Ask Sawal


How to be GDPR compliant with email?

5 Answer(s) Available
Answer # 1 #

The European Union’s General Data Protection Regulation (GDPR), which comes into force on May 25, will govern the storage and processing of data rather than its collection. It also includes some very important consumer rights. The most important are the right to be informed, the right of access, the right to correct errors, the right to erase data, the right to restrict processing, and the right to take it elsewhere (data portability). How useful these will be in practice remains to be seen.

“Personal data” includes names, addresses, phone numbers and IP addresses, as well as what GDPR calls “factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. That includes biometrics such as face, fingerprint and iris recognition, and genetic information. In other words, you may have personal data that identifies someone even if you don’t know their name.

GDPR applies to companies and organisations, particularly those with more than 250 employees. Home and household users are exempt. However, as a freelancer, you store and process data, even if the “processing” just means entering a name in an address book and looking it up. You should therefore do an audit of the devices and software you use to make sure that other people’s personal data is protected. This may require the use of data backups, passwords, encryption, malware protection, and a VPN when using public hotspots. The GDPR also obliges you to tell people if there are any security breaches.

You should also audit your data to make sure that you are only holding data that is necessary for your jobs, or that you are legally required to hold, e.g. for tax purposes.

The UK’s Information Commissioner’s Office (ICO) has a useful 12-step plan (PDF), though like most things GDPR-related, it’s aimed at companies. IBM’s Liz Henderson provides a good summary in two posts on LinkedIn, GDPR Plan – Do you have yours? and GDPR Initial Steps, What’s Next...?

Note: the GDPR is being modified and implemented in the UK by the data protection bill, which is still going through parliament. It should include some exceptions for journalism similar to the ones in the previous DPA, so check whether these apply to you.

You are right to be concerned about sending things by email. Emails are more like plain text postcards because they can, in theory, be read at any of the many servers through which they pass, or by someone tapping a line. Of course, “read by” is unlikely to mean “read by a human being.” However, software can look for things like passwords and credit card numbers.

A more likely problem is sending emails to the wrong address, either because users have got their own email addresses wrong (this happens surprisingly often), or through human error. Pick the wrong address from a list of auto-complete suggestions and you could send personal data to the wrong recipient. This would be a data breach that might have to be reported.

It would obviously be a good thing if all emails were encrypted by default so that only the intended recipient could read them. Three decades of history says this isn’t going to happen soon, if at all. Public key encryption is too hard for people who just want to send normal emails.

Some large organisations do have encrypted email services, such as the NHS, but that doesn’t help the rest of us.

Some people do choose secure email services, such as ProtonMail in Switzerland and Tutanota in Germany. However, you also have to send external recipients a password – for example, in an SMS text message – to decrypt the email.

Tutanota users get an email that says “you have an encrypted email” and you click a link to read it, and reply to it, in a browser. You have to export the email if you want to keep a copy.

There are also plug-ins for Gmail and the Microsoft Outlook email program that provide secure email services. If one of your employers is using a secure system, they might let you join in.

If there’s no other alternative, you should encrypt and password-protect your images and documents before sending them as email attachments. Again, you must send the password separately, either via a different messaging service or in the post.

It’s a good idea to upload attachments and then send people a link. However, bear in mind that you are uploading documents to the company that probably runs the biggest surveillance operation on the planet. Encrypt your documents before you upload them.

Encryption protects data if an online storage service is compromised – it has happened – or if your email is hacked.

Unfortunately, using Google Drive brings up an extra complication. If you are using Gmail, then you can assume that your data is being held in, or passing through, or accessible from the USA.

GDPR does not oblige users to store data on servers inside the EU. However, there are extra requirements if servers are outside the EU. First, you need to have a legitimate reason for transferring personal data outside the EU. Second, you must have the consent of the person whose data is being exported. Third, you must give that person the option to opt out.

In another post, the aforementioned Liz Henderson explains how to create a GDPR Privacy Notice, and you could adapt her sample to cover Gmail storage outside the EU.

You could switch to using an email service that operates wholly within the EU (see above), if only for any people who opt out, or you could upgrade to Google’s paid-for service.

Google claims that its G Suite and Google Cloud Platform (GCP) services are fully compliant with GDPR, because it offers to sign EU Model Contract Clauses and a Data Processing Amendment. The fine print notes that “the parties acknowledge and agree that Non-European Data Protection Legislation may also apply to the processing of Customer Personal Data” and that “Google will not process Customer Personal Data for Advertising purposes or serve Advertising in the Services”.

I don’t think GDPR will actually stop advertising-driven personal data processing. Just look forward to clicking “I agree” to lots of terms and conditions you won’t even bother to read.

Bear in mind that GDPR is a legal matter and I am not a lawyer. I am also not an expert on GDPR. Companies who can be fined up to €20 million or 4% of their annual turnover should take this stuff seriously and follow the ICO’s advice. Lots of consultancies are offering guides, training, software toolkits and other services, too.

Freelancers like us are not the target, but we should work to comply as best we can. In particular, don’t keep any personal data you don’t need, and store and use it securely. Indeed, you should do those things even if the GDPR didn’t exist.

Feryna K.Somnath
Answer # 2 #

Failing to comply with the General Data Protection Regulation (GDPR) results in charges, fines, and a damaged brand reputation. And given how easy it is to stay GDPR compliant, there’s no reason you shouldn’t follow the regulations.

In this article, we cover everything you need to know about GDPR email marketing to help you write GDPR-friendly emails and avoid fines.

GDPR is a set of security and privacy laws in the European Union (EU) that regulate how data should be collected and processed.

How does it help? The GDPR protects individuals from:

The data protection rules increase transparency and accountability between businesses and their customers, giving users a better understanding of what their personal data is used for.

Since 2018, all organizations with EU-based audiences must follow the regulations.

Every piece of information that relates to an identifiable person is personal data. It might be:

The GDPR requirements apply to every company that targets or collects data related to people in the EU.

“If my company isn’t EU-based, does the GDPR affect me?”

Yes, it does. Since the GDPR rules aim to protect individuals in the EU, it doesn’t matter where you are located as long as you process the personal data of EU citizens or residents.

How does the GDPR affect your email marketing strategy?

Since you need to collect users’ contact information to reach them with marketing messages, your email marketing campaigns fall under the GDPR. This means you should follow the key GDPR principles when gathering, processing, and storing user data. (Even if it’s only an email address!)

Contrary to what some marketers expected, the GDPR didn’t kill email marketing. Quite the opposite, GDPR-compliant brands have a chance to strengthen their relationships with their audience, build trust, and improve email engagement.

Email marketing has become less disruptive and more relevant and trustworthy. Now, companies think twice before sending a promotional email, and customers no longer see marketing communications as irrelevant and intrusive.

Here are seven data protection principles every email marketer should know.

When collecting personal data, you should align with three sub-principles of the GDPR:

Users should know where their data goes and how it’s processed. You should add this information right within your data collection form.

There should be a “specified, explicit, and legitimate purpose” behind data collection. For instance, if you state you need the user’s email address to send transactional emails, you aren’t allowed to reach them with marketing communications.

The principle of purpose limitation protects individuals from wrongful use of data, spam, and irrelevant communications.

GDPR strives to minimize the collection of excessive data. To comply with this principle, an organization can only ask for the data they need to achieve the stated purpose.

This rule makes it easier for companies to manage data and keep it up-to-date. It also minimizes the damage caused by a potential data breach.

A business must also take responsibility for updating the data and erasing incorrect information whenever they spot it. Individuals have the right to request the removal of irrelevant or incomplete information within 30 days.

For instance, when a user opts out of your marketing communications, the principle of data accuracy requires you to remove their email address from your marketing email list.

The data collected should be stored only for a specified timeline. If you no longer need the data to achieve the goal you previously established, you must delete it from your database.

You can also archive the data, but you need to indicate the retention period and detail reasons for doing so in your privacy policy.

According to the official legal text of EU GDPR, this principle helps to ensure that the data is

You must adopt proper measures to secure your audience data from deliberate attacks or accidental breaches. For email marketers, this means:

The seventh principle requires you to collect all the necessary documentation that may prove that you meet compliance regulations. This documentation may include:

Maintaining records of data processing activities allows you to demonstrate your compliance with GDPR, saving you a lot of trouble.

There’s one significant reason to stay GDPR compliant — large fines for non-compliance.

Under the GDPR, fines can reach €20 million or 4% of the company’s global turnover for the preceding financial year. The fines are flexible and depend on the severity of the infringement which is determined by the nature, gravity, and duration of the GDPR violation.

The biggest ever fine was registered in July 2021. Amazon was again found incompliant with general data processing principles and had to pay a penalty of €746 million. It’s followed by Meta (€405 million), WhatsApp Ireland (€225 million), and Google (€90 million).

Source: GDPR Enforcement Tracker

But these statistics shouldn’t give you the impression that only corporate giants like Google and Facebook are subject to GDPR penalties.

In 2022, over 350 healthcare organizations, restaurants, local service providers, educational centers, stores, and other small businesses were charged for non-compliance with the GDPR. Since 2018, over a thousand companies have been fined, and this number is growing.

The more successful your company gets, the more serious the consequences of non-compliance become.

Luckily, it’s incredibly easy to build a GDPR-friendly email marketing strategy when you know what to do. Here are eight steps to help create GDPR-compliant emails and stay safe from remediation costs and damaged reputation.

A good email marketing service provider will do most of the work to help you stay compliant with the GDPR.

Sendinblue is an email marketing platform that ensures your GDPR compliance by doing all the hard work for you. To protect you and your audience, Sendinblue:

With a secure GDPR-compliant tool in your tech stack, there are very few things you can do wrong. Below are seven more best practices that leave a GDPR inspector no chance to accuse you of policy violation.

A GDPR-compliant subscription form should be the cornerstone of your lead generation strategy. Whenever you collect users’ personal information, your data collection form should include a mandatory GDPR checkbox.

Alongside the checkbox, you should provide some context as to why you collect the data and what users should expect next. If you’re going to use the data for different purposes, make it clear in the form and include several checkboxes.

Tip: Mark it as a required field so your subscribers don’t forget to check it.

If your service provider doesn’t offer a GDPR declaration like Sendinblue does, you’ll need to write one yourself.

A GDPR declaration, or a privacy note, is a document that declares your organization’s commitment to the GDPR principles and covers:

Place a link to your privacy statement near the consent checkbox to allow people to read it if they wish.

Review your privacy and data retention policies at least once every two years to keep yourself away from legal trouble.

If people don’t consent to marketing emails, don’t try to squeeze newsletters in between account notifications. You can only send them transactional emails.

First of all, it’s against the law. But even worse, your subscribers will notice you’re breaking your promises and mark your messages as spam. None of these is good for a company that wants to achieve its email marketing goals.

According to GDPR regulation, individuals have the right to request data updates, and the inquiry must be fulfilled within 30 business days.

For email marketers, this means you should make it easy for contacts to unsubscribe from company emails or configure their subscriptions.

It’s not only irritating but also unlawful when a user can’t access the “Unsubscribe” button within the email content. Make sure to include one in all your emails and don’t forget to actually unsubscribe people who have opted out from your brand communications.

For your protection, Sendinblue inserts an unsubscribe link automatically in all email templates.

The more data you keep, the more serious the risk is if there’s a data breach. Even if you aren’t worried about a data breach, there’s one more reason for you to keep your email list up-to-date — the GDPR requires you to do so.

Ideally, your email marketing platform will take care of your mailing list and automatically disable contacts that have clicked the unsubscribe link. But that’s not enough.

To maintain your sender reputation and keep your list picture-perfect, set up rules for disabling disengaged email addresses or segmenting contacts based on how they interact with your emails.

By automating list cleaning, you’ll save a lot of time while creating more personalized campaigns and keeping your email marketing GDPR compliant.

Discover more about email list management here.

Double opt-in is a two-step registration process that requires users to confirm their subscription by verifying their email address. Sendinblue allows you to set up a double opt-in in a few simple steps.

Although double opt-in isn’t required by the GDPR, it does help you keep your mailing list clean and healthy. It’s also extra proof that your audience has given explicit consent to receive your emails.

To comply with the seventh GDPR principle — accountability — you’ll need to keep records of your data processing activities.

The records should include proof of consent, data processing methods, information on third parties involved, and any other data that might help you prove your GDPR compliance.

Erland Canary
Answer # 3 #

GDPR raises the bar to a higher standard of consent for subscribers based in the European Union (EU), meaning how you’ve collected consent from EU subscribers in the past might not be compliant anymore.

And even now that the United Kingdom (UK) has formally left the EU, GDPR after Brexit hasn’t changed too much. The UK has created their own UK GDPR, which is essentially the same as the EU GDPR except that it applies to UK residents only. Details are covered in the Guide to the UK GDPR from the UK’s Information Commissioner’s Office (ICO). For simplicity’s sake, I’ll refer to both as just GDPR unless referencing one specifically.

So the real question is: What does all this mean for email consent from your EU and UK subscribers?

GDPR requires that brands collect affirmative consent that is “freely given, specific, informed, and unambiguous” to be compliant. The ICO has also provided a comprehensive guide on consent under GDPR. If you’re not ready to dive into the full 39-page guide just yet, here’s a breakdown of the five most important things you must know about email consent under GDPR—with plenty of examples of how we put them into action here at Litmus.

For consent to be valid under GDPR, a customer must actively confirm their consent, such as ticking an unchecked opt-in box. Pre-checked boxes that assume consent if people don’t uncheck them aren’t valid under GDPR.

Recital 32: “Silence, pre-ticked boxes or inactivity should not constitute consent.”

In the screenshot above, we show an example of how we use unchecked, opt-in boxes at Litmus to get consent. If the box was pre-checked, that wouldn’t comply with GDPR.

Email consent must be freely given—and that’s only the case if a person truly has a choice of whether or not they’d like to subscribe to marketing messages. If subscribing to a newsletter is required in order to download a whitepaper, for example, then that consent is not freely given.

Under GDPR, email consent needs to be separate. Never bundle consent with your terms and conditions, privacy notices, or any of your services (unless email consent is necessary to complete that service).

Article 7(4): “When assessing whether consent is freely given, utmost account shall be taken of whether […] the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

In the same screenshot above: When someone downloads an ebook or other content from Litmus, there’s an unchecked box to get on our email list. But signing up for emails is optional—you can always download the ebook without subscribing to our emails.

However, in this example below, we have an email subscription form in the footer of the Litmus website. The box is still unchecked, but the red asterisk denotes that consent is required.

Why? Because email consent is necessary to complete the service. In other words, this specific service is to send you our emails, and we can’t do that unless you opt in.

Article 7(3): “The data subject shall have the right to withdraw his or her consent at any time […] It shall be as easy to withdraw as to give consent.”

All major email laws, including CASL in Canada and CAN-SPAM in the U.S., require brands to give their subscribers the opportunity to opt out from receiving emails. Each promotional email you send must include an option to unsubscribe.

If you are already compliant with current Canadian, American, or European email laws, you may not have to change much when it comes to this requirement for GDPR compliance. Still, this is a perfect time to revisit your current opt-out process to ensure you’re following unsubscribe best practices:

In the footer of every promotional email from Litmus, we include an option to opt out from receiving emails. This makes unsubscribing easy should a subscriber ever lose interest.

It’s also worth pointing out that an unfriendly unsubscribe experience is also a major driver of spam complaints. Half of U.S. consumers say they’ve reported a brand’s emails as spam because they couldn’t easily opt out, according to our Adapting to Consumers’ New Definition of Spam report. So putting up opt-out barriers not only jeopardizes your legal compliance but can also hurt your deliverability as well.

GDPR sets the rules for how to collect consent and also requires companies to keep a record of those consents.

Article 7(1): “Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”

In some countries, the burden of proving consent has always been the responsibility of the company that collected the opt-in. For many other marketers, however, this requirement is a new challenge to tackle.

Keeping evidence of consent means you must be able to provide proof of:

If someone signs up to receive updates from Litmus, they get an email asking them to confirm their subscription (read more on the pros and cons of double opt-in here). If they then click the link in the opt-in confirmation request email, our email service provider records that action. With that, we can look at each individual subscriber, see when they opted in, and what form they used to do so.

It’s been a few years since GDPR went into effect, but if your email list is just crawling out of hibernation, you’ll need to check your consent practices and existing consent data.

Recital 171: “Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation.”

Even if you’ve been compliant for some time now, it’s always good to regularly review your process and subscribers’ consent.

GDPR applies to all existing EU and UK subscribers on your email list no matter when they got added—even if it was before GDPR was around. If your existing subscribers gave you consent in a way that’s already compliant with GDPR—and if you kept record of those opt-ins—there’s no need for you to re-collect consent from those subscribers.

If your existing records don’t meet GDPR requirements, however, you have to take action:

And while consent doesn’t expire, it’s likely to degrade over time. It also depends on context: If someone gives consent to receive a back-in-stock email, for example, the expectation is that consent expires once they receive that notification. No more emails to that person.

At Litmus, we use a re-permission program periodically to help keep our email lists clean. It includes very explicit language asking the subscriber to confirm they’d still like to get our emails by clicking a confirmation link in the email.

Re-permission campaigns are a powerful way to update existing contact records to ensure GDPR-compliant consent, but they do require detailed planning and execution. Remember: If you require updated consent for GDPR compliance, but your subscriber fails to engage with your re-permission campaign, you must remove them from your email list.

Your email subscribers are your most valuable audience—treat them that way. While these GDPR consent measures must be made for your EU and UK subscribers, every subscriber deserves to be treated with respect. Establish and continue to build trust with your subscribers. And if they ever want to leave? Let them go.

This post provides a high-level overview about email consent under GDPR, but is not intended, and should not be taken, as legal advice. Please contact your attorney for advice on email marketing regulations or any specific legal problems.

Dodo Totah
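The consent handling described in the two answers above (an unchecked opt-in box, a double opt-in confirmation link, an unsubscribe that is as easy as subscribing, proof of consent under Article 7(1), and deleting data you no longer need), worked through as an added Python example; this is illustrative code written for this page, not Litmus's or Sendinblue's system. The in-memory dict stands in for a database, the retention periods are assumed values, and the clock is injectable so expiry can be exercised without waiting.

```python
"""Consent ledger for GDPR-style email marketing: double opt-in, easy withdrawal,
purpose limitation, evidence of consent and storage limitation. Added illustration,
not code from the answers above; the dict stands in for a database (assumed)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

MARKETING = "marketing"          # requires opt-in consent
TRANSACTIONAL = "transactional"  # service emails: not based on marketing consent
PENDING_TTL = 7 * 86400          # assumed: unconfirmed sign-ups dropped after 7 days
RETENTION = 730 * 86400          # assumed: withdrawn records kept 2 years as evidence


@dataclass
class ConsentRecord:
    email: str
    purpose: str           # purpose limitation: what this address may be used for
    source_form: str       # evidence: which form collected the address
    requested_at: float    # unix seconds
    token_hash: str        # sha256 of the confirmation token; the token itself is not kept
    confirmed_at: Optional[float] = None
    withdrawn_at: Optional[float] = None


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _iso(ts: Optional[float]) -> Optional[str]:
    return None if ts is None else datetime.fromtimestamp(ts, timezone.utc).isoformat()


class ConsentLedger:
    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be exercised offline
        self._records = {}     # (email, purpose) -> ConsentRecord

    def request(self, email: str, purpose: str, source_form: str, affirmative: bool) -> str:
        """Step 1 of double opt-in: returns the token to embed in the confirmation link."""
        if not affirmative:    # Recital 32: a pre-ticked box or silence is not consent
            raise ValueError("consent requires a clear affirmative action")
        token = secrets.token_urlsafe(32)
        self._records[(email.lower(), purpose)] = ConsentRecord(
            email.lower(), purpose, source_form, self._now(), _digest(token))
        return token

    def confirm(self, token: str) -> bool:
        """Step 2: the click on the confirmation link; records when consent was given."""
        d = _digest(token)
        for rec in self._records.values():
            if secrets.compare_digest(rec.token_hash, d) and rec.confirmed_at is None:
                if self._now() - rec.requested_at > PENDING_TTL:
                    return False   # link too old: the sign-up has to be repeated
                rec.confirmed_at = self._now()
                return True
        return False

    def withdraw(self, email: str, purpose: str = MARKETING) -> None:
        """Article 7(3): one call, nothing to confirm. The record stays as proof."""
        rec = self._records.get((email.lower(), purpose))
        if rec is not None and rec.withdrawn_at is None:
            rec.withdrawn_at = self._now()

    def can_send(self, email: str, purpose: str) -> bool:
        """Gate every send through this check: no confirmed, unwithdrawn consent, no mail."""
        if purpose == TRANSACTIONAL:
            return True        # account/service mail does not rely on marketing consent
        rec = self._records.get((email.lower(), purpose))
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None

    def evidence(self, email: str, purpose: str = MARKETING) -> Optional[dict]:
        """Article 7(1): what the controller can show for this address."""
        rec = self._records.get((email.lower(), purpose))
        if rec is None:
            return None
        return {"email": rec.email, "purpose": rec.purpose, "form": rec.source_form,
                "requested_at": _iso(rec.requested_at), "confirmed_at": _iso(rec.confirmed_at),
                "withdrawn_at": _iso(rec.withdrawn_at),
                "method": "unchecked opt-in box plus emailed confirmation link"}

    def purge(self) -> int:
        """Storage limitation: drop records no longer needed; returns how many went."""
        now = self._now()
        stale = [k for k, r in self._records.items()
                 if (r.confirmed_at is None and now - r.requested_at > PENDING_TTL)
                 or (r.withdrawn_at is not None and now - r.withdrawn_at > RETENTION)]
        for k in stale:
            del self._records[k]
        return len(stale)
```

Only the hash of the confirmation token is stored, so a leaked copy of the table does not let anyone confirm consent on someone else's behalf.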
Answer # 4 #

There is a lot of information about how to send email marketing and stay within the law. Some of it is correct, some of it is wrong and some of it is simply confusing. Organisations seeking a simple answer to a simple question are frustrated. Unfortunately, neither the legislators nor the regulators have been particularly helpful with their sending out of numerous guidelines and having the law in different places. This resulted in the deluge of emails we all received in our inboxes in the days running up to the implementation of the General Data Protection Regulation (GDPR).

This frustration has had a significant impact on marketing departments within organisations as they don’t know what to do, or what risks they are taking.

In this article, we will give you the simple answer to the simple question – “How do companies send out marketing emails and stay within the law?” First, we will explain what has changed and how the confusion has arisen.

Prior to 25 May 2018, marketing emails were governed by the Data Protection Directive (enacted by the Data Protection Act 1998 in the UK (DPA)) and the Privacy and Electronic Communications Regulations 2003 (PECR). The latter deals with matters such as sending marketing by email, text, post and telephone.

Since the GDPR was introduced in 2018, sending a marketing email now constitutes the processing of personal data. To process personal data you need a ‘lawful basis’. There are two lawful bases available for marketing: ‘consent’ and ‘legitimate interests’. However, ‘legitimate interest’ does not work for marketing emails because PECR makes it clear that you need consent to send marketing emails (unless you qualify under the ‘soft opt-in’ under PECR). If you need consent (because you don’t qualify under the ‘soft opt-in’ under PECR), that consent needs to be of the quality required under the GDPR. It is the quality of consent that has changed in the GDPR compared to the quality of consent required under the DPA.

The GDPR requires that the consent to send marketing emails has to be freely given, specific, informed, unambiguous and provided by some form of clear affirmative action.

In other words, unless you can rely on the ‘soft opt-in’ under PECR, you need specific opt-in consent to receive email marketing which is given by some positive action such as ticking a box.

Still with us? We are getting close to the practical conclusion you are looking for.

This is what you should do before sending a marketing email.

First, establish what rights (if any) you have got to send marketing emails to your current marketing database. Did you get opt-in consent? Did you give individuals the right to opt-out? Was there an unsubscribe link in every email you sent them?

(a) you decide that you want GDPR quality consent from every individual so that the quality of your marketing database moving forward is high, i.e. send an email requesting such specific, opt-in consent; or
(b) you decide to continue to rely on ‘soft opt-in’ for all individuals (past and future) on your marketing database, i.e. carry on as you always have; or
(c) you draw a line on a certain date and create two marketing databases – the past database relying on ‘soft opt-in’ and a future database relying on GDPR quality consent, i.e. you get GDPR quality consent from new customers moving forward.

Second, make sure that your privacy policy makes it clear to individuals how you use their personal data for marketing and how they can choose not to receive such marketing.

Finally, you also need the right processes in place to ensure that any individuals who want removing from your databases get removed.

Unfortunately, there is more law on the way. The new ePrivacy Regulation was meant to come into force at the same time as the GDPR and replace PECR. We’re now in 2022 and this still hasn’t happened, which is why we have the current confusion.

Because of the uncertainty of what is going to happen to the ‘soft opt-in’ under the ePrivacy Regulation, we are advising all our clients of The Privacy Compliance Hub not to rely simply on ‘soft opt-in’ under (b) above and, instead make a choice between options (a) and (c).

There are rather extreme possible consequences of not staying within the law when sending your marketing emails. See our article on penalties under the GDPR here. We think that the regulator is likely to take an industry approach to enforcement. If it thinks that a particular industry is acting badly then it will target that industry.

We have also found that our ‘B2C’ clients have most to worry about from getting this wrong. Individuals are trolling for companies who are not sending marketing emails correctly. They are making claims in court, threatening to report the company to the regulator and, sometimes, following through on that threat unless they can settle the matter for a suitable sum. This is the sort of aggravation that companies really can do without!

In short, yes. SMS marketing is regulated by the GDPR in the same way as emails.

Yes, providing you have a lawful basis for doing so, such as consent or legitimate interest. We go into more detail about that in this post.

As above, you may be able to prove that your potential customer has a legitimate interest in hearing about your product or service and that it would not have an unacceptable privacy impact on those recipients. Read more about that here.

In short, if the person is identified, or is identifiable from their email address, then yes. If the email address is, then no. If the email address is, then yes. If the email address is, then maybe, if Dave Prentice is identifiable from that email address.

It depends what you want to email them about. If it is a service email about the product or service they have got from you then fine. If it is a marketing email then you need to follow the rules set out in this article.

Yes, but only if you have what is known as a ‘legal basis’ to do so. If a customer has signed up for certain services and performing those services requires an email address to be shared, such as with a courier company for example, then such sharing is ‘necessary for the performance of the contract’ you have with the customer and that is a valid legal basis. Other legal bases include consent and legitimate interests.

Sending an email containing personal information to the wrong person constitutes a data breach under the GDPR.

Bhrigav rvuffgvf
Answer # 5 #
  • Use a reliable email service provider.
  • Always get user consent to collect personal information.
  • Write a privacy note.
  • Stick to your promise.
  • Let users opt out.
  • Audit and clean your mailing list regularly.
  • Use double opt-in.
  • Keep records of processing activities.
Yaron Massett