GDPR and Email Marketing

GDPR: What Email Marketers Need to Know

GDPR, or the General Data Protection Regulation, is on the way! Mark the date in your calendar; May 25, 2018. You may have heard a lot of talk about what GDPR is and how it affects your marketing operations, here we'll break it all down to short actionable steps.

What is GDPR?

The GDPR is a set of guidelines set out by the European Union, or EU, to give consumers a bigger say in how companies collect and use their data, with the aim to make it completely uniform across the EU. As mentioned above, these will come into play on the 25th May 2018. These guidelines not only give more power to consumers, they also allow businesses to all operate under one set of guidelines with clearly defined rules. GDPR will apply to any company processing consumer data belonging to EU residents. It's also been confirmed that the UK will enforce GDPR, regardless of Brexit.

What does it mean for me?

The GDPR guidelines will mean you will need to review both how you capture and how you process user data. Here are some key points from the DMA, or Direct Marketing Association:
  • Asking for consent should be separate from other terms and conditions, so individuals are clear what they consenting to. Consent should not be a pre-condition of signing up to a service unless it is necessary for that service.
  • Active opt-in: The GDPR makes it clear in the recitals that pre-ticked boxes are not a valid form of consent. Clear opt-in boxes should be used.
  • Granular: Where there are various different types of data processing that may occur, allow for separate consent as much as possible. The ICO want  organizations to be as granular as possible which means giving consumers more control over what they’re consenting to.
  • Named: Always tell individuals who your organization is and name any third parties that the data will be shared with. The draft ICO guidance states that terms like ‘we will only share your data with other men’s clothing retailers’ are not specific enough. The individual organizations that the data will be shared with need to be named.
  • Documented: Maintain records of the consents you have. Record the following information: what the individual has consented to; what they were told at the time; and the method of consent.
  • Easy to withdraw: Individuals should be easily able to withdraw their consent. Organizations must put in place simple, fast methods for withdrawing consent and tell individuals about their right to withdraw consent.
  • Freely given: Consent should be freely given by individuals.

Yikes! What if I don't follow the guidelines?

Under GDPR supervisory authorities will be able to impose some pretty hefty fines, depending on circumstances. They break these fines into two tiers:
  • €20 million or 4% of annual global turnover for breaches of, for example, the principles of processing and data subjects' rights
  • €10 million or 2% of annual global turnover for breaches of obligations including maintaining written records, implementing technical and organizational measures and in relation to the appointment of Data Protection Officers.
You definitely don't want to be on the wrong side of one of those fines!

So, what do I do?

The ICO have laid out a fantastic 12 step program to ensure you're fully compliant before GDPR hits. Some of it, however, only applies to users in the UK, so we're pulled out some key points for you to review.
  1. Awareness - You should make sure that decision makers and key people in your organization are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
  2. Information you hold - You should document what personal data you hold, where it came from and who you share it with. You may need to organize an information audit.
  3. Communicating privacy information - You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  4. Individuals’ rights You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
  5. Subject access requests - You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
  6. Lawful basis for processing personal data - You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
  7. Consent - You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
  8. Data breaches - You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.


As you can see, there is a lot of work to be done! With less than a year until GDPR hits us, you don't want to be retrofitting all of these privacy notices and data capture forms, you want to be well prepared. As always, I welcome your comments on this blog. I'm by no means an expert on GPDR and any feedback or actionable tips for email marketers will be well received!

Don't guess, test!

Try out email testing free today! Email is an ever-changing medium, that's why we offer a 7 day free trial of our testing suite.