Join Free

GDPR and email marketing

Everything you need to know

GDPR (General Data Protection Regulation) came into effect in May 2018, orignated by the EU, it has now been adopted into UK law. GDPR regulates the way the that a business collects, uses and stores their contact's private information.

If you are looking to get into email marketing, or are already a user of email marketing software, then this section will give you everything you need to be fully compliant.

GDPR in 2022

Since the launch of GDPR in May 2018, the main change that has taken place is that the U.K has left European Union (E.U), this happened at the end of January in 2021. Whilst GDPR is a European Law, the U.K had already decided to adopt it into domestic law. This means that U.K businesses continue to be required to observe and follow GDPR.

Now that GDPR has been in existence for three years, it has become quite established. There are lots of companies that have been offering compliance training for U.K businesses. This formal training has been incredibly effective in helping U.K businesses understand how to become fully compliant.

When GDPR was originally passed into law, it prohibited email marketing activities to businesses and consumers if the recipient had not followed a positive opt-in process to receive your emails. Very early on in the life of GDPR, the DMA (Data and Marketing Association) successfully lobbied to have the law changed for B2B email marketing activities. This means that GDPR now confirms that it is legal to send out email marketing to cold business email addresses that have not asked to receive your emails. This is termed as 'Legitimate Interests' in GDPR.

Important Note

Whilst GDPR now says that it is perfectly legal to send out cold emails (either from publically available information or third party purchased data), email marketing software, such as Email Blaster and others will prohibit this kind of activity.

Commercial email marketing software suppliers, such as Email Blaster choose to follow the original intentions of GDPR as unsolicited emails can and often do result in domain and sender reputation damage both for service supplier and client. It's very common indeed for spam filtering organisations to black-list companies sending out unsolicited emails (or spam as it is often referred to as).

GDPR in a nutshell

What is it?

GDPR is a new, EU wide set of regulations that replace the current UK DPA regulations. The GDPR is largely based on the UK DPA and is, therefore, broadly similar in its scope and meaning. It has two key aspects;
  1. Data Protection - the protection of a subject’s (your subscribers) data from access by unapproved third parties.
  2. Opt-in - the protection of subject's data (email, telephone and postal address etc) being used without their prior consent.


GDPR came into force on the 25th May 2018.

Key Principles

GDPR defines two categories of organisation;
  1. Controller - This is the organisation (your company) that holds or owns the email marketing data and controls it's use.
  2. Processor - This is the organisation (email blaster) that processes the data in accordance with instructions from the Controller.

What are the requirements of GDPR?

Contractual requirements

  1. GDPR requires a written contract to exist between the Controller and the Processor, agreed by both parties. email blaster’s T&C’s represent such a contract between Controller and Processor.
  2. The Controller is obligated to employ the services of a Processor who is a GDPR compliant organisation. Specifically, this means;

    1. Processor must operate within the jurisdiction of the EU in accordance with EU laws and regulations regarding email marketing. It will usually require the Processor to be registered (in part or in whole) for trade within the EU.
    2. Processor must be able to show, if requested, that it visibly complies with the data protection requirements set out in GDPR (see later).
    3. Processor must not sub contract any part of the data processing to a third party without the consent of the controller.
  3. Controller is in breach of GDPR if it employs the services of a Processor that is not GDPR compliant - email blaster is GDPR compliant.

Who regulates GDPR in the UK?

Since May 2018, up until the UK was no longer a member state of the EU, regulating and enforcing GDPR was handled centrally by the E.U. When the UK left the European Union in January 2021, these duties then passed to the UK's domestic governing body; The ICO (Information Commissioner's Office).

The ICO is an independent authority, which was set up to uphold UK citizen's information rights, promoting openness by public bodies and upholding data privacy for individuals. The ICO covers many types of legislation, all relating to protecting and governing the way that UK citizen's private data is collected, stored and used. These include The Data Protection Act, Privacy and Electronic Communications Regulations, Freedom of Information Act and NHS Regulations.

Penalties for breaching GDPR

The UK has retained the guidelines as defined in the original EU legislation regarding the penalties and fines that can be imposed for a breach of GDPR. Failing to comply with the requirements of GDPR carry some pretty hefty penalties. A company or organisation found to be in breach of GDPR can be fined up to 20 million euros or 4% of their annual global turnover.

The ICO is able to fine any amount that is deemed appropriate, up to a cap of 20 million euros (or the sterling equivalent). Fines have been imposed on companies in breach of GDPR quite frequently over the last few years, these have mainly been for sending unsolicited direct marketing to consumers.

Probably the most high profile case over the last few years was the one successfully pursued by the ICO against Cambridge Analytica for a breach of GDPR, who were accused of the misuse of the personal data of 87 million people.

How does GDPR relate to email marketing?

GDPR now requires that all of your subscribers have agreed to receive your email marketing via a POSITIVE OPT-IN. Positive opt-in is defined as;
  1. Subject agreed to opt-in by a positive action - ticking a box is sufficient. Pre-selected subscribe boxes (soft opt-in) are no longer lawful.
  2. Subject has been made aware what they are opting in to, i.e who is permitted to send them emails. If it is any third party (such as is the case with a purchased list) this must have been made clear at the opt-in stage.
  3. As a Processor, email blaster is legally bound to require a Controller to affirm that their email list has been obtained by a POSITIVE OPT-IN process.
  4. In email blaster’s contract, there is the requirement for the Controller to positively affirm that their list meets the POSITIVE OPT-IN requirement.

GDPR compliance checklist

  1. check_circle Positive opt in data capture - If you use a sign up form with a checkbox to obtain consent from your customers, make sure that the box is unchecked, your recipients need to manually tick the box to be added.
  2. check_circle Include an explanation of use - When a customer agrees to join your mailing list, include a statement that details what they are signing up for and the estimated frequency of emails that they will receive.
  3. check_circle Right to forget - When a contact asks to be removed from your future mailings, it is required that they are deleted from all data that you may hold.
  4. check_circle Always use double opt-in - GDPR requires that you keep a record of when and how your customers opted in to receive your emails. If you use a double opt-in form, the recipients will be required to reply to an email to join, this then creates a record of their opt-in.
  5. check_circle Hire or appoint a DPO - GDPR requires that your company has a named DPO (Data Protection Officer). This person can be an existing member of staff.
  6. check_circle Create a data protection plan - Most companies already have a plan in place, but they will need to review and update it to ensure that it aligns with GDPR requirements.
  7. check_circle Conduct a risk assessment - This relates to any data that you may store on EU citizens and understanding the risks around it. The risk assessment must also outline measures taken to mitigate that risk.
  8. check_circle Set up a process for ongoing assessment - To ensure that your company remains compliant, schedule and conduct regular risk assessments, making continuous improvements.
Let's get started.
Join Free
Give us a call
Let's go
Where? Unit 10A
Burcote Wood Business Park
NN12 8TA
Email Blaster is a trading name of JC Peters Ltd registered in England & Wales no. 07168254
UK based servers.