GDPR for Email Marketers: Consent, Rights, and Records

GDPR has applied to EU personal data since May 2018, and it catches you even if your business is based outside Europe. Here is a plain-English breakdown of what it means for your email programme.


Disclaimer: This material is provided for general information only and is not legal advice. To understand the full impact of the GDPR on your data processing activities, consult an independent legal or privacy professional.


What is the GDPR?

On 25 May 2018, the European Union's General Data Protection Regulation (GDPR) came into effect. It applies to the personal data of EU individuals regardless of where that data is stored or processed.

The regulation creates consistent, enforceable privacy requirements across all EU Member States. Its core aim is to protect every EU individual's right to the privacy and security of their personal data.

Does the GDPR apply to you?

Most likely, yes. If you collect, record, organise, store, or perform any operations on data relating to an EU individual, the GDPR applies to you, even if your business is based outside the EU.


How does GDPR affect your email marketing programme?

The GDPR places clear accountability on data controllers and processors.

  • A controller is the party that "determines the purposes and means of the processing of personal data", that is you, and in some cases us.
  • A processor is the party that "processes personal data on behalf of the controller", that is us when you send emails through our platform.

For email marketers, consent is the most familiar and most practical lawful basis for collecting and processing data, though other lawful bases exist.

We recommend consulting a legal or privacy professional for a full picture of your obligations. The guidance below is a starting point for thinking through your compliance.

Review and update consent (signup) forms

The GDPR sets out specific conditions for how consent can and cannot be given.

Rather than relying on the older concept of "explicit" consent, the GDPR defines informed consent in a way that reinforces data subject rights and puts clear obligations on you as the controller.

In practice, this means working through the following:

  1. Review consent obtained from existing subscribers. You do not need to re-obtain consent if it was originally collected in a way that already meets GDPR requirements.
  2. Review your signup forms to confirm that any new information you collect complies with the GDPR's consent conditions.
  3. Review your public-facing data collection policies, for example, your online Privacy Policy, to confirm they are transparent about how you collect, share, and use personal data, and that they are linked from your consent forms.

Review and update privacy notices

Your subscribers have the right to know how their personal data is being processed. Your privacy policy should be easy to find and easy to understand.

To get there:

  • Clearly describe all processing activities, including those carried out by any third parties acting on your behalf.
  • Present this information in a concise, transparent, and accessible form, using plain language.
  • Make sure your online privacy notices are not buried, excessively long, or written in legal jargon that most readers will skip.

Build processes to handle subscriber requests

Data subjects (your subscribers, in the context of your email marketing) have the right to:

  • Transparent information about how you process their data.
  • Deletion, correction, or portability of their data.

You need a workable process for receiving and responding to these requests. When building that process, consider the following:

  • The steps a subscriber must follow to exercise their rights should be clear and easy. Instructions should be where subscribers expect to find them, and the request mechanism should not require specialist knowledge.
  • Not every request will be legitimate. Verify the identity of the requester before disclosing or modifying any personal data.
  • Respond accurately and on time.
  • There may be lawful grounds that prevent you from modifying or deleting a record in full or in part. Document your reasoning carefully.
  • Keep your responses to subscribers clear and unambiguous.
  • Store subscriber data in a common, portable file format so it can be transferred if requested.
  • You generally have one month to fulfil a request, though extensions are allowed in certain circumstances.
  • Document every step of the process.
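A minimal request-handling skeleton along these lines, added here as an example (it is not code from the original post or from the TouchBasePro platform). It assumes identity is verified with a one-time token sent to the address on file, simplifies "one month" to 30 days, treats an extension as a further 60 days, and uses a constructed in-memory subscriber store:

```python
import json
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed sample store: email -> subscriber record plus its consent evidence.
SUBSCRIBERS = {
    "ana@example.com": {"name": "Ana", "consent_form": "newsletter-v2", "consent_date": "2018-06-01"},
}

ONE_MONTH = timedelta(days=30)   # assumption: "one month" simplified to 30 days
EXTENSION = timedelta(days=60)   # assumption: extra time granted when an extension applies

@dataclass
class SubjectRequest:
    request_id: str
    email: str
    kind: str                    # "access", "delete", "correct" or "port"
    received: date
    verified: bool = False
    extended: bool = False
    audit: list = field(default_factory=list)

    def log(self, event: str) -> None:
        # Every step is written down so the handling can be evidenced later.
        self.audit.append(f"{date.today().isoformat()} {self.request_id} {event}")

    def deadline(self) -> date:
        return self.received + ONE_MONTH + (EXTENSION if self.extended else timedelta())

def verify_identity(req: SubjectRequest, presented: str, expected: str) -> bool:
    # Hypothetical check: the one-time token mailed to the address on file must be echoed back.
    req.verified = secrets.compare_digest(presented, expected)
    req.log("identity verified" if req.verified else "identity check FAILED")
    return req.verified

def handle_request(req: SubjectRequest, store: dict, changes: Optional[dict] = None) -> dict:
    if not req.verified:                      # nothing is disclosed or changed before verification
        req.log("refused: identity not verified")
        return {"status": "refused", "reason": "identity not verified"}
    record = store.get(req.email)
    if req.kind == "delete":
        store.pop(req.email, None)
        req.log("record deleted")
        return {"status": "done"}
    if req.kind == "correct" and record is not None:
        record.update(changes or {})
        req.log(f"fields corrected: {sorted((changes or {}).keys())}")
        return {"status": "done", "record": record}
    # "access" and "port": hand the data back in a common, portable format (JSON).
    req.log(f"{req.kind} export produced")
    return {"status": "done", "export": json.dumps({"email": req.email, **(record or {})}, sort_keys=True)}
```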

Record keeping

Keep records of your signup forms, data collection mechanisms, and processing activities. This could be the underlying code, a screenshot, a PDF, or a written description of each mechanism you use. Good records help you prove the nature of consent between you and your subscribers, and they give you a clearer view of what is and is not working in your data collection over time.

The tips above are not legal advice and do not represent a comprehensive compliance standard for your email marketing programme.

What we are doing to help

TouchBasePro is GDPR compliant in terms of our policies and internal processes. We are also building GDPR-compliant features into the platform to help you meet your own obligations as a controller of your subscribers' personal data.


Consult an independent legal or privacy professional to understand the full impact of the GDPR on your data processing activities.


Frequently asked questions

Does the GDPR apply to my business if I am based outside the EU?
Yes. If you collect or process personal data belonging to EU individuals, the GDPR applies to you regardless of where your business is located.
Do I need to ask my existing subscribers to opt in again under the GDPR?
Not necessarily. If you originally collected consent in a way that already meets GDPR requirements, that consent remains valid. Review your historical consent records and only re-obtain consent where the original method falls short of the GDPR's conditions.
How long do I have to respond to a data subject request?
You generally have one month to fulfil a request, though the GDPR allows extensions in certain circumstances.
What is the difference between a data controller and a data processor under the GDPR?
The controller decides why and how personal data is processed, that is typically you as the email marketer. The processor handles data on the controller's behalf, that is TouchBasePro when you send emails through the platform.