
GDPR Compliance - the CLD Guide to the Death (or Rebirth) of Email Marketing

Hey you. Yes, you with the Mailchimp account.

You know those marketing lists you’ve been using for years? Yeah, you’ve got some work to do.

GDPR stands for “General Data Protection Regulation”, and it comes into effect on the 25th May 2018. It essentially redefines personal data across the EU (Brexit or no Brexit, the UK still has to comply, as does anyone who seeks to market to people in the EU).

The intention is to give consumers more control over how their personal data is used.

By making data protection law identical across the whole of the single market, businesses will apparently save 2.3bn euros a year.

So, from 25th May 2018, you have to ensure that any personal data you collect is processed lawfully, transparently, and for a specific purpose.

And I’m guessing you’re now wondering what the word ‘lawful’ means. 

Here are two possible ‘lawful’ scenarios:

  1. The person whose data you are using has explicitly consented to their data being processed. So, in an email context, they have ‘opted in’ to receiving your email. That consent has to be an active, affirmative action – and not a passive one. More on that later.
  2. The person whose data you are using would be at risk if you were not to use that data. For instance, if you manufacture medical devices, and you have a product warning – this is an essential use of their data to communicate. Or if you need to carry out a fraud check within a financial transaction.

Let’s focus on the first scenario, as from a digital marketing viewpoint, this concerns the majority of us.

Consent needs to be active, and so do people

Everyone in your database has to give you explicit consent to receive any marketing communications from you.

This means that you have to go beyond the simple ‘tick box’ on a contact form, and you have to create a double opt-in if you want to market to these contacts subsequently. What’s more, pre-ticking the box does not count.

Inactivity can also count as not giving consent.

So, upon hearing this, you may be like me. You may be thinking: “OK, I’ll just send out an email to my database asking them to consent, and I might have a smaller database but that’s OK.”

No, you can’t do that.

Flybe and Honda tried it, and they were both fined. What they did was nothing out of the ordinary, at least in terms of what we marketers have always done. Flybe sent an email to their database of 3.3m people with the subject line “Are your details correct?”.

This broke current laws, and resulted in a fine of £70,000. Under GDPR, the penalties could extend to 4% of annual global turnover, up to 20 million euros.

Rather a lot for asking your database to update their personal details.

You cannot simply email a database and demand their consent. They explicitly have to give it in the first place. And if you market to people who have deliberately opted out, you are breaking the law.

If you have data, look after it & help users look after it too

Here’s the security issue. If you’re holding data: customer, prospect, newsletter… then users have the right to access that data pertaining to them. So, at any time, people can ask to check the data you hold on them – and what you’re planning to do with it.

There’s also a “right to be forgotten” written into GDPR. So this has to be worked into privacy policies, with an active link for people to find out what information is being held on them.

And be warned: data breaches might result in fines right now, but they’ll result in much greater fines under GDPR. TalkTalk, for instance, will feel mightily relieved that they got away with a fine of just £400,000. Under GDPR, it would have been £70m.

What you need to do

Change your Sign-up Processes

  • Remove any pre-ticked boxes and replace them with an unticked box so users can explicitly give consent
  • Be very clear about why you’re collecting their personal data, and what you intend to do with it, e.g. send offers, send a regular newsletter, etc.
  • Create a double opt-in process, where confirmation is explicitly given via email after the contact has joined the marketing list.
  • This counts even for ‘soft conversions’ such as white papers or brochures. You cannot market to people who download your content unless they have specifically double opted in.

Find a method of storing consent forms

  • If requested, you will have to show these forms, either to the authorities or to the person concerned.
  • That might require you to change email platform.

Adjust your expectations

  • You should immediately review your email database. If you have contacts on that database who have not explicitly opted in, delete them.
  • If you have contacts who have opted in who are not opening your emails, you need to consider at what point this will be considered ‘inactivity’, which implies they need to be removed from your database.

And the future? 

Some crystal ball gazing…

I certainly foresee many smaller organisations getting caught out, and potentially some larger businesses, as recent surveys have shown that very few businesses are up to speed with GDPR. It will take businesses a long time to adjust, and ‘business as usual’ is not an option.

I also foresee Mailchimp’s business model changing. Already, you can see they’ve moved into Facebook advertising and automation, which is a significant move. They are, at least, one of the platforms who can provide good data on opt-ins, and have strict compliance rules, but databases will be getting smaller, and that means smaller subscription fees. They’ll need to find other revenue streams.

And on those same lines, social advertising will probably end up going down the same route. The recent controversies around Cambridge Analytica and political campaigning show that personal data extends beyond simply emailing people. Your Facebook data (likes, behaviour, etc.) is up for grabs, and the question is at what level of granularity the authorities will draw a red line.

Finally - and back to the title of this piece - it’s not the death of email marketing. If you can find a compelling reason for people to sign up to your mailing list, and you can provide engaging content, you’re left with an engaged marketing list. Instead of chasing the 0.1% from a bought list who may engage with you, you will chase the full marketing list, and if you’re able to segment this down to personal preferences, then your engagement rates will be far higher, as inboxes become less saturated.

Got any questions around GDPR? Drop me an email via the contact form, I’ll see if I can help you out.

Want to take your email marketing further? Take a look at our inbound services.