Everything You Should Know About GDPR’s Email Guidelines

Jordan MacAvoy, VP Marketing, Reciprocity Labs

November 18, 2020

This is a guest post written by a member of the Reciprocity Labs team. As with any guest post, the opinions stated herein do not necessarily reflect the opinions of rezora. For more on rezora and email data regulations, see here.


The General Data Protection Regulation (GDPR) came into effect in May 2018. It governs data storage and processing by organizations and requires organizations to secure all forms of personal data. If your organization collects, stores, or uses EU residents' data, then the regulation applies to you. Here are some pertinent aspects of the legislation to keep in mind:

GDPR and Consent

Thanks to GDPR, the era of scattergun marketing emails is gone: marketers can no longer send non-targeted emails without first seeking consent. Since the legislation came into effect, marketers have been grappling with the challenge of collecting and storing that consent. For your organization to be compliant, it should collect informed, unambiguous, and freely given consent before sending messages to your email list.

For consent to be considered valid under GDPR, customers should confirm their consent actively. They can do this by ticking unchecked opt-in boxes, for instance. Pre-checked boxes that take advantage of customers’ inaction to assume consent are not valid under GDPR. The regulation also stipulates that email consent be kept separate. Consent shouldn’t be bundled with your privacy notices, terms and conditions, or your services, except when email consent is required to complete that service.

For your organization to be GDPR-compliant, subscribers should be allowed to withdraw consent whenever they wish. Furthermore, they should know how to do it. The promotional emails that you send out should also come with the option to unsubscribe.

Besides requiring you to collect consent, GDPR requires you to maintain a record of the consents you collect. If your company collected the opt-in, it’s your responsibility to prove consent whenever it’s required. Maintaining evidence of consent entails being able to show:

  • Details of individuals who consented
  • When they consented
  • Everything they were told while providing the consent
  • How they provided the consent (e.g., during checkouts or via Google Forms)
  • The status of their consent

Email Retention

Since it’s one of the data protection principles, data erasure is a key aspect of the GDPR. According to Article 5(e), personal data shouldn’t be stored for longer than is necessary for the purpose for which it was collected. Data erasure is a personal right granted and protected by the regulation. In this regard, data subjects have the right to have their data, including emails, erased.

Indeed, many people never erase emails, and they have plenty of reasons for that. As an organization, the more emails you keep, the greater your liability if a breach occurs. The GDPR requires you to delete emails whose data you no longer need. Similarly, you must review your company’s email retention policy periodically.

GDPR and Email Marketing

Initially, many people argued that GDPR would bring email marketing to its knees. Contrary to their arguments, the regulation isn’t meant to stifle email marketing. Instead, it seeks to ensure that the emails subscribers receive provide value to them, by carrying a message they actually want to receive.

The regulation requires organizations to ask for an affirmative opt-in before sending out emails. You also need to make it easy for subscribers to opt out if they no longer find your emails relevant. You will violate the GDPR if the marketing emails you send don’t come with the option to unsubscribe, or if you send emails to individuals who never signed up for them.

Email Security

Even as you delete emails that you no longer need, GDPR requires you to secure your mail system using appropriate organizational or technical measures. If you fail to show regulators that your organization has implemented measures for protecting personal data against accidental loss or destruction, you will be fined.

Reviewing Your Consent Policy and Practices

To stay GDPR-compliant, your organization should regularly review and update its consent policy and practices. In particular, you should evaluate the consent you acquired before GDPR came into effect. If earlier subscribers provided consent in a manner that’s GDPR-compliant, and you’ve maintained a record of that consent, you won’t need to re-collect it from those subscribers. However, if you collected consent in a non-compliant manner, you will have to re-collect it. As you review your consent practices, it’s best to keep these two pertinent points in mind:

  • Audit Your Current Email List

Start by figuring out whether everyone on your current email list provided GDPR-compliant consent. Moreover, ensure you have an up-to-date record of those consents.

  • Implement a Re-Permission Program

If anyone on your email list hasn’t provided GDPR-compliant consent, or you’re unsure about the compliance status of their consent, you’ll have to roll out a re-permission campaign. This will enable you to either refresh the consent or expunge that individual from your mailing list.
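To make the audit above concrete, here is an added example (not code from the original post or from Reciprocity Labs) that models a consent record with the evidence fields listed earlier and sorts a constructed list into subscribers you can mail, subscribers who need a re-permission request, and subscribers who must be suppressed because they withdrew consent. The record fields, bucket names, and sample subscribers are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Fields mirror the evidence the post says you must be able to produce:
# who consented, when, what they were told, how, and the current status.
@dataclass
class ConsentRecord:
    subject_id: str                   # pseudonymous id, not the raw address
    consented_at: Optional[datetime]  # None = no dated record was kept
    notice_text: Optional[str]        # what the subscriber was told
    method: Optional[str]             # e.g. "checkout", "google_forms"
    affirmative: bool                 # ticked an unchecked opt-in box
    separate_from_terms: bool         # not bundled with T&Cs or a privacy notice
    withdrawn: bool = False           # unsubscribe / withdrawal received

def audit_consent(rec: ConsentRecord) -> str:
    """Classify one record as 'mailable', 're-permission' or 'suppress'."""
    if rec.withdrawn:
        return "suppress"              # withdrawal stands; do not re-ask
    if rec.consented_at is None or not rec.notice_text or not rec.method:
        return "re-permission"         # consent claimed but not evidenced
    if not rec.affirmative or not rec.separate_from_terms:
        return "re-permission"         # pre-checked box or bundled consent
    return "mailable"                  # compliant; a pre-2018 date is fine

def partition_list(records: List[ConsentRecord]) -> Dict[str, List[str]]:
    """Group subject ids by audit outcome, preserving list order."""
    buckets: Dict[str, List[str]] = {"mailable": [], "re-permission": [], "suppress": []}
    for rec in records:
        buckets[audit_consent(rec)].append(rec.subject_id)
    return buckets

# Constructed sample list for the example; these are not real subscribers.
SAMPLE_LIST = [
    ConsentRecord("sub-001", datetime(2017, 3, 1), "Weekly newsletter", "checkout", True, True),
    ConsentRecord("sub-002", datetime(2019, 6, 9), "Weekly newsletter", "google_forms", False, True),
    ConsentRecord("sub-003", None, None, None, True, True),
    ConsentRecord("sub-004", datetime(2020, 1, 5), "Weekly newsletter", "checkout", True, True, withdrawn=True),
]

if __name__ == "__main__":
    for bucket, ids in partition_list(SAMPLE_LIST).items():
        print(f"{bucket}: {ids}")
```

Note that sub-001 consented before May 2018 yet stays mailable, because the consent was affirmative, separate, and recorded; only the quality and evidence of the consent decide the outcome, not its date.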

Key Takeaways

The GDPR is here with us. Organizations should educate employees about email security. Implementing basic measures such as two-factor authentication and email encryption will go a long way in protecting your data and ensuring compliance with the GDPR.


About The Author:
Jordan MacAvoy is the Vice President of Marketing at Reciprocity Labs and manages the company's go-to-market strategy and execution. Prior to joining Reciprocity, Mr. MacAvoy served in executive roles at Fundbox, a Forbes Next Billion Dollar Company, and Intuit, via their acquisition of the SaaS marketing and communications solution, Demandforce.
