GDPR – What email marketers need to know

Our digital account manager Ellie kicks off our Inbox Unlocked series with this blog about the General Data Protection Regulation (GDPR). If spoken word’s more your thing, you can see and hear Ellie and Jayne talk about this and more in our latest lunch and learn*.* 

Digital privacy is a real hot topic at the moment. Theresa May is letting internet service providers stalk your online behaviour and report back to the government, and America is imploding as Trump overturns Internet privacy rules. But the EU is taking a real step in the right direction by introducing the GDPR next year to protect the privacy of individual data.

The rules may seem terrifying to us marketers, but as individuals, I’m sure we can all agree that getting an unwanted email from an unknown sender is rage-inducing. We’re often left wondering how on earth these people even get our details.

The GDPR should be welcomed as a way of improving your relationship with subscribers. And don’t worry, you’ve got plenty of time to get your act together before the rules come into force.


The why, when, where and how

The GDPR will come into effect in May 2018 to formalise what should be common-sense data rules.

It will affect personally identifiable data, which includes email addresses and cookies too.

The rules will apply to any email received by someone located within the EU, meaning the rules are applied based on your recipient’s location.

So, no: Brexit won’t make us exempt. If you’ve got subscribers who live or travel in the EU, you must be compliant. These rules are best practice anyway, so this is your chance to get ahead of the game before we see any specific UK legislation introduced.


How GDPR affects data collection for email marketing

  1. Permission is a privilege, not a right.
    You must get explicit permission to contact people, with your recipient actively subscribing to your list themselves. This means that you can’t use a pre-checked box.
  2. Be open
    Any terms and conditions surrounding how you use data for email marketing purposes must be separate from your other terms and conditions. And you must detail any third parties who have access to the data too.
  3. Don’t buy it
    You must obtain your data via a sale or sale negotiation with the person you’ll be contacting. This could be a phone call, over the counter, a LinkedIn message, or even exchanging details at an event or exhibition.


Using collected data

  1. Your details

It’s important that you keep an unsubscribe link in every communication. You must also include your company name and registered address every time.

  1. No stale data

You can’t use the data if there hasn’t been a transaction between you and the contact within the last 12 months. This is a little woolly – what counts as a transaction is quite hard to quantify. If you’re having regular negotiations and discussions with a given party, then the sale negotiation point above applies.

  1. Keep backdated records

You not only have to retain proof of consent to contact people going forward, you have to have backdated information for anyone who was added to the list prior to 2018 and you’ll still be contacting.


What if I’m working with an agency?

Under the GDPR you’re most likely the data controller and an agency counts as a data processor.

Both parties have a responsibility to be compliant. So, if we’re the ones sending your emails, start talking to us.

First off, we need to talk about how you keep your data clean, how you collect it and what information you supply to us. Is there a way we can make this less admin-heavy with the above rules coming into place?

We then need to start contacting anyone you’ve identified as ‘stale’ data or as data where there’s no consent on file. We’ll then try to rejuvenate this data and update your records.

Finally, we need to collaborate and put processes in place to regularly review how we’re doing and plan tactics for keeping records up to date across both our systems.



The fines recently levied on Google and Microsoft surrounding data protection show that governing bodies aren’t afraid of enforcement.

The GDPR holds penalties of up to 4% of turnover or €20 million – whichever is greater. This is the worst-case scenario for unrepenting sinners who make no effort to change their ways, but there’s a sliding scale depending on the severity and type of breach.


So what’s next?

You’ve got 322 days, 13 hours and 44 minutes (at the time of writing!) to get ship-shape.

If you’re worried about your data, don’t hesitate to email or call 01527 573 770 and we’ll help you plan for the GDPR.

Posted by:


Previous Article

Back to Blog

Next Article

Discover More

want to talk?

Get in Touch