doubt, you should consult a lawyer to ensure that you are fully compliant.

Email marketing data collection

When the GDPR was first released, marketers feared that it would be the end of email marketing, but that hasn’t been true at all. In fact, the new rules have meant that you will only end up marketing to people who have agreed to be marketed to and are therefore more likely to be an engaged audience, so more likely to convert.

This way, you won’t waste time on prospects who have no interest in what you are offering.

If you are looking to build up a mailing list to send out campaigns to, whether it’s monthly newsletters or webinar invites, there are a few rules to follow, which are centred around consent and greater control for the data subject.

  • Explicit consent

    The major rule around email marketing is that you have to gain consent to contact your mailing list. Consent has to be explicit, so you cannot simply tell people they are signing up to join a mailing list in small print at the bottom of the page.

    The best way to ensure that people know what they are signing up for is to create a box that users have to tick to join the mailing list, with copy that states precisely what they are signing up for in no uncertain terms.

    By having users complete an action, i.e. ticking a box, you ensure that you have informed consent and, therefore, a legal basis for storing their data. Again, you should only store the data necessary to carry out your marketing duties, which will probably be their name and email address. As well as being more secure, you don’t risk people abandoning the sign-up form because they cannot be bothered to answer so many questions.

  • Opt-out

    As well as obtaining consent for your mailing list, you must allow people to keep control of their data. This means that not only must you be transparent about what data you store and for how long, you must also delete people’s data if they ask you to.

    Email campaigns should make it easy for people to be removed from your mailing list by having an unsubscribe button. Campaign builders such as MailerLite and Mailchimp make it easy to include unsubscribe functions. You can choose to delete the user’s data immediately or keep it. When you do delete the data, it is your company’s responsibility to ensure that data is destroyed appropriately and cannot be gathered for fraudulent purposes as you will be held accountable.

  • Regularly review data

    The GDPR states that you shouldn’t keep data for too long, so your company should have policies in place to ensure that data is reviewed frequently to either delete it or regain consent. The amount of time you store data for is debatable as the language surrounding it is ambiguous, stating that you cannot keep data “any longer than you need it”. How long you need to store data probably depends on your purpose for acquiring the data in the first place.

    As a Medical Device marketer, your purpose for storing personal data is probably that the person is a customer or a prospect/lead. As long as someone remains a customer, you’ll want to keep their personal data to contact them, but if they stop being a customer, how long will you keep their data before deleting it? Likewise, how long do you store lead data before accepting that they will not convert into a customer? This is up to your company to decide, but it is very important to have clear guidelines so that you can justify how long you store the data for.
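A minimal retention review of the kind the passage describes, as an added example that is not part of the original article. The record layout, the status values and the retention periods (730 days after a customer relationship ends, 365 days for a lead, with a 30-day window for re-confirming consent) are assumptions standing in for whatever a company writes into its own policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention periods are illustrative assumptions a company would write into its
# own policy; the GDPR only says data may not be kept longer than it is needed.
POLICY_DAYS = {"former_customer": 730, "lead": 365}
RECONFIRM_WINDOW = timedelta(days=30)   # ask leads for fresh consent before expiry

@dataclass
class Contact:
    email: str
    status: str                 # "customer", "former_customer" or "lead"
    consent_date: date          # when the explicit opt-in was recorded
    last_activity: date         # last purchase, reply or click
    relationship_ended: Optional[date] = None

def review(contact: Contact, today: date) -> str:
    """Return the action the policy requires: keep, reconfirm_consent or delete."""
    if contact.status == "customer":
        return "keep"                      # needed while the relationship is active
    if contact.status == "former_customer":
        ended = contact.relationship_ended or contact.last_activity
        limit = timedelta(days=POLICY_DAYS["former_customer"])
        return "delete" if today - ended > limit else "keep"
    if contact.status == "lead":
        age = today - max(contact.consent_date, contact.last_activity)
        limit = timedelta(days=POLICY_DAYS["lead"])
        if age > limit:
            return "delete"
        return "reconfirm_consent" if age > limit - RECONFIRM_WINDOW else "keep"
    raise ValueError(f"unknown status {contact.status!r}")

def review_all(contacts, today):
    """Map each contact's email to the action the policy requires."""
    return {c.email: review(c, today) for c in contacts}

# Constructed sample records (no real people); review date is the article's date.
REVIEW_DATE = date(2021, 9, 14)
SAMPLE = [
    Contact("alice@example.com", "customer", date(2019, 1, 10), date(2021, 8, 1)),
    Contact("bob@example.com", "former_customer", date(2018, 6, 1), date(2019, 3, 1), date(2019, 3, 15)),
    Contact("carol@example.com", "lead", date(2021, 5, 1), date(2021, 5, 1)),
    Contact("dave@example.com", "lead", date(2020, 6, 1), date(2020, 10, 1)),
    Contact("erin@example.com", "lead", date(2020, 3, 1), date(2020, 3, 1)),
]

def run_sample():
    return review_all(SAMPLE, REVIEW_DATE)
```

Running the review on a schedule and logging the resulting actions gives the documented justification the passage asks for: each record is either still needed, due for renewed consent, or deleted under a stated rule.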

Our top tips for staying on top of GDPR

  • Develop a set of policies to cover how you are going to stay on top of adhering to the regulations. This should include how much data it is necessary to store and how frequently you are going to review data.
  • Having a customer relationship management system (CRM) will help you to keep track of your customers and the data you have stored on them, making it much easier to control.
  • Review your mailing list sign-up and privacy policy. Make sure that the copy is easy to understand and leaves no room for confusion.
  • Utilise social media. Information on social media is publicly available, so if you want to reach out to prospects individually, social media is a great way to do it!

Keep it simple and transparent!

As you can see, navigating the world of GDPR is no easy task. Sometimes it can be complicated, and the risk of not getting it right can be monumental.

The main thing you can do is keep it simple, always be transparent and get permission. As long as your users know what is happening with their data, you are doing the right thing.

About Podymos

Podymos is a dedicated Medical Device marketing agency. We are passionate about sharing relevant knowledge to expand our clients’ capabilities. If you would like to find out more about what we do, you can visit our services page, or get in contact with us.

And don’t forget to follow us on social media.

