What does GDPR Mean for Email Marketing?

The General Data Protection Regulation (GDPR) comes into force on the 25th May 2018. GDPR is EU legislation which aims to improve data protection for European data subjects. It is applicable to businesses of all sizes located in the EU, as well as businesses outside of the EU who process personal data of EU citizens. You can read more about some of the points surrounding GDPR here.

GDPR is fundamentally about the privacy and protection of EU citizens and it has major implications for marketing, and in particular, email marketing.

Some of the key challenges which GDPR presents for email marketing are outlined below.

Opt-In Versus Opt-Out

A big change that the GDPR brings is the definition of providing consent, or opting in to receive an email. Passive opt-ins, such as making opt-in a default, will no longer be sufficient. You can no longer assume people want to be contacted by your company; rather, they must explicitly opt in. Consent must now be “freely given, specific, informed, and unambiguous”, and reinforced by a “clear affirmative action”.

Many practices previously used by companies to grow their databases will no longer be compliant. For example, the method of using a whitepaper as a lead generation form will need to be reviewed. If you do not inform people that their information will be used to send marketing messages, or if they don’t explicitly give you permission to do so, you can no longer add them to your mailing list.

You need to tell visitors exactly what you are going to do with their data.

GDPR Applies to Historical Data

Under the GDPR, there is no allowance for data that was captured prior to the introduction of the GDPR. Therefore, companies will no longer be allowed to use email addresses that were historically obtained from passive opt-in processes.

In order to be compliant, organisations have two options:

  1. They can delete all their contacts from their database, similar to what Wetherspoons did, or,
  2. They can run a re-permission campaign before GDPR comes into force on the 25th May 2018.

As deleting all of your emails may be a bit drastic, a re-permission campaign may be a good alternative. The aim of a re-permission campaign is to get your existing database to opt in, and to be able to record and prove this opt-in in the event of an audit.

Typically, a re-permission campaign will result in a reduction of the number of people on your database. However, those who actively opt in are likely to be more engaged in what you are selling, leading to better open rates and more conversions.

Right to be Forgotten

Under the GDPR, individuals have more control over how their data is being used, as well as a right to be forgotten. The right to be forgotten refers to the individual’s right to access their data, as well as to have it removed. In terms of email marketing, complying with the right to be forgotten can be as simple as including an unsubscribe link in all newsletters, as well as a link for users to manage their preferences.

The Risks of Non-Compliance with GDPR

The risks of non-compliance with GDPR are high, with fines of up to €20 million or 4% of turnover, whichever is higher. With only three months left until GDPR comes into play, businesses should be doing all they can to ensure compliance.


IMS Marketing are running a GDPR for Marketing Seminar in April. Stay tuned for more information on this.
