Edinburgh Web Development

Dealing with the GDPR regulations for email marketing

How to prepare for 2018

by Iain Wilson

14 March 2017


There's new email marketing legislation on the way.

It's part of the EU's General Data Protection Regulation (GDPR), due in May 2018.

If you send out any kind of email marketing, you've got work to do.

And because one of the main things you have to do to stay legal is re-permissioning, now is the time to start. Luckily, we can give you some pointers.

What fresh hell is this?

You may well ask.

Right now, the UK's Data Protection Act governs what we can and cannot do when it comes to email marketing. You might think that is a fairly stringent set of rules, but in 2018 the rule-book gets thrown out and is replaced by the GDPR: a brand new set of teeth.

And no matter how diligent (or lax) you've been in the past, you're now going to have to do things differently.

Brexit will save us!

No, Brexit will not make any difference at all. The new legislation is coming.

  1. We'll (probably) still be in the EU at that point.
  2. Even if we weren't, UK legislation will mirror the EU legislation. In fact, the regulations will likely be adopted by most countries, so it's not just an EU thing.
  3. Even if your local legislation doesn't implement it, if you're sending to any EU citizen, you must comply.

How will GDPR affect email marketing?

As you can imagine, GDPR covers a lot of ground, including obligations for the management of 3rd party data, controllers of the data, and a widening of the definition of personal data. Sigh.

One of the key things that applies to email marketing is that it strengthens the rules for obtaining consent and for breach notification.

Most people already know that you can't legally send unsolicited marketing information to people who haven't opted-in to receive it. But for many, the definition of 'opting-in' has been down to almost personal interpretation.

With GDPR, that definition becomes very clear.

But we've been using email marketing for years!

Even if you've been doing all the right things, those things will almost certainly not be enough for GDPR.

If you've been asking people on your website form to tick a box (not pre-ticked) to receive your marketing emails, then you've been doing the right thing. But come 2018, that's not enough.

If you've been emailing people and companies because you already have a 'business relationship' with them, that certainly is not enough either.

What will I need to do?

GDPR will require email marketers to do at least three things they may not be doing right now:

  • Get subscribers to consciously provide affirmative consent to opt-in to a service that is clearly described. Ticking the box for them, taking silence as acceptance, or taking inactivity as acceptance is not acceptable.
  • Be able to prove that each of your subscribers has provided consent. This applies to any current list and future ones.
  • Provide a process for subscribers to ask for and have information on them removed. If you're using an email service (such as Mailchimp), the Unsubscribe facility will stop emails being sent, but you still need to remove any other information you are holding.

Preparing for GDPR

Just how can you provide proof of consent for subscribers who signed up to your current lists years ago?

The answer is that just about no-one can. If you didn't keep all the original opt-in permissions (ROFL!), you will have to get your subscribers to re-permission.

Almost everyone who uses email marketing will need to do this, so as we get near 2018 there will be a flood of companies doing it.

So it might be a good idea to take action now, so you don't get lost in the rush.


How do you get your subscribers to re-permission?

You have the technology. Email marketing.

  1. You send out an email marketing campaign, asking them to opt-in. But you've got to get them specifically and unambiguously to say they want to opt-in themselves.
  2. So, in the campaign email, explain what is going on and ask them to reply to the email using some specific words; for example 'I wish to opt-in to your mailing list for xxxx'. Give them the words as examples or put them into the subject of a return email, to make it easy for them.

Perhaps some of the email marketing services will introduce a facility to help do this. Or maybe it's an opportunity for software companies to build something. But I wouldn't wait.

Now your lists are going to change when you do this:

Your list(s)

The people who regularly open your emails and like them will reply with an opt-in email. You can start a new list with them on it, and remove them from the old one. You also need to make sure you save their email somewhere (see section on Consent Store).

The reason you remove them from the old list is that you're going to send out the email again. You're going to send it to the people who have not responded (try different wording). Go through this process a few times. If they forgot to reply the first time, they may respond to the next email.

Quite a few people on your email list are not going to reply, either because they never open your emails, or don't want to be on the list. After several attempts, if they don't respond, forget about them.

At this point, you will have a new list or lists, which will be significantly smaller than the old one(s). For example, my open rate is around 35% on newsletters, so I would expect my new list to only have around 30-35% of the subscribers from the original list.

Trimming your lists down in this way isn't really a bad thing at all. You'll get rid of uninterested past subscribers and it might actually save you a few pounds if you pay for a service based on number of subscribers.

The additional things you need to do:

Amend your opt-in processes

Make sure that ALL your methods of collecting email addresses are bona fide: no auto-ticking of opt-in boxes, no adding to lists just because someone is a customer or you met them at a networking event. And make it clear what they are opting into, e.g. regular newsletters.

Get proof and keep it in your Consent Store

Most importantly, make sure that when people do opt-in retrospectively and in future, you have some material proof to show they did opt-in.

This will probably be an email showing they have opted-in, and your opt-in process should generate it.

Once you receive it, you must find a way of keeping it. Set up a folder somewhere (your email server, the cloud, a filing cabinet).

In theory, someone from the ICO could knock on your door in a few years' time and ask to see them. Good excuses will not save you from a fine.


If you still want to be sending legal email marketing campaigns after GDPR, you will need to take action.

It's a bit of work, especially if you have multiple lists. But if you want to keep taking advantage of one of the most effective ways of marketing, it's worth it.

Everyone will have to do it, but many will leave it late, so avoid the rush and do it right now!

Blot Design,
10 Colinton Road, Edinburgh, EH10 5DT