GDPR (General Data Protection Regulation) is certainly on everyone’s mind at the moment, whether you have anything to do with marketing, collecting or storing personal data or not.

GDPR impacts more than just your email marketing – it will apply to our ‘business to business’ activity in the same way as ‘business to consumer’ communications – if you are gathering, using and storing personal (or sensitive) data you have some new responsibilities.

GDPR comes into effect on the 25th May 2018 and will be ‘managed’ in the UK by the ICO (Information Commissioner’s Office), and any breaches reported to them will be investigated.

They are going to be very busy.

GDPR – all you need to know – can be found at so I’m not planning to recycle their guidelines.

“GDPR has been called the Data Protection Act with ‘teeth’.”

You are now expected to abide by the law and there are a couple of new changes that may affect the way you use email marketing in the future.

Permission now needs to be explicit, not implicit

Email marketing is known as permission-based marketing (like mobile marketing). You need to have permission to email somebody, and they need to have shared their contact details with you willingly and consciously, either through a single or a double opt-in.

When you sign up for someone’s mailing list, an email is often sent to you to confirm you want to be added to that list. It’s a good way to check the email address exists and that there are no typos or keystroke errors.

If you’ve ever had to cleanse a database, you’ll know what a total pain keystroke errors are.

You only have permission to communicate about the transaction in hand

If you are providing a service or selling products, you are free to email and write to the customer in order to deliver or the transaction. You are not meant to just quietly add them to your mailing list and hope they don’t notice…

You need to make it easy to opt in and opt out

This applies to every single campaign that you send – permission-based marketing – so hiding or disabling the unsubscribe link is not a great idea.

We need to be aware of SPAM, because it’s a bad thing, particularly if you’re using email marketing software. If there’s even a whiff of spam, your account can be suspended and your wrists slapped.

Uh-Oh, Unsolicited Email Alert

An email could even be a one-to-one communication, but if the recipient has never heard of you and doesn’t know your company name, then they didn’t give you permission. Some examples include first contact, sales or job enquiries.

Bulk Email? Tsk, tsk, tsk

Bulk email is normal email but can include subscriber newsletters, customer communications and so on, where an identical message is being sent to one or more people at one time. Even if you send it to just two people, if they feel it’s SPAM and unsolicited, then in the eyes of the law, it is.

So what is SPAM*?

a) Pink and nasty processed pork that reminds us of school dinners?

b) Bulk email that is also unsolicited?

c) The number one reason for your email software to be shut down?

SPAM is email that is also unsolicited – people didn’t want to hear from you, didn’t sign up to your list and don’t understand why you’re emailing them. Often the content of the email is inappropriate or irrelevant and you should avoid doing this at all costs.

“Let’s face it, if GDPR can remove or even reduce the huge volumes of SPAM emails we get each day, it will be a welcome change.”

Why are you still buying contact data?

SPAM (unsolicited and junk messages) can get you into hot water if you have bought data or someone else has shared their mailing list with you. You may not have permission to contact them and the data can be really old, or contain lots of keystroke errors in the database. If you upload it into email marketing software and people on the list complain that they’ve been spammed, your account can be suspended pending an investigation. It’s not worth the risk, so be careful and avoid it. 

Also, as every frustrated marketer knows, bought data has a tiny conversion rate – if you’re lucky. And it can get you into real trouble with your email service provider, as well as the ICO.

The game-changer for all users of personal data, post-GDPR

All the guidelines above have been covered by the Data Protection Act and followed by the majority of marketers and data managers for years.

The really scary bit, especially for small businesses who don’t have a dedicated IT manager, is the legal responsibility to store personal data securely (yes, that includes your b2b customers as well).

“We live in an age when hacking, malware and ransomware are an everyday occurrence and no organisation is too big to be targeted.”

The fines if you fail to inform the ICO and all people affected within 72 hours are eye-wateringly huge.

This is why Sony wasn’t fined when they were hacked, but Yahoo was. They didn’t admit it until long afterwards.

If you have any concerns about the security of your software, hardware or cloud-based systems, then I sincerely recommend working your way through the UK government’s own Cyber Essentials guidelines and beefing up your cybersecurity.

* Answer: it is a, c. Are you old enough to remember spam fritters for school dinners?

In the next article, we’ll discuss list building done properly and in line with GDPR.
