Some Good Thinking

Is Your Email Program GDPR-Ready?


We’re seeing this question a lot in marketing blogs and white papers. But before we can answer that question for you, let’s back up. You may be wondering what GDPR even is and how it relates to you.

What Is GDPR?

GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679). It governs how the personal data of individuals in the European Union is collected, stored and used. Note that it protects people who are in the EU, not only EU citizens. The regulation applies from May 25, 2018. Everyone who processes personal data of people in the EU should read the regulation; I recommend starting with the European Commission’s website.

In a nutshell, GDPR gives data privacy rights to individuals in the EU. Under the law, businesses must do the following (note, this is not an exhaustive list):

  • Use plain language. When collecting data, identify your business or organization. Explain why personal data is being collected, how it will be stored, and for how long it will be kept.
  • Gain consent before collecting data. Consent must be freely given, specific, informed and unambiguous, and it must be an affirmative act by the person. You cannot rely on a pre-checked opt-in box on a checkout page, and silence or inactivity does not count as consent. Keep a record of when and how each consent was obtained, because you must be able to demonstrate it.
  • Provide a means for people to access the data you have about them, and a mechanism for them to have their data erased (the “right to be forgotten”).
  • Report personal data breaches. Notify your supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to pose a risk to individuals, and tell the affected people without undue delay when the breach is likely to pose a high risk to them.
  • Give people the right to object to direct marketing, including any profiling that supports it, and stop processing their data for that purpose once they object.

Does GDPR Only Apply to EU Businesses?

GDPR applies to any organization established in the EU, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behavior, regardless of those people’s citizenship. That means if you’re collecting email subscribers located in EU countries, you must comply with GDPR. It doesn’t matter whether you’re actively marketing to them or not.

Action Items for Email Marketers

  • Ensure you have a lawful basis for EU subscribers. Under GDPR, there are six lawful bases for collecting and using personal data. The one most applicable to email marketers is consent, and in the EU express consent is generally required for marketing email; record when and how it was given. Another common lawful basis is the performance of a contract, which is commonly used for transactional email like order and shipping confirmations. If you don’t have a lawful basis for collecting and using the data of people in the EU, the best course of action is to remove their records from your database prior to May 25.
  • Review and update email sign-up forms. Ensure the forms contain plain language to acquire consent, let subscribers know they can opt out, and provide a link to your privacy policy.
  • Review and update privacy policy. Policies should include details on how data is gathered, stored and used. You should also outline how subscribers can exercise their right to be forgotten. I strongly recommend having your privacy policy reviewed by your legal team or an attorney who is familiar with GDPR and privacy laws. Add a link to your privacy policy in the footer of your marketing and transactional emails.
  • Discuss GDPR with other teams including the head of marketing and IT. GDPR is MUCH bigger than just email. It’s a cultural shift in how data is collected, stored and used across all business practices.
  • Document what you’ve done to comply with GDPR and share it with your data protection officer (or whoever is responsible for privacy compliance at your organization).

All of the technology partners we work with at Katey Charles Communications are GDPR-compliant or have committed to being compliant by May 25. Please contact your account manager or email us if you’d like to discuss GDPR compliance in greater detail.

More Resources Related to GDPR:


Please Note: The staff at Katey Charles Communications are not qualified to provide legal advice. This article is not intended to constitute or be a substitute for legal advice.