Email marketing in the GDPR era

Alexandros Nasiopoulos on 17-10-2019. Modified on 19-09-2020

The application of the GDPR has caused major changes to digital marketing. Many believed that the application of GDPR automatically meant the end of the era of email marketing.

But is this true?

In this article, we will try to give you all the important information you need to know to develop a secure email marketing campaign in the GDPR era.

General Data Protection Regulation - GDPR

The European Union's General Data Protection Regulation (GDPR) is a law adopted by the European Union (EU) that came into force on May 25th, 2018.

GDPR does not focus on email marketing. Rather, as its name indicates, GDPR relates to the protection of personal data.

Although the regulation was adopted by the European Union, that does not mean companies based outside the EU are exempt from penalties. If you manage EU citizens' personal data and you do not comply with the GDPR, you may be subject to heavy fines.

How seriously should you take the GDPR?

In short, GDPR is not a regulation that you should take lightly. Failure to comply with it could result in fines of millions of euros.

Now that you know why everyone is freaked out about GDPR, let's dive into more detail about GDPR and how it affects email marketing.

How to comply with GDPR

GDPR consists of a list of regulations for managing EU citizens' personal data.

GDPR is designed to help consumers gain greater control of their data while providing greater transparency throughout the data collection and use process.

The key elements of GDPR that you should definitely comply with are the following:

  1. Consent to receive data: The terms of consent must be accurate and explained in simple terms. Consent must be easy to give and just as easy to withdraw at any time.
  2. Breach Notification: In case of a security breach and leakage of personal data, you should notify all users within 72 hours that their personal data has been stolen.
  3. Right of access to data: If a user requests the personal data you have collected about him/her, you should be able to provide it immediately, free of charge and in detail, in an electronic form. This report should also include the ways you use this data.
  4. Right to delete: Users have the right to request the deletion of their personal data.
  5. Data portability: Users can reuse the data you have collected about them in different environments outside of your company.
  6. Data protection by design and by default: The systems you use to collect and manage personal data must implement appropriate security protocols from the very beginning of their development.
  7. Data Protection Officer: Depending on the size of your company or the way you collect and process personal data, it may be mandatory to hire a data protection officer (DPO).

If you need detailed information on GDPR, you can visit the official website of the European Union.

Email marketing and GDPR

The ability to develop an email marketing campaign is based on one single element: Email collection.

The days when we were buying infinite lists of emails from third parties are over.

Users' emails are personal data too. So in case you are wondering why I cite general GDPR compliance information and I don't just give info about the subject of this article, which is email marketing in the GDPR era, I will answer with a question:

Where did you find the email of the person you messaged?

As I said above, GDPR was not intended to stop email marketing. This, of course, does not mean that GDPR does not affect email marketing.

As a negative effect, we could say that the need to obtain consent to collect emails has made marketers' jobs harder. Put simply, collecting an email has become more difficult for companies, and having it deleted from their list has become easier for users.

Just from the above, one can conclude that GDPR is aimed at protecting and assisting individuals rather than businesses.

This is not necessarily bad for businesses, at least as I see it. Why?

Perhaps, at last, it's time to focus our efforts on users who are genuinely interested in what each of us is trying to promote.

Can I develop an email marketing campaign in the GDPR era?

The answer is, of course! However, you should keep in mind the following rules. Not all of the rules below are necessarily mentioned in the GDPR legislation, but you should follow them if you want to be sure you will not be penalized.



Make sure your emails are correctly and properly targeted

The GDPR does not prohibit the search and collection of data but requires a higher level of awareness and precision. Awareness refers to the fact that you should not collect more data than you need or are going to use. Precision is about the audience you are targeting, and it simply means that your email recipients should not be surprised when they receive an email from you.



Express your legitimate interest

In most cases, the reason you send an email is self-explanatory. But that doesn't mean you don't have to explain what your email is about. Examples of this might be: "You are receiving this email because you are subscribed to our newsletter" or "Are you interested in a case for the iPhone 11 you bought a few days ago?"



Make deletion easy

Your email should definitely contain an "Unsubscribe" button. A user who has decided that he is no longer interested in receiving your emails and wants to unsubscribe will not stay just because unsubscribing is difficult. At least make sure you leave a positive last impression.



Regularly clean your database

GDPR is not just about deleting those who do not want to receive your emails. It also refers to deleting personal data that is inaccurate or has been inactive for months.



Terms of use and consent are two different things

Consent to sending emails should be requested simply and clearly, not merely stated in the terms of use. For example, you should under no circumstances state in the terms of use that when someone purchases a product, you automatically save the user's email to send the newsletter.



Keep consent data

According to the GDPR, user consent alone is not enough. If you are put under the microscope of an inspection, you should be able to answer questions such as:

  • On what date did you get the consent?
  • How did you get the consent (contact form, check-out, newsletter, etc.)?
  • What exactly did you say to the user once he gave you his consent?
  • Has the user withdrawn his consent?



Email Encryption

GDPR does not require email encryption. However, as mentioned above, GDPR requires "data protection by design and by default". This means that you must have implemented some data protection techniques from the beginning of developing your personal data management application. If you want to be sure that you comply with the regulation, it would be advisable to encrypt your emails.



Email Security

Email security goes hand in hand with email encryption. By "security", I mean the handling of malicious emails. As you may know, 91% of internet attacks start with a phishing email, in which hackers try to gain access to an account by deceiving a user. How? By sending an email containing a link that leads to malware. Once they have access to an account, they are more likely to be able to steal your data. Proper training of your company staff in handling malicious emails can save you a lot of trouble.

Can I purchase an email list and still comply with GDPR?

GDPR does not prohibit the purchase of emails, as long as the list you purchased also contains the consent of all users included. I would definitely recommend avoiding such actions. Why?

Just because something is legal does not mean it is also good for developing a successful email marketing strategy.


If you need more information on what you have read or you are looking for a reliable company to develop a successful and secure digital marketing strategy, you can contact us.

Reviews (1)
By Joe N. on 19-10-2019

Email Marketing Great info!
