GDPR – What email marketers need to know

Digital privacy is a real hot topic at the moment. We have Theresa May letting Internet Service Providers stalk your online behaviour and report back to the government and America imploding as Trump overturns internet privacy rules. But the EU is taking a real step in the right direction, introducing the General Data Protection Regulation (GDPR) to protect the privacy of individual data.

These rules may seem terrifying to us marketers, but as individuals I’m sure we can all agree that getting an unwanted email from an unknown sender is a rage-inducing experience. How on earth do these people even get your email address!?

The GDPR should be welcomed as a way of improving your relationship with subscribers. And don’t worry, you’ve got plenty of time to get your act together.

The why, when, where and how

The GDPR will come into effect in May 2018 to formalise what should be some common sense data rules.

It will affect personally identifiable data which includes email addresses and cookies too.

The rules will apply to any email that is received by someone located within the EU i.e. the rules are applied based on the location of your recipient.

So no…Brexit won’t make us exempt. If you’ve got subscribers who could potentially be in the EU then you must be compliant. Equally, these rules are best practice already so this is your chance to get ahead of the game before we see any specific UK legislation introduced.

How it affects data collection for email marketing

  1. Permission is a privilege, not a right
    You must get explicit affirmative permission to contact people, with people actively subscribing to your list themselves. This means that you can’t have a pre-checked box.
  2. Be open
    Any terms and conditions surrounding how you use data for email marketing purposes must be separate from your other Ts&Cs, and you must detail any third parties who have access to the data too.
  3. Don’t buy it
    Data must be obtained via sale or sale negotiation with the individual you will be contacting. This could be a phone call, over the counter, a LinkedIn message, or even exchanging details at an event or exhibition.

When you come to use this data…

  1. Your details
    It’s important that you keep an unsubscribe link in every communication. You must also include your company name and registered address every time.
  2. No stale data
    You can’t use the data if there hasn’t been a transaction within the last 12 months. This is a little woolly – what counts as a transaction is quite hard to quantify. If you are having regular negotiations and discussions with a given party, then the sale negotiation point above applies.
  3. Keep backdated records
    You not only have to retain proof of consent to contact people going forward, you have to have backdated information for anyone who was added to the list prior to 2018 and is still being contacted going forward.

What if I’m working with an agency?

Under the GDPR you’re most likely the Data Controller, and an agency counts as a Data Processor.

Both parties have a responsibility to be compliant. So if we’re the ones sending your emails, start talking to us.

First off we need to talk about how you keep your data clean, how you collect it and what information you supply to us. Is there a way we can make this less admin heavy going forward with the above rules coming into place?

We then need to start contacting anyone you’ve identified as ‘stale’ data or as data where there is no consent on file. We’ll then try to rejuvenate this data and update your records.

Finally, we need to collaborate and put processes in place to regularly review how we’re doing and plan tactics for keeping records up to date across both our systems.


The fines recently levied on Google and Microsoft surrounding data protection show that governing bodies aren’t afraid of enforcement.

The GDPR holds penalties of up to 4% of turnover or €20 million, whichever is greater. This is the worst-case scenario for unrepentant sinners who make no effort to change their ways, but there’s a sliding scale depending on the severity and type of breach.

So what’s next?

You’ve got 322 days, 13 hours and 44 minutes (as of the time of writing) to get yourselves in ship shape.

If you’re worried about your data, don’t hesitate to get in touch with our team and we’ll help you plan for the GDPR.

Posted by:

Elanor Edwards

Digital Account Manager
