What is GDPR and how will it affect your email marketing strategy?

There are fewer than 100 days to go before the new General Data Protection Regulation (GDPR) comes into force – yet according to research by the Direct Marketing Association (DMA), only 54% of businesses expect to be compliant by the 25th May deadline. This article doesn’t constitute legal advice, but we wanted to clarify a few key points – based on our understanding of the information available – to help ensure you don’t get caught out by the new regulation.



The main point of the GDPR is to give people ownership of their personal data, and to give them more say over what companies can do with this data. It means that, once the legislation comes into effect, companies must ensure that any personal data they hold is used lawfully, transparently and for a specific purpose. Under the new regulation, individuals will also have the right to withdraw consent for this data to be used at any time, as well as the right to access any personal information stored about them – and have this permanently erased at their request.

Names, addresses, phone numbers, email addresses, even IP addresses – basically anything that makes an individual identifiable – all count as personal data under the GDPR. And this not only includes customer data, but also any prospect data that you hold – for example a purchased list, or details captured in an enquiry form.

If you ignore this important new regulation, you run the risk of a penalty of up to €20 million or 4% of your global annual turnover – whichever is greater. Any data breaches within your business must also be reported to the Information Commissioner’s Office (ICO) within 72 hours of them being discovered. Failure to do this could result in a fine of either €10 million or 2% of your annual revenue, again depending on which is greater.

This may all sound rather daunting, but don’t worry – there are a few basic measures you can take to ensure that any data you hold, or collect in the future, is GDPR compliant…



Don’t wait until the 25th May to start thinking about getting your processes up to speed. You will need this time to review any existing databases you hold, and to decide how you are going to make them compliant – or how you are going to change your marketing strategy, so that you no longer need to use them. Likewise, by making your data collection processes compliant now, you’ll ensure that any data you acquire between now and then can still be used after the deadline, in line with the new regulation.

First, start by mapping out a flow diagram of all the methods by which you are gathering personally identifiable information about your customers or prospects. You need to know exactly where you acquired the data from, and how. You must also document your reasons for holding or using this data, and be able to justify those reasons on a person-by-person basis. So you need to decide exactly which marketing activities you intend to carry out, and which ‘legal basis’ you will use to justify the use of the data as part of that activity. There are two options to choose from – Legitimate Interests or Consent.



Legitimate Interests are based on a company’s right to carry out commercial activities, such as direct marketing. If you already have a relationship with an individual – for example they are an existing client and hence wouldn’t think, “Why am I receiving this piece of marketing?” – then you can use this ‘legitimate interest’ as your legal basis. But the same justification would not apply if you were contacting a prospect with a sales message, where they have no previous relationship with you.

If you use this legal basis, then you will have to inform people as to exactly how you plan to use their data, at the time of collection – and you must always allow the individual to opt out. This should all be explained as part of your documented Privacy Policy – which must be written in plain English and broken up into clear sections, to make it easy for the reader to understand. One last point to bear in mind – this route cannot be used if you have already asked an individual for consent, and they have refused.



If you choose Consent as your legal basis for using personal data as part of your marketing activities, then this consent will need to be given as an active, affirmative action – meaning that the individual will need to ‘opt in’ rather than ‘opt out’. Consent given for data use, including for marketing purposes, must be ‘freely given, specific, informed and unambiguous’ – so you need to be detailed about what exactly you plan to do with a person’s data, and you must keep a record of how and when their consent was given.



If you have already been obtaining explicit consent to contact every person on your database for marketing purposes, and have kept all of the necessary records of this, then you can happily continue using this as normal. However, if not, then you will need to rethink your data collection processes, and possibly your email marketing strategy as well.

If you have a large database and you cannot be certain how you obtained each person’s information, or whether they have consented to being contacted (and when!), then unfortunately you will not be able to use this data for marketing purposes in the future. However, you may still be able to market to existing consumers under the legal basis of ‘Legitimate Interests’.

Our advice would be to consider what value you are offering to your audience through email marketing, and the actual results you get from your current strategy. If you are already producing insightful and original content, or offering people deals they just can’t resist – then they are likely to be happy to ‘opt in’, in order to continue receiving these emails from you. You just need to ask them to do this before May 25th.



It’s all about weighing up the results you get with the amount of time and work it will take to bring your database, and your future data collection processes, up to the required standard. But if you receive a significant number of leads or sales as a direct outcome of email marketing, then surely it is worth pursuing?

Having said that, Wetherspoons is just one example of a company which has decided to stay completely clear of all email marketing in the future. Following a data breach in December 2015, the brand is being justifiably cautious and, as a result, has chosen to get rid of its entire email mailing list – which held data on nearly 700,000 customers. The company will now promote all offers and events on its website and social media pages instead. It’s a good option, which is unlikely to have a detrimental effect on this particular brand’s marketing efforts.

So all is not lost if you decide email marketing is no longer a viable solution for your business. Social media is an excellent alternative for raising awareness of your brand, and promoting your products or services. It also provides you with a platform for sharing other content, such as blog posts or news updates. Digital advertising, such as Google ads, can also ensure you get your brand in front of the right people – and it can often be carried out for a far lower budget than you might expect.

But if you do decide that email marketing is still worth pursuing, then we would recommend seeking advice from a trusted and experienced authority, such as Trunomi or Commvault – or going through this useful checklist from the DMA, to ensure you’ve ticked every box ready for the 25th May…


Whether you ‘opt in’ to email marketing, choose to grow your presence on social media, or decide to venture into the world of Google ads – we can help you, with our range of digital marketing services. To find out how, please email anna@shinecreative.co.uk.