The Email Savant Series: 5 Simple Steps For Aligning Email with GDPR

Written by Mark Vogel

April 26, 2018

There has been a great deal of media coverage lately about privacy, and who owns your personal data. Facebook is the highest-profile entity embroiled in this debate, but businesses of all sizes utilize data to send relevant messaging to their target audiences. If you have an e-newsletter, your email marketing program can tell you who received your message, if they opened it, if they clicked on a link, and so on. If you sell products online, it’s easy to follow up with an email that says, “Since you bought Product X, you might like Product Y…”. With that in mind, you may have read about an upcoming regulation called GDPR and wondered if it will impact your email marketing strategy. This blog will help you determine if it will affect you and what steps to take if it does.

GDPR stands for General Data Protection Regulation. It is a regulation in European Union law on data protection and privacy for all individuals within the EU, and it takes effect on May 25, 2018. The GDPR is intended to ensure continued, stringent protection and enforcement, and to simplify the regulatory environment for global organizations. Advanced technology like cloud computing has intensified the focus on data protection.

So, you say “I’m in the US, so I’m not bound by EU regulations!” Actually, you are – if you hold Personally Identifiable Information (or PII) on any resident of the EU. A simple email address is considered PII. Let’s be clear. This is NOT a major issue for most small- to mid-sized businesses! The regulators will focus primarily on the big offenders first. Multi-national companies that store massive banks of data are scrambling right now to comply – such as banks, insurers, healthcare institutions, major publishers and so on. But even though your risk isn’t large, it isn’t zero. And, unless you’re one of those huge data aggregators, the steps you can take to ensure compliance with your email marketing efforts are NOT expensive or difficult to implement.

Step One: Determine Level of Risk

Does your organization store relatively large numbers of email addresses from residents worldwide, say, more than 10,000? This applies not only if you OWN the data, but also if you PROCESS the data. GDPR identifies both the “controllers” of the data and the “processors” of the data as equally liable. Advertising agencies, IT consultants and email marketing firms who manage client databases and send email messages on behalf of other companies to EU residents (whether B2C or B2B) need to implement GDPR compliance efforts.

Step Two: Identify the Sources

GDPR requires that brands collect affirmative consent that is “freely given, specific, informed and unambiguous.” That means if you are emailing large numbers of messages to purchased or rented lists, you need to purge those addresses. Sorry, but email lists are going to shrink – it’s the “new normal.” Don’t collect more data than you need.

Update your Privacy Policy to follow the new guidelines. For example, you will need to explain your legal basis for processing the data, how long you keep the data and that your data subjects have a right to contact the proper authorities if they believe their data privacy complaint was not resolved directly by your organization.

Step Three: Audit Your Collection Processes

What does your sign-up form look like? Pre-checked boxes that automatically sign up a visitor to your email marketing messages are not allowed under GDPR. For example, if you ask for an email address in order to download a whitepaper, that does not imply consent to continue sending marketing emails at a later date. Add a checkbox (not pre-checked, obviously) that states “Yes, I’d like to receive occasional emails from you on your products and services” or something to that effect. If they check the box, you’re good. If not, just give them the whitepaper and don’t archive that address.

Don’t bury consent wording in your Privacy Policy or Terms and Conditions. It must be clear and overt at the point of sign-up. It helps to add some reassuring wording on sign-up pages such as “We never share or rent our lists, and you can easily unsubscribe at any time.” Adding a double opt-in process helps ensure that you have clear, unambiguous consent from the subscriber.

Step Four: Locate the Data

Today’s cloud-based computing means that copies of data can reside on multiple servers, not to mention the copies of Excel docs made by your team that may reside on their office desktop or personal laptop. Clearly define where email marketing data goes once it enters your possession. Ensure that everyone in your organization understands the rules. Determine who has access to the data, and routinely change login credentials, especially when someone leaves your organization.

Identify any vendors who might have access (email marketing pros, email service provider platforms, IT consultants, or temp workers), and ensure they understand the rules as well.

Step Five: Keep Records

Keep records of what you are doing to prepare for the GDPR and be ready to share those records if asked by the EU authorities: how did you acquire the email marketing data, and can you prove that the consent to provide the data was “freely given, specific, informed and unambiguous”? This proof is a requirement under a new “accountability” concept included in the GDPR. Create a checklist of all processes and share it with everyone in your organization. Develop procedures to detect, report and investigate a data breach.

Data subjects will now have the right to request that their information be completely erased from all servers. This is not optional. By keeping accurate records of the data collection and storage process, you should have no trouble meeting this requirement when asked.
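The consent rules from Step Three (no pre-checked box, whitepaper delivered either way, double opt-in) and the record-keeping and erasure duties from Step Five, modeled as an added Python example that is not part of the original post. The class and method names and the sample sign-ups are assumptions made for illustration.

```python
# Added example (not from the original post): a toy consent ledger applying the
# article's rules. All names are assumptions, not a real library's API.
from dataclasses import dataclass
from datetime import datetime, timezone
import secrets

CONSENT_TEXT = ("Yes, I'd like to receive occasional emails from you "
                "on your products and services")  # wording shown beside the box

@dataclass
class ConsentRecord:
    wording: str           # exact checkbox text the subscriber saw
    source: str            # which form or page collected the address
    requested_at: str      # UTC time the box was ticked
    confirmed_at: str = "" # set only after the double opt-in click

def _now() -> str: return datetime.now(timezone.utc).isoformat()

class ConsentLedger:
    def __init__(self) -> None:
        self._records = {}  # email -> ConsentRecord: the evidence a regulator could ask for
        self._pending = {}  # confirmation token -> email

    def handle_signup(self, email: str, source: str, box_ticked: bool = False):
        # The whitepaper is delivered either way; the address is kept only if
        # the visitor actively ticked the box (default False: never pre-checked).
        if not box_ticked:
            return None
        token = secrets.token_urlsafe(16)  # would go into the confirmation email
        self._pending[token] = email
        self._records[email] = ConsentRecord(CONSENT_TEXT, source, _now())
        return token

    def confirm(self, token: str) -> bool:
        # Double opt-in: only a valid, unused token makes the consent usable.
        email = self._pending.pop(token, None)
        if email is None or email not in self._records:
            return False
        self._records[email].confirmed_at = _now()
        return True

    def mailable(self):
        # Only addresses with confirmed consent may receive marketing email.
        return sorted(e for e, r in self._records.items() if r.confirmed_at)

    def erase(self, email: str) -> bool:
        # Right to erasure: drop the record and any outstanding token for it.
        self._pending = {t: e for t, e in self._pending.items() if e != email}
        return self._records.pop(email, None) is not None
```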

Compliance with the GDPR for email marketers doesn’t have to be costly or a burden on your business. In many respects, these are best-practice actions you probably should have been following all along. Other countries will be watching the GDPR enforcement and fine collection process and success, and very well might implement similarly strict data protection rules. Now is the time to ensure that your organization has taken the five steps listed above. If you don’t have the internal resources to ensure compliance, hire an outside professional.

Mark Vogel is president of Vogel Marketing Solutions LLC and serves as a lead email consultant for Nxtbook Media. He has more than 35 years of experience in the marketing world and has been actively engaged in email campaigns for more than 20 years. His email marketing clients include Fortune 500 companies, e-commerce retailers, non-profits, local businesses, and more. He can be reached at
