I’ve been reading a lot lately about GDPR and email marketing and I keep seeing the same information – essentially a list of GDPR requirements and an explanation of what they are. However, what does this mean for small businesses in practice? What do you actually need to do to ensure your email marketing is GDPR compliant?
I wanted to put a few tips together that would help my clients and other small or medium-sized businesses get started on this process. Oh, and before you think ‘I’ll do this next month’ or ‘I’ll come back to this later’ – don’t! Get going now and avoid a last minute panic in May when GDPR becomes a legal requirement.
Before I start, I wanted to give a quick thank you to the GDPR experts over at JS Data Protection Advisors Ltd for checking the information in this blog. Or, if you would like someone to just do this for you then get in touch for a chat about how I can support with email marketing.
What is GDPR?
In brief, the General Data Protection Regulation (GDPR) is new data protection legislation that applies from 25th May 2018. The regulation has been designed to give people greater rights over how their data is used, handing power back to individuals. It sets much stricter requirements for gaining consent and for using an individual's data. Failure to comply with the GDPR could lead to costly fines: the maximum is €20 million or 4% of annual worldwide turnover, whichever is higher.
Don’t worry if you haven’t given much thought to GDPR and your business yet, there’s still time to get ready.
GDPR and email marketing – where to start
Register with the ICO
If you haven't already done this, you should register with the Information Commissioner's Office (ICO). Organisations that store and use data that can identify an individual person – which, let's face it, is pretty much every business out there – must register unless one of the ICO's exemptions applies, and the self-assessment on the ICO site will tell you whether you qualify for one.
https://ico.org.uk/for-organisations/register/
Have you registered with the ICO?
Requirements for processing personal data
Your starting point when reviewing your database should be the six lawful bases for processing personal data. The image in the original post, from JS Data Protection Advisors, outlines them; in the ICO's order they are:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
For most small businesses undertaking email marketing, you will probably fall into the first category, 'consent', or possibly the last one, 'legitimate interests', depending on the purpose and content of your emails. Bear in mind that the Privacy and Electronic Communications Regulations (PECR) also apply to marketing emails sent to individuals and, apart from a narrow 'soft opt-in' for your own existing customers, require consent, so 'legitimate interests' on its own rarely covers a marketing email list.
For more detail on the six lawful bases for processing data visit the ICO website.
Whichever legal basis you choose, ensure that you log why and how you comply with it – and if in doubt, seek specialist support.
From a marketing good practice perspective, I would recommend opting to get ‘consent’ for your email marketing.
Consent
One of the most important considerations for small businesses that send marketing emails is gaining consent to do so. You can't assume you may email people because they used your service or bought your product, or because you met them once at an event and they handed you a business card. Equally, you can't use pre-ticked boxes or bundle the marketing opt-in with your terms and conditions.
Under GDPR, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action (the 'explicit' consent the GDPR demands for special category data is a higher bar again). So, start by looking at your sign-up process and ensure:
- People have to actively opt-in to receive your emails
- You explicitly state what they are signing up to (be careful and clear in your wording)
- People know how you will use their information when they sign up (link to your privacy policy – and ensure this is also up-to-date with GDPR requirements)
- You give the company name at the point of consent, along with the name of any third party who will rely on that consent.
The ICO's draft GDPR consent guidance lists active opt-in methods including:
- Signing a consent statement on a paper form
- Ticking an opt-in box on paper or electronically
- Clicking an opt-in button or link online
- Responding to an email requesting consent
- Answering ‘yes’ to a clear oral consent request.
Have a think about how you gain explicit consent to communicate with your contacts – what can you do going forward to ensure they are actively opting in?
Evidence
Once you are happy that your opt-in process meets GDPR standards, you’ll need to consider how you document that consent has been given. GDPR requires you to keep a record that can demonstrate you acted lawfully in gaining consent to email people.
Your consent documentation must include:
- Who gave consent
- When they gave it (a specific date)
- How they gave it (e.g. ticked a box online, signed a form, clicked a link in an email)
- What you told them you would use their information for.
Have a think about how you can document consent.
Also, crucially, under the 'how they gave consent' heading it isn't enough just to state how they gave it. You must keep evidence of how they gave it. This might mean keeping the paper form they signed, the email they replied to or the web form they completed, and the exact wording they saw at the time. Ensure each piece of evidence is dated.
NB. Don’t miss this step out thinking it will be too much hard work or it isn’t important – evidencing consent is an essential part of legally complying with GDPR.
Withdrawing consent
Under GDPR you must make it as easy for people to withdraw their consent as it was to give it, and you must tell them that they can. If you use an online service such as MailChimp then an unsubscribe link is included as standard in every email.
Don't forget to remove those contacts from any other mailing records you keep separately, but keep a minimal suppression record (the address and the date they unsubscribed) so that they can't be re-imported later from an old spreadsheet. And ensure your privacy policy explains that people can withdraw their consent and how to do it.
Have you made it easy for people to unsubscribe from your email marketing? Do you then remove them from your other mailing records too?
Refreshing consent
If you've worked through the sections above then you should be on your way to meeting GDPR email marketing requirements for new opt-ins. However, what about your current database? Did you gain valid consent from every contact you email? How old are your records? And have you documented that consent?
If you are confident that you already meet GDPR standards then there is no need to refresh consents. If, however, they don’t meet the new requirements or are poorly documented then you may need to seek fresh GDPR-compliant consent or stop using the data.
This could mean contacting your database, perhaps through your regular email newsletter, to ask people to opt in and reconfirm their subscription. However, if you decide to refresh consent, be careful that you don't email anyone who has previously opted out or for whom you have no evidence that they originally consented: a 're-consent' email sent to someone who never validly consented is itself unsolicited marketing, and in March 2017 the ICO fined Flybe and Honda for emailing people in exactly that position to ask about their marketing preferences. If in doubt, seek legal or specialist advice before sending any generic 'opt-in' style emails.
Also, why not make this exercise an opportunity to do some analysis of your email marketing list. Search your data to see who hasn’t opened your emails recently. If recipients haven’t opened an email from you in a year then consider removing them from your list. If they haven’t opened anything from you in two years then definitely remove them.
Culling your data in this way may feel counterintuitive, but there’s no point spending your marketing budget on emailing people who don’t engage with you and will probably never buy your product. As a small business, targeting your marketing spend on warmer leads and converting them into sales is much more cost-effective and productive.
Review your current database – do you have evidence of consent? Do you need to delete people who haven’t interacted with you for a long time?
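The record-keeping in the Evidence section, the suppression list from Withdrawing consent and the "who may I email, who may I ask again, who must I stop using" decisions from Refreshing consent all fall out of one small consent ledger. The following is an added example, not the post's own tooling or any mailing service's API: the field names, method names and the six sample subscribers are constructed for illustration, and hashing the retained copy of the form or email is an addition of mine so that the evidence can later be shown not to have been altered.

```python
"""Consent ledger for a marketing email list (illustrative example, not the post's own code).
Stores who / when / how / what for each consent, a hash of the retained evidence,
a suppression list for withdrawals, and the checks needed before a normal campaign,
a re-consent campaign, or a list clean-up."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Opt-in methods the ICO draft consent guidance lists as a clear affirmative action (names assumed).
ACTIVE_OPT_IN = {"paper_signature", "ticked_box", "online_button", "email_reply", "oral_yes"}
# Ways contacts end up on lists that do NOT count as consent under GDPR; kept only so
# that imported legacy records can be flagged instead of silently emailed (names assumed).
INVALID_METHODS = {"pre_ticked_box", "bundled_with_terms", "assumed_from_purchase"}


@dataclass
class ConsentRecord:
    email: str                      # who gave consent
    given_at: datetime              # when (timezone-aware)
    method: str                     # how
    purpose: str                    # what they were told the data would be used for
    controller: str                 # company name shown at the point of consent
    evidence_sha256: Optional[str]  # hash of the retained form/email copy; None if nothing was kept
    withdrawn_at: Optional[datetime] = None
    last_opened_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self.records: dict[str, ConsentRecord] = {}
        self.suppression: set[str] = set()  # outlives the record so nobody is re-imported later

    def record_consent(self, email: str, given_at: datetime, method: str, purpose: str,
                       controller: str, evidence: Optional[bytes],
                       last_opened_at: Optional[datetime] = None) -> ConsentRecord:
        if given_at.tzinfo is None:
            raise ValueError("given_at must be timezone-aware")
        if method not in ACTIVE_OPT_IN | INVALID_METHODS:
            raise ValueError(f"unknown consent method {method!r}")
        if not purpose or not controller:
            raise ValueError("purpose and controller must be recorded with the consent")
        digest = hashlib.sha256(evidence).hexdigest() if evidence is not None else None
        key = email.strip().lower()
        self.records[key] = ConsentRecord(key, given_at, method, purpose, controller,
                                          digest, last_opened_at=last_opened_at)
        return self.records[key]

    def withdraw(self, email: str, when: datetime) -> None:
        key = email.strip().lower()
        self.suppression.add(key)          # suppress even if we hold no record for the address
        if key in self.records:
            self.records[key].withdrawn_at = when

    def _valid(self, rec: ConsentRecord) -> bool:
        return (rec.withdrawn_at is None and rec.email not in self.suppression
                and rec.method in ACTIVE_OPT_IN and rec.evidence_sha256 is not None)

    def can_email(self, email: str) -> bool:
        rec = self.records.get(email.strip().lower())
        return rec is not None and self._valid(rec)

    def refresh_candidates(self) -> list[str]:
        """Evidenced but sub-standard consent: these may be asked to re-confirm."""
        return sorted(e for e, r in self.records.items()
                      if r.withdrawn_at is None and e not in self.suppression
                      and r.evidence_sha256 is not None and r.method in INVALID_METHODS)

    def stop_using(self) -> list[str]:
        """No evidence of consent at all: must not be emailed, not even to ask for consent."""
        return sorted(e for e, r in self.records.items()
                      if r.withdrawn_at is None and e not in self.suppression
                      and r.evidence_sha256 is None)

    def inactive(self, now: datetime, days: int) -> list[str]:
        """Validly consented contacts with no open for `days` (falls back to the consent date)."""
        return sorted(e for e, r in self.records.items()
                      if self._valid(r) and now - (r.last_opened_at or r.given_at) > timedelta(days=days))


def build_sample_ledger() -> tuple[ConsentLedger, datetime]:
    """Constructed sample subscribers, not real data. 'now' is fixed so results are reproducible."""
    utc = timezone.utc
    now = datetime(2018, 3, 1, tzinfo=utc)
    form = b"constructed copy of the submitted web form"  # the retained evidence, hashed on entry
    l = ConsentLedger()
    l.record_consent("alice@example.com", datetime(2018, 2, 1, tzinfo=utc), "ticked_box",
                     "monthly newsletter", "Example Ltd", form, datetime(2018, 2, 20, tzinfo=utc))
    l.record_consent("bob@example.com", datetime(2016, 5, 10, tzinfo=utc), "pre_ticked_box",
                     "monthly newsletter", "Example Ltd", form)           # legacy: ask again
    l.record_consent("carol@example.com", datetime(2015, 1, 5, tzinfo=utc), "ticked_box",
                     "monthly newsletter", "Example Ltd", None)           # no evidence: stop
    l.record_consent("dave@example.com", datetime(2017, 1, 1, tzinfo=utc), "online_button",
                     "monthly newsletter", "Example Ltd", form)
    l.withdraw("Dave@example.com", datetime(2017, 6, 1, tzinfo=utc))     # unsubscribed
    l.record_consent("erin@example.com", datetime(2015, 3, 1, tzinfo=utc), "ticked_box",
                     "monthly newsletter", "Example Ltd", form, datetime(2015, 9, 1, tzinfo=utc))
    l.record_consent("frank@example.com", datetime(2017, 1, 15, tzinfo=utc), "online_button",
                     "monthly newsletter", "Example Ltd", form, datetime(2017, 2, 10, tzinfo=utc))
    return l, now


if __name__ == "__main__":
    ledger, now = build_sample_ledger()
    print("emailable:", [e for e in ledger.records if ledger.can_email(e)])
    print("ask to re-consent:", ledger.refresh_candidates())
    print("stop using:", ledger.stop_using())
    print("no open in 2 years:", ledger.inactive(now, 730))
```

The point of the split between `refresh_candidates` and `stop_using` is the caveat above: a re-consent email may only go to people whose original (if imperfect) opt-in you can still evidence, while withdrawn addresses stay on the suppression set even after their record is deleted.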
I hope that this blog has given you some helpful pointers in getting your email marketing ready for GDPR. See below for links to further resources from the ICO – keep an eye on their website for future updates and guidance.
If you would like support with your email marketing, including writing, designing and distributing email campaigns and newsletters then get in touch for a chat about your requirements.
Further resources from the ICO:
- Preparing for GDPR: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- Consent (the ICO's draft GDPR consent guidance)
Disclaimer:
The contents of this article are for information purposes only and do not constitute legal advice. It is recommended that you seek legal or specialist advice to ensure GDPR compliance.