Hlib Kliuiko

Technical Writer

Email marketing perspectives from the GDPR standpoint + rescue checklist

Email Marketing Perspectives from the GDPR Standpoint + Rescue Checklist

General Data Protection Regulation (GDPR) are new rules to regulate the use and protection of European Union citizens’ personal data that will come into force on May 25, 2018. Inter alia, this new statute means that email marketing process will be significantly changed. So if you send newsletters to any of the 28 EU countries, you will have to follow these rules.

GDPR is coming

Previously, the European traffic was regulated by the EU E-Privacy Directive that was rather recommendative. The new standard has a real legal force. For its violation, a fine of 20 million euros (or 4% of brand’s total annual turnover if it exceeds the specified amount) has to be paid.

To avoid this, you need to do the following things properly:

  • collect,
  • use
  • and store personal data.

Collection and use of information

A user should be completely aware of how and why his or her personal data will be used and completely accept it. Accordingly to GDPR email security, the procedure is to be done in the following way:
A user puts a checkmark in the subscription form; this way he confirms that he is informed of all the terms and conditions and agrees to receive emails from you.
Then, it would be good if he goes to his inbox and confirms the subscription once again - for this purpose you need to configure Double Opt In (DOI).

Note: now it’s prohibited to put the default agree to checkmark in advance, as it was often practiced before. A user has to put it by himself.

Now let’s imagine that you want all your newsletters to contain relevant info and to be delivered right at the subscriber’s most convenient time. For this purpose, it is necessary to collect not only addresses but other specific data: views statistics, open rate etc.

If you are going to add a person to campaign where CTR is tracked, don’t forget to warn him about it. Get client’s permission if you need to track the open rate. Want to give a piece of advice about the interests... well, you know.

Warn your customer about the way you are going to use his data

Data storage

collect affirmative consent

With new requirements of GDPR, all the consents a newsletter and its terms properly received must be stored - it will be the only protection in case of some incident.

Permission documenting 

GDPR rules for email marketing prescribe that you must be ready to provide the "provable permission". It should contain the clear information regarding the person who agreed to your terms and conditions, when it was confirmed, what personal data subscriber allowed to use, and the way he or she did all that. However, the mechanism of documenting and data storage is not regulated in any way. For example, our system registers the time, date and subscriber’s IP address as well as subscription forms with confirmed consent.

Documenting and providing storage conditions. Right to be forgotten

You need to document where the data is stored, who and when has an access to it and the way the technical security of servers is provided. In general, providing a steady state of user's personal data security is crucial.

Be advised that subscriber may demand a copy of all his personal data you store. You must provide it within 30 days.

In addition, a subscriber has the right to be forgotten - you must exclude him from all the marketing campaigns and delete all his personal data upon his request.

What about your current database?

If you have subscribers without subscription confirmations you will have to request it again... or unsubscribe from the newsletter list all the recipients who don’t have all the required documents.

Confirm subscription of existing subscribers

Who is responsible?

Accordingly to GDPR email security, two subjects are involved in email marketing: Controller and Processor.

A controller determines the goals and means of processing personal data (eCommerce).

Processor’s function is to process personal data on behalf of Controller or provide tools for this purpose (Email Service Provider).

A controller is responsible for collecting, storing and using personal data. Article 28 (1) states that:
"The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject".

So pay attention not only to template editor or automation options but also to service accordance with GDPR email security requirements when choosing ESP now. Especially regarding the email marketing aspects, you are going to purely entrust your email provider.

Responsibility of a Controller and a Processor is different

What strategy should be followed?

The easiest way is to block the European traffic and unsubscribe all the clients who have European IP. The disadvantage of this approach is pretty obvious.

You can develop two different subscription forms, for the Europeans and for the rest. But then firstly you may simply get confused and mistaken. And secondly - there is no guarantee that requirements of GDPR for email will not become relevant for other countries legislation in the nearest future.

So if European traffic is important for you, it’s better to develop email marketing strategy in accordance with the new GDPR rules for email marketing. In addition, following these demands you will significantly improve your database quality, reduce the number of unsubscribes and spam complaints, get rid of extra expenses for newsletters to those who are not interested.

So, after all, a preferable way is to configure the whole process accordingly to the new GDPR email security requirements. It is obvious that it may cause the contact database redux and its growth temps may decrease in the beginning. But our platform has several ideas how to minimize your losses.

Our recommendations

Advice about GDPR compliant


First of all, make sure that all subscription forms include checkboxes with clear checkmark field for a user to confirm that he is informed and accepts your terms and conditions. By the way, they should be clearly formulated - this aspect will be also monitored.

A problem with the checkmark is that most people don’t like to make a choice. They are used to agree with the default conditions. For example, 4650 trees in the Rutgers University area were saved in three years just by a simple change of printer settings - there was two-sided printing set by default.

Of course, saved trees is a good thing. But failed subscriptions are not.

Only active choise!

This problem has an easy solution: no more choices by default. Provide an additional checkbox for users to make some choice. It completely depends on your offer relevance what choice will be made.

One more piece of advice: specify the offered choice. Give a client an option to decline the personalized UTM tracking but agree, at least, to a regular promo campaign. The same goes for unsubscription - specify what the subscriber exactly wants to decline.


The new rules require user’s ACTIVE subscription confirmation. Certainly, logging in inbox and re-confirmation via email are actions of this kind. In addition, the procedure ensures that email address is real and belongs to a person who wants to subscribe.

Use Double Opt-In

DOI is your reliable insurance against spam bots, email cheaters, and fake subscribers. Using a double subscription you will reduce spam complaints and bounce rate, increase open rate and click rates.

So we recommend making double opt-in a default process for all new subscribers. By the way, we not only provide our customers with a free subscription form but also help set double confirmation scenario.

Re-subscription for existing clients

To document the permission of already existing subscribers you will need to send them special GDPR transactional emails with a request to subscribe once again. The main thing to remember is that transactional emails are not supposed to be formal and boring. Design an attractive message, provide some bonus. Ask what kind of information subscribers really want to receive.


Those who read you will undoubtedly re-subscribe, and those who do not - will stop ruining your newsletters reputation.

It’s time to send these GDPR transactional emails right now and to determine your unsubscribe algorithm. After all, only some will perform the target action immediately: someone will not receive the email, others may not open it ... After May 25, it will be too late to do anything.

25.05.2018 - deadline for GDPR compliance

We recommend configuring a multichannel scenario to re-confirm subscription. It may end with a message "if you won’t confirm the subscription in ... days we will have to remove you from our mailing list".

Entrust the personal data storage to specialists!

We can’t solve this issue without programmers. So you need either to form a department of relevant specialists or to trust your ESP.

Our platform will kindly help you develop all the processes you need. If you have some questions, suggestions or wishes, feel free to contact our support service.


Is GDPR email security really that scary?

Not at all. Of course, you can not avoid the problems if your contact database was bought. But for those who have been professionally engaged in email marketing, there shouldn’t be any extra difficulties. After all, the main principles of new legislation are transparency and security. It would be quite desirable for each of us as it protects us from annoying calls from bank clerks, from spam overloading our inboxes, trash SMS with some irrelevant stuff and from other "benefits" of unprotected personal data.

In fact, GDPR for email is not a problem but an opportunity. A way to improve your contact database quality, optimize data storage, make email campaigns much more desired (and therefore more effective).

So, if you need some help, we are always here!

GDPR: Checklist for B2C

1. Awareness

  • Inform all your staff working with personal data about the GDPR email security requirements.
  • Let them know about responsibility in case of violation.
  • Make a list of risks (name, priority, consequences, solution ways...)

2. Documentation

Register all the stored data: it’s owners, how and when it is used, the way you got it. 

3. Privacy Policy informing

Provide users with an information about the data you collect and the way you plan to use it. Everything should be stated clearly.

Privacy Policy informing

4. Ability to enforce rights

GDPR rules for email marketing declare the following rights for individuals:

  • right to awareness;
  • right to receive personal data in digital format (in 30 days);
  • right to edit;
  • right to remove;
  • right to limit processing.

5. Obtaining the permission

Permission to use personal data must be free, specific, informed and unambiguous. It must be active - it cannot be obtained via default checkmark.

Permission must be obtained for each type of data you are going to collect. A user should be aware how exactly you are planning to process the data.

Such permission should be obtained from all subscribers regardless of when they were signed up. That is if there is no documented confirmation for subscription in existing database - you have to obtain it.

6. Special requirements for children

You should be able to check user’s age. A person has a right to give independent permission to use his or her personal data from the age of 16 in the entire European Union (except Britain where this age is 13). If user’s age is less - you need to obtain the permission from parents or guardians.

Ask about the age

 It’s mostly relevant for eCommerce. Therefore, the privacy policy should be written in the simple language that even children may understand. 

7. Reports about confidentiality violation

General Data Protection Regulation requires the mechanisms developed to detect violations, investigate their causes and inform the relevant authorities - usually that is Information Commissioner's Office (ICO).
It especially concerns the violations that may cause

  • discrimination, 
  • reputation damage, 
  • financial losses, 
  • Confidentiality violation
  • or any other significant economic or social troubles.

In the notification, it should be indicated who may be affected by the consequences of violation. 

8. International regulation

If you process the data received from citizens of several EU countries you must appoint the central regulatory institution and register it.

Special requirements for specific information

9. Data Protection Officer

This employee is needed by:

  • state officials;
  • organizations that regularly and systematically monitor the personal data on a particularly large scale;
  • organizations engaged in the large-scale processing of specific data categories such as medical or criminal entries.

10. Data protection by assessing privacy impacts 

Required when specific data categories are processed on a large-scale (medical entries, religion, sexual orientation etc.)


All comics ideas are borrowed from gdprtoons.com

5.0 from 5 based on 3 reviews

Hlib Kliuiko

Technical Writer

Comments 0

Similar Articles

Data science on duty of email marketing specialist

04 September 2017

Data Science on Duty of Email Marketing Specialist

Sergii Kovalenko

Analysis of Data and RFM Segmentation

25 February 2015

Analysis of Data in E-Marketing. Part 2: RFM Segmentation

Dmytro Kudrenko

What is a Customer Data Platform? Why does your business need one?

15 December 2018

What Is a CDP (Customer Data Platform)?

Kateryna Milokhina