GDPR and email marketing

The General Data Protection Act (GDPR) came into effect in May 2018. The original directive for EU Data Protection is old and out-dated.

It was passed in 1995, and a lot has changed since then in the way data is used. The new regulations require organisations to have a stricter handle on how they obtain and use data, and provide the public with greater control on how their information is used.

The update is designed to protect EU citizens from privacy and data breaches in our increasingly data-driven world.

GDPR is a big deal

So important are the changes, the topic featured in the Queen’s speech in 2017, where it was confirmed that GDPR would remain as part of UK law after Brexit. The speech acknowledged that “over 70% of all trade in services are enabled by data flows, meaning that data protection is critical to international trade”. With that in mind, it’s crucial that we have regulations in place which are suitable for our digital age, so citizens have better control of their data. But what does it actually mean in practice and how can you take the first steps to ensure that your organisation is compliant?

It’s a topic that is hot on the lips of industries far and wide and it guarantees change in the way companies handle their data. Is it a big deal? In short – yes. But there is much to be gained, and it’s a great opportunity to improve data management, reconnect with customers and strengthen those relationships.

Actions for email marketers

Digital communication is key for marketers. We have to utilise multiple channels, one of the most popular being email. GDPR for email marketing has lots of implications. It will affect the way data for email can be collected, how it is stored, the manner in which it is used in the future, and how this is all communicated your customers.

Worried about what you need to do and how? Fear not. There’s plenty of time, and we have developed a hit list of pointers to benchmark yourself against, and steps you need to take to become fully compliant:

  1. If your customers reside within the EU then the GDPR changes apply to you no matter where your company is located, so ascertain your customers’ whereabouts, if you don’t already know (this can be confirmed by IP addresses if you have them). We recommend complying with the regulations for all customers, in and outside the EU – it’s good marketing data protection practice, and stands to only benefit you.
  2. Prepare for a new opt-in campaign for your existing EU customers. Even if you previously obtained permission to use their email address, you will need to solicit explicit, positive permission from them once again.
  3. Review any requests for email addresses, including pop-up windows and sign-up forms, to make sure the language is clear and specific, and explicitly covers all the reasons for using that address.
  4. Implement a double-opt in process for email sign ups. A benefit to this is that it provides you with the opportunity to clarify how you will be using your customer’s data.
  5. Keep a record of all the points at which customers have given permission to use their email address, and be prepared to present these records if asked. Make it clear that individuals are entitled to access records of their data, and explain clearly how to do so.
  6. Take steps to protect against potential breaches in security. Review your current data storage and security practices to see if additional measures should be added. [1]

So how did you fare? If you are already implementing some if not all of the above, then congrats – you are well on your way to GDPR compliance! If you aren’t, don’t panic just yet. There is still time.

A positive impact

That said, there is so much to gain from the principles of GDPR, so you might as well take the changes by the horns and start using them as the foundation for making your email marketing platform the absolute best it can be.

Unconvinced? Consider the following:

  1. The stricter rules can improve your bounce rate, thus increasing email deliverability and your sender reputation. Having your emails interpreted as spam becomes less likely.
  2. The key metrics with email communication are around engagement. A refined list of individuals who have positively opted in to communications should be much more engaged. This means higher click-through, open, engagement and conversion rates in your email campaigns.
  3. Now more than ever, consumers are aware that their personal data is valuable to businesses. They’re also increasingly suspicious about how their data is used, which is something that GDPR will help to ease. More transparency has two benefits: it boosts trust at the outset, but it’s also an opportunity to tell your customer how giving you their data will benefit them – all the ways it will enable you to serve them better.
  4. Stopping data breaches before they happen should be easier under the new GDPR regulation. Additional data protection and security regulation benefits both customer and brand. No business wants to deal with the negative PR which accompanies data losses and breaches. [2]
  5. You can incorporate a lead generation element into the process. A real benefit of the need to speak directly to individuals in order to gain their consent, or not, is that it presents the ideal opportunity to qualify them as leads and identify business potential.

… and if none of the above have convinced you, perhaps the fine of 4% of your company’s turnover or €20 million (whichever is more) might change your mind!

We’re here to help

As well as ensuring mark-making* is fully compliant, we are assisting several of our clients in their journey to data protection marketing through bespoke advice and support. If you have any GDPR-related concerns, or think your company would benefit from a tailored helping hand, then do not hesitate to get in contact.

If you want to learn more, Futurelearn has a free online course “Understanding the General Data Protection Regulation” starting on 1st November – we’ve found their material very useful in the past.

We leave you with a little food for thought and a useful list from EUGDPR of the main changes to be aware of, to set you off in the right direction on your journey to GDPR compliance:

The main changes happening under GDPR

Extended jurisdiction

GDPR applies to all companies processing the personal data of data subjects residing in the union, regardless of the company’s location.


Fines of up to 4% of annual global turnover or €20 million (whichever is greater) can be imposed on companies for the most serious infringements of the regulations. For example, not having sufficient customer consent to process their data. This is applicable to both controllers and processors – meaning ‘clouds’ will not be exempt.

Stronger conditions for consent

Companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

Breach notification

Will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must take place within 72 hours first having become aware of the breach. Data processors will also be required to notify their customers, the controllers “without undue delay”.

Right to access

Data subjects will have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. The controller must also provide a copy of the personal data, free of charge in an electronic format.

Right to be forgotten

Data subjects will be entitled to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. Conditions for erasure include the data no longer being relevant to original purposes for processing, or the data subject withdrawing their consent.

Data portability

Involves the right for a data subject to receive their personal data from a data controller in a “commonly used and machine-readable” format, and supply it to another controller.

Privacy by design

Calls for the inclusion of data protection in the designing of systems, as opposed to being added on at a later date. The regulations call for controllers to only hold and process data that is necessary for the completion of duties, as well as limiting the access to this data to those who need to act out the processing.

Data Protection Officers (DPOs)

Internal record keeping requirements will be put in place, and the appointment of DPO’s will be mandatory only for controllers and processors who do regular, systematic monitoring of data subjects on a large scale, or are dealing with categories of data relating to criminal convictions and offences.

Key definitions

Data subject: “an individual who is a subject of data”
Data controller: “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.”
Processor: “any person (other than an employee of the data controller) who processes the data on behalf of the data controller.” [3]

About markmaking*

mark-making* is an award-winning creative agency specialising in branding, campaigns and communications