
GDPR and email marketing

What is it?

GDPR is a new, EU-wide set of regulations that replace the current UK DPA regulations. The GDPR is largely based on the UK DPA and is, therefore, broadly similar in its scope and meaning. It has two key aspects:
  1. Data Protection - the protection of a subject's (your subscribers') data from access by unapproved third parties.
  2. Opt-in - the protection of a subject's data (email, telephone and postal address etc.) from being used without their prior consent.


GDPR came into force on the 25th May 2018.

Key Principles

GDPR defines two categories of organisation:
  1. Controller - This is the organisation (your company) that holds or owns the email marketing data and controls its use.
  2. Processor - This is the organisation (email blaster) that processes the data in accordance with instructions from the Controller.

What are the requirements of GDPR?

Contractual requirements

  1. GDPR requires a written contract to exist between the Controller and the Processor, agreed by both parties. email blaster's T&Cs represent such a contract between Controller and Processor.
  2. The Controller is obligated to employ the services of a Processor that is a GDPR-compliant organisation. Specifically, this means:

    1. The Processor must operate within the jurisdiction of the EU in accordance with EU laws and regulations regarding email marketing. This will usually require the Processor to be registered (in part or in whole) for trade within the EU.
    2. The Processor must be able to show, if requested, that it visibly complies with the data protection requirements set out in GDPR (see later).
    3. The Processor must not subcontract any part of the data processing to a third party without the consent of the Controller.
  3. The Controller is in breach of GDPR if it employs the services of a Processor that is not GDPR compliant - email blaster is GDPR compliant.

How does GDPR relate to email marketing?

GDPR now requires that all of your subscribers have agreed to receive your email marketing via a POSITIVE OPT-IN. Positive opt-in is defined as:
  1. The subject agreed to opt in by a positive action - ticking a box is sufficient. Pre-selected subscribe boxes (soft opt-in) are no longer lawful.
  2. The subject has been made aware of what they are opting in to, i.e. who is permitted to send them emails. If this includes any third party (as is the case with a purchased list) it must have been made clear at the opt-in stage.
  3. As a Processor, email blaster is legally bound to require a Controller to affirm that their email list has been obtained by a POSITIVE OPT-IN process.
  4. In email blaster's contract, there is a requirement for the Controller to positively affirm that their list meets the POSITIVE OPT-IN requirement.

GDPR compliance checklist

  1. Positive opt-in data capture - If you use a sign-up form with a checkbox to obtain consent from your customers, make sure that the box is unchecked; your recipients need to manually tick the box to be added.
  2. Include an explanation of use - When a customer agrees to join your mailing list, include a statement that details what they are signing up for and the estimated frequency of emails that they will receive.
  3. Right to forget - When a contact asks to be removed from your future mailings, it is required that they are deleted from all data that you may hold.
  4. Always use double opt-in - GDPR requires that you keep a record of when and how your customers opted in to receive your emails. If you use a double opt-in form, the recipients will be required to reply to an email to join; this then creates a record of their opt-in.
  5. Hire or appoint a DPO - GDPR requires that your company has a named DPO (Data Protection Officer). This person can be an existing member of staff.
  6. Create a data protection plan - Most companies already have a plan in place, but they will need to review and update it to ensure that it aligns with GDPR requirements.
  7. Conduct a risk assessment - This relates to any data that you may store on EU citizens and understanding the risks around it. The risk assessment must also outline measures taken to mitigate that risk.
  8. Set up a process for ongoing assessment - To ensure that your company remains compliant, schedule and conduct regular risk assessments, making continuous improvements.
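Checklist items 1, 3 and 4 describe a process rather than code, so the following is an added illustration, not email blaster's own software: a minimal double opt-in consent ledger that refuses a pre-ticked box, records when and how each subscriber opted in, treats an address as mailable only after the confirmation link is used, and erases the record outright on a right-to-forget request. The class and method names, the token handling and the sample addresses are all constructed for this example.

```python
"""Added example: a double opt-in consent ledger (constructed, not the page's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass
class ConsentRecord:
    email: str
    source: str            # where the address was captured, e.g. "website signup form"
    purpose: str           # what the subscriber was told they are signing up for
    requested_at: datetime
    confirmed_at: Optional[datetime] = None
    token_hash: Optional[str] = None  # only a hash of the one-time token is kept

    @property
    def confirmed(self) -> bool:
        return self.confirmed_at is not None


class ConsentLedger:
    """In-memory stand-in for the subscriber database (constructed for the example)."""

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def request_subscription(self, email: str, source: str, purpose: str,
                             checkbox_ticked: bool) -> Optional[str]:
        """Step 1: the sign-up form is submitted. The caller passes the subscriber's
        own action; a box that was never ticked is not consent, so nothing is stored.
        Returns the confirmation token to embed in the verification email."""
        if not checkbox_ticked:
            return None
        token = secrets.token_urlsafe(32)
        key = email.lower()
        self._records[key] = ConsentRecord(
            email=key, source=source, purpose=purpose,
            requested_at=datetime.now(timezone.utc),
            token_hash=hashlib.sha256(token.encode()).hexdigest(),
        )
        return token

    def confirm(self, email: str, token: str) -> bool:
        """Step 2: the subscriber follows the link in the confirmation email.
        Only a valid, unused token turns the pending record into an opt-in."""
        rec = self._records.get(email.lower())
        if rec is None or rec.token_hash is None:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, rec.token_hash):
            return False
        rec.confirmed_at = datetime.now(timezone.utc)
        rec.token_hash = None  # single use: the same link cannot confirm twice
        return True

    def may_send_to(self, email: str) -> bool:
        """Sending is allowed only for confirmed records, never for pending ones."""
        rec = self._records.get(email.lower())
        return rec is not None and rec.confirmed

    def forget(self, email: str) -> bool:
        """Right to forget: delete the record rather than flagging it as unsubscribed."""
        return self._records.pop(email.lower(), None) is not None

    def evidence(self, email: str) -> Optional[dict]:
        """The 'when and how' record a Controller can produce on request."""
        rec = self._records.get(email.lower())
        if rec is None or not rec.confirmed:
            return None
        return {"email": rec.email, "source": rec.source, "purpose": rec.purpose,
                "requested_at": rec.requested_at.isoformat(),
                "confirmed_at": rec.confirmed_at.isoformat()}


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed walkthrough with a reserved example.com address.
    tok = ledger.request_subscription("reader@example.com", "website signup form",
                                      "monthly newsletter", checkbox_ticked=True)
    print("mailable before confirm:", ledger.may_send_to("reader@example.com"))
    ledger.confirm("reader@example.com", tok)
    print("mailable after confirm:", ledger.may_send_to("reader@example.com"))
    print("evidence:", ledger.evidence("reader@example.com"))
    ledger.forget("reader@example.com")
    print("mailable after forget:", ledger.may_send_to("reader@example.com"))
```

The record stores the capture source and the wording the subscriber saw (checklist item 2) alongside both timestamps, which is the evidence a Controller is asked to produce; the token itself is never stored, only its hash, so a copy of the database cannot be used to confirm addresses on someone's behalf.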
Address: Unit 10A, Burcote Wood Business Park, NN12 8TA
Email Blaster is a trading name of JC Peters Ltd, registered in England & Wales no. 07168254.
UK based servers.