How GDPR Affects Email Marketing for UK Businesses

The General Data Protection Regulation, or GDPR, is going to fundamentally change how businesses handle personal data in the UK and across Europe from May 25th 2018, especially when it comes to email marketing. 

Email marketing plays a key role in digital marketing for many businesses, and handling email addresses and other personal data will need to be reconsidered once GDPR hits.

What is the GDPR?

If you haven’t yet seen it in the news or across the web, the GDPR is big news for virtually all businesses operating in the UK and the EU.

The GDPR sets out to build “privacy by design” into how businesses collect and store data.

The GDPR replaces the Data Protection Act 1998, and will update data protection legislation to be in keeping with the new digital age we have been living in for some time now.

Much of what the Data Protection Act outlined remains in the GDPR, but it brings along a lot of new regulations that businesses must adhere to, or face rather large fines that could potentially put a lot of smaller businesses out of business.

Overall, the GDPR aims to give data subjects more say in how their data is collected, handled and stored. They should have more control over what organisations can do with their personal data, and who has it.

The benefit for businesses is that your data will be better, and any contact or email lists you have will consist of contacts who are interested in what you offer, rather than contacts you have collected over many years who didn’t even realise you had their personal data. Quality over quantity, at the end of the day.

The GDPR Europe website describes it as follows:

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy. The key articles of the GDPR, as well as information on its business impact, can be found throughout this site.

After four years of preparation and debate the GDPR was finally approved by the EU Parliament on 14 April 2016. Enforcement date: 25 May 2018 – at which time those organizations in non-compliance may face heavy fines.

The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies; the key points of the GDPR as well as information on the impacts it will have on business can be found below.

How will GDPR change email marketing?

GDPR means data subjects have more control over their data, which means businesses must allow them the right to have their say on who holds their data, for what period of time, and for what purpose.

Allowing your email contacts access to how their data is handled takes your business one step towards GDPR compliance, whilst reassuring customers that their data is only in the hands of businesses they want it to be.

Marketers will need to purge any old email lists or unauthorised email lists that may have been purchased or collected in the distant past.

Your current email lists should only consist of recent, relevant data that is required by your business. Any data which your business has no real right to use or hold will have to go.

The benefit for your business is that your email lists should be much higher quality and more likely to engage with your campaigns.

Email marketing obligations under GDPR

When putting together future campaigns or compiling email lists, your business will need to consider the following:

Unbundled data

When asking for consent to use someone’s personal data, the request should be a stand-alone question that isn’t hidden within terms and conditions. Data subjects need to clearly see what they are signing up for. Consent is sought separately from any other conditions.


Consent has to be expressed clearly. Consent is not assumed when a customer signs up for a particular service or another form of contact, unless, of course, your service specifically needs it.

Consent must be freely given, rather than forced in some way.

Active opt-in

Consent of data subjects relies on opt-in boxes, and boxes may no longer be pre-ticked. It must be clear that your data subject has actively opted in through their own action, rather than by not un-ticking a box or otherwise.


If there are different parts to your email marketing or data handling, data subjects need to be fully aware of this and express consent for each part.

This maximises the control data subjects have over their own personal data.

So if you send separate campaigns about different areas, products, services and so on, data subjects will need to give consent for each area.

Named data handling organisations

You will need to detail names of data-handling organisations that may be involved. You must include any third parties that any information is shared with.

So if information is shared with other organisations, these must be detailed and consent must be given. Essentially, if the data will be used in a number of different ways, it’s recommended that you ask for separate consent to each part, as the data subject then has as much control over their data as possible.

Withdrawing data

Data subjects need to be able to withdraw consent retroactively, so that they can control their own data. They should be able to opt out of your email marketing.


Where consent is given, records need to be kept.

This should include what data subjects have consented to, what information they were provided with, and what the method of consent was.

What happens if I don’t comply with GDPR?

If there is a data breach, a failure to comply with the new regulations carries a fine of 4% of turnover or €20 million, whichever is higher.

Data subjects and individuals can also bring their own lawsuits into the equation, in order to make compensation claims if there is a breach.

With the latest news stories of data breaches and how personal data is stored online (such as with Google and Facebook), a data breach would also have a significant impact on your brand or business. Perhaps so significant that there’s no coming back from it.

If you’re already putting plans in motion for how you will handle the incoming GDPR regulations, then that’s a great first step.

However, if you have not thought about your next moves ahead of the May 25th deadline, then there’s no time like the present.

If you have any questions about your digital marketing or web development requirements with GDPR in mind, do get in touch with the team here at Xanthos, who would be more than happy to help.