GDPR Pt 3: The One You Need to Read if you do Email Marketing

Emma Grant

Head of SEO

This month we’ve decided to continue on the subject of GDPR. As we’ve said previously, it’s a broad subject with numerous facets for us all to get our heads around. In our second post in the series, in which we covered the right to be forgotten and data processing under GDPR, we touched on the fact that there was still more to talk about regarding consent. Whilst we covered the topic in our first post in the series, we still need to cover one very important subject that is crucial for email marketers to fully understand: obtaining and refreshing consent.

The good news is that the task of refreshing consent doesn’t have to be viewed as a chore. On the contrary, this is a job that could well bring with it numerous marketing opportunities. So please don’t switch off just yet!

Bringing consistency to digital marketing

Currently the spam regulations of each EU member state vary quite drastically, which is down to the fact that the EU E-Privacy Directive allows them all to translate the (fairly loose) rules into local law in their own ways. This has resulted in each member state using different legislation to govern email marketing.

Enter GDPR: the hero that will bring all of these rules together under one consistent piece of legislation. Great news for email marketers! However, as soon as GDPR comes in on 25th May 2018, all EU member states will be bound by its rules, and these rules will bring with them a raft of changes.

As we’ve mentioned in our previous GDPR posts, the legislation will affect every company that processes the personal data of EU citizens. If as a business you collect email addresses and send email to subscribers anywhere within the EU, then you will be required to comply with GDPR, regardless of where your business is located. Brexit is unlikely to affect any of this.

What are the changes concerning email consent?

GDPR will control how consent is sought, collected and recorded. Marketers will only be permitted to send emails to those who have opted in to receive them. The existing EU Privacy Directive already stipulates a requirement for this in most EU countries; however, under GDPR, the actual nature of the consent will come under scrutiny.

As of next May, any business wishing to send emails will be required to collect affirmative consent that is ‘freely given, specific, informed and unambiguous’.

When we covered consent in our first GDPR post, we talked about opt-in and opt-out processes and looked at compliant and non-compliant examples. Just to recap, consent must be unbundled (never hidden or mandatory); active (opt-out and pre-ticked boxes are outlawed in favour of opt-ins); separated (one consent request per action); named (the organisation requesting the consent should be clearly named); and easy to withdraw (the consumer’s right to withdraw consent must be made clear and the method of doing so must be openly set out).

‘One consent per action’ is important here. If you are contacting your customers using more than one method, for example post, email, telephone and/or text message, then the customer will need to provide consent for each of those individually.

As well as pre-ticked boxes no longer being permissible, silence or inactivity are also not sufficient grounds to assume consent.

Why are you collecting data?

If you are collecting data, then as well as gaining consent, you’ll also need to be completely transparent about your reasons for collecting it and how it will be used.

Most marketers these days, and rightly so, profile data so that they can send relevant offers to their customers. Personalisation is, after all, key to a successful marketing campaign. If you do this, however, you’ll need to make it quite clear to your customers, and then give them the opportunity to object. Again, this needs to be a positive action so that the customer is not made to opt out of an action, but instead given the chance to opt in.

[Company name] will use your personal details and record your buying habits in order to provide you with relevant offers in the future. If you do not wish for us to do this, please tick here.

The above statement is a negative action, because you are asking the customer to opt out. Instead, you should be using something more like this:

[Company name] will use your personal details and record your buying habits in order to provide you with relevant offers in the future. Please tick the box to confirm you are happy for us to do so.

Every time you collect an email address, whether it’s via a website sign-up form, at an exhibition, through a postal mail out, in exchange for a free download or competition entry, or anything else, you will need to go through this process. GDPR does not permit the collecting, storing or use of email addresses under any circumstances without first having gained the relevant consent.

Record keeping will also form a crucial part of GDPR. You’ll need to keep comprehensive records of every consent you collect, as GDPR provides that reasonable evidence must be presented in order to prove compliance. Possible methods of storing consents include taking screenshots of the app or web page where consent was provided and, of course, scanning any physical forms onto your system.


Important – GDPR applies to existing data too

Crucially, GDPR will apply to ALL data captured both before the introduction of the Regulation, and after.

This means that, if you haven’t followed GDPR rules to collect the data you already have (and/or don’t have sufficient evidence to prove that you have), then you’ll need to refresh all your existing mailing lists and re-gain consent for every entry listed on them before you can send anything on or after 25th May 2018.

If this applies to you, don’t panic. In fact, look upon it as a fantastic marketing opportunity.

You have a viable reason to contact everyone on your mailing list, and perhaps even to find out more about them. A great chance to discover those golden details that will help you get closer to your customers and prospects and better tailor the information and offers you send to them.

If you need to do this, and most marketers will, our advice is, do it sooner rather than later. Put yourself in the shoes of the consumer: imagine the abundance of emails that are going to start coming through in the run-up to May next year requesting consent. Eventually you will tire of them, and through frustration could well end up hitting delete rather than responding. And that is certainly NOT what you want to happen with YOUR customers!

Are you ready for GDPR?

If you are in any way concerned about how GDPR will affect your marketing strategies, why not speak to a digital marketing agency in London? We have worked hard to ensure we know precisely how the Regulation will affect digital marketing, and we’re here to assist by helping you to plan effective, compliant campaigns.
