As every marketer keeps being reminded, the EU General Data Protection Regulation (GDPR) comes into force this May. But how will GDPR impact email marketing?

In this blog post, we explore the risks and opportunities GDPR presents to marketers. What follows is a summary of a discussion we had on our recent GDPR webinar, which you can view on demand here.

How are marketers feeling about GDPR?

Marketers are taking GDPR seriously and 40 percent of our webinar attendees believe it will have a large impact on their business.

This has prompted marketing teams to plan ahead—75 percent of our attendees already have a GDPR strategy in place.

If you aren’t quite so organised, don’t panic. You’re in the right place.

Why does GDPR exist?

GDPR was created to give the public better protection and control over their personal data.

It becomes enforceable as of 25th May 2018 and there are potential fees for non-compliance. However, this doesn’t mean we need to brace ourselves for a witch hunt.

The threat of fees is there to ensure companies take GDPR seriously, prompting them to audit data and change processes. It is not intended to send companies into a state of panic.

The date of enforcement exists to act as a catalyst for a shift in attitude towards consumer data. It is by no means the end of the process and GDPR is not simply a box-ticking exercise. Companies will need to continue to assess and refine processes on an ongoing basis.

According to Elizabeth Denham, the Information Commissioner, to prepare for enforcement companies need to:

  • show organisational commitment to complying (starting at board level)
  • understand and document the information you have (where it came from, who you share it with, what consent was given)
  • implement accountability measures
  • ensure you have appropriate security in place
  • train your staff on GDPR thoroughly

What key changes will impact marketers?

There are three main changes that GDPR will bring in that affect marketers. These are:

  • Increased territorial scope: If you are processing personal data of EU citizens, you must comply with GDPR regardless of where your company is based.
  • Penalties: Companies can be fined up to 4 percent of their annual turnover or 20 million euros (whichever is greater) for non-compliance.
  • Consent: GDPR has set a new standard of consent.

Of these changes, the new standard of consent will have the biggest impact for email marketing. Here’s how GDPR defines consent:

“Consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

What does the new standard of consent mean for email marketing?

So, what do email marketers need to consider when it comes to consent? Under GDPR consent needs to be:

  • unbundled
  • active
  • clear
  • granular
  • named
  • easy to withdraw
  • documented

We explore each of these elements below:

Unbundled consent

Under GDPR consent must be “unbundled”. This means that requests for consent must be separate from other terms and conditions.

Consent should not be a precondition of signing up for a service, unless it is necessary for that service.

Active opt-in

Pre-ticked opt-in boxes are invalid under GDPR.

This means marketers must use unticked opt-in boxes or similar active opt-in methods, for example giving users a binary choice where each choice is equally prominent.


Clear

The language used to request opt-in must be clear. Confusing double negatives or other vague ways of presenting choices are not allowed under GDPR.

The way opt-in questions are phrased needs to be explicit, clear, and easy to understand.

Here’s a great example from Sainsbury’s that makes the user actively choose to opt-in or not, in simple, easy to understand terms:

[Image: Sainsbury's opt-in example]


Granular

To aid clarity, GDPR encourages marketers to get granular.

Marketers need to give granular options wherever possible. This is to allow people to consent separately to each different type of processing or contact (e.g. email, text, post).


Named

GDPR requires that companies name themselves and any other third parties on whose behalf they are requesting consent.

It is not enough to just define categories of third party companies. You must list every party out, explicitly naming them to allow informed consent to each party to be given.

Easy to withdraw

Under GDPR companies have to tell people they have the right to withdraw their consent at any time and make it clear how to do this.

It should be as easy to withdraw consent as it was to give it. And it goes without saying that hiding your unsubscribe button is an absolute no-no.


Documented

GDPR requires consent to be documented. As such, companies must keep records that demonstrate:

  • what each individual has consented to
  • what they were told
  • when they consented
  • how they consented

What about legacy data?

GDPR also applies to legacy data. This means that any data collected before GDPR was ratified must still be compliant.

It is important, therefore, for companies to make sure that their data audit includes all of their legacy data. Marketers will then need to carry out re-permission campaigns to update the permissions they hold.

So, what’s the best way to go about this? A strong re-permission campaign email won’t just ask the recipient to verify their contact details and preferences. It will detail the benefits of consenting to receive email marketing.

Treat a re-permission campaign as a chance to remind your customers what’s great about receiving emails from you. This will encourage them to give consent and means they are more likely to engage with your future campaigns.

What opportunities does GDPR offer marketers?

If your existing lists aren’t GDPR compliant, GDPR requires re-permission campaigns. This may mean your company ends up with a slightly smaller email list.

But this isn’t necessarily a bad thing. A longer email list does not always equal more engagement.

Re-permission campaigns mean that you may end up with fewer subscribers, but those that actively decide to stick with you will inevitably be more engaged.

Increased engagement may well lead to a rise in conversions and a boost to your bottom line.


GDPR does not have to cause your team stress. It is a chance to cleanse your data and brings about a positive shift in the way we treat consumers’ personal details.

GDPR may mean you end up with a smaller list. But it could also lead to a significantly more engaged subscriber base—which can only be a good thing.

By following the steps we’ve outlined, your team will be making good progress as May approaches.

However, we recommend that you do further reading and seek independent legal advice on compliance to make sure you’re hitting the mark.
