2018 is the year of GDPR. The new legislation is shaking up how businesses use, store and understand the management of personal data.

When the regulation was published back in 2016, businesses were given a two-year period to prepare themselves for the new legislation. With the deadline edging closer and harsh penalties at stake, it’s imperative that your business is ready.

The affiliate industry incorporates various players: from the customer, to the affiliate and the retailer – which means there is a lot to consider. The increased level of data protection will require all players in the affiliate space to review their current practices and improve the management of personal data.

Here’s an overview of what it means for the affiliate industry and how you can prepare for this.

What you need to know

Whilst data protection is already an important topic for businesses, the new GDPR legislation aims to consolidate data protection laws across Europe. Of particular relevance to the affiliate industry, current laws state that those who process personal data on behalf of another organisation are exempt from the responsibility of compliance. Instead, responsibility resides with the data controller – the client.

Changes to legislation under GDPR mean that data controllers and data processors will now both be responsible for the handling of data. So, affiliate marketing websites that process any visitor data will be required to follow GDPR regulations.

In addition to this, in the case of any data breach within an affiliate marketing campaign on a website, a supervisory authority must be informed within 72 hours. If that breach could potentially result in a high privacy risk, those who will be affected must also be notified.

What you need to do: Affiliate Marketing

There are no shortcuts

GDPR is a collective responsibility for affiliate marketing networks, so you all need to be prepared. Each website must disclose its data collection practices and display the consent of visitors agreeing to the management of their data.


If you conduct business with individuals in the European Union, the legislation certainly applies. With globalised business, even if your business resides outside of the EU, if you have European customers, the legislation will affect you.


One of the most important elements of GDPR is the consent of individuals to the use of their personal data. The customer no longer simply opts out; the customer now has to opt in. That includes consent for marketing email, cookies and anywhere else their data will be used. The ability to opt out must be clearly and easily available to customers.

Review consent to ensure that you are still meeting the individual's request, as a person has the right to withdraw their consent at any time.

Be Ready

Research and prepare! There is a lot of work to do – and the penalties of being unprepared are too expensive to bear. Fines for failure to comply with the regulation could potentially be as high as 20 million euros or 4% of global turnover, not to mention the loss of credibility amongst your customers.

There are numerous trusted resources online from which you can research the legislation. Ensure that your business is prepared for 25th May 2018 and remember that the work doesn’t stop there. The handling of data will need to be reviewed on a regular basis to ensure it still meets the regulation.