GDPR & Email Marketing: What We Know

Posted by: Stafford Sumner


From conversations I’ve had over the last few months I know people are, at best, confused, and at worst, worried about what GDPR means for them and their business.

For those of you who unsure of what the GDPR is, here’s some quick background information for you. On May 25, 2018 the new General Data Protection Regulations (GDPR) will come into force. It’s a move that will make companies be more accountable for the data they hold.

The regulations themselves have been designed to supercede the Data Protection Act (DPA) of 1998, which was created long before we witnessed the data revolution sparked by the internet reaching the masses. The DPA has rapidly become outdated, unfit for purpose and unable to cope with technological development. As such, the aim of GDPR is to give individuals more control over their personal information as well as simplifying and modernising the protection of data.

Put simply, GDPR is a far reaching set of regulations and, while I can’t comment on the wider subject (which covers everything from medical records to financial information), or give legal advice, I can give you our take on the incoming regulations and how it’s going to affect email marketing as of May 2018.


From our point of view, GDPR should be welcomed and not feared. It’s building on the current regulations (including the Data Protection Act and the Privacy and Electronic Communications Regulations) and bringing more clarity to what one can and can’t do with data.

If you’re following best practice at the moment, there will be changes, but not as many there might be if you’re sailing close to (or beyond) the wind.

Just a point to note, the ICO (Information Commissioner’s Office) who are responsible for GDPR in the UK, as of 28/07/17, has not yet published its final interpretation of the regulations for email marketing following the recent consultation period, so I’ll tell you what we know, and we’ll release a follow up article to this once we know more.

It’s also important to remember, every organisation is different – there’s no single, simple way of becoming compliant. We do recommend though, that before the final interpretations are published, audit your data. Find out where it’s stored, where it came from, what you use it for and how you use it. Whether that’s sign ups from your website, transactions from your ecommerce store or email addresses you’ve collected at a trade show, make sure you know what you’ve got and where it came from.


This is what do we know right now about how things will change after May 2018:

  • If you have a bought in list (from a data company), you’re going to have to stop using it by May 2018 unless you get the contacts on this list to opt-in in before then.
  • The same applies for any data you’ve collected from competitions, for example. If you’ve run a competition in conjunction with a partner, you will need to have been named at source where people are submitting their data in order to carry on using it.
  • There’s a grey area around the definition of ‘Current Customers.’ This will more than likely affect legacy data, and, if you’re data has ‘lapsed’ (for example, a subscriber has not opened one of your emails in the last year) then you’ll no longer be able to send communications to that recipient unless they choose to opt-in again

The key point here is to gather all of your data, find out what you have got, map it and then do an audit on where it came from when the interpretations are published. Once this is done, make a plan to update your privacy policies, re-opt-in your subscribers and ditch the no-no data.

Watch this space – we’ll keep you in the loop!

About the author

Stafford Sumner

An expert in developing businesses through email marketing, Stafford founded Jarrang in 2003, and since then has worked with hundreds of business across the globe helping them grow and succeed.