How will GDPR impact email marketers?

Affecting every company collecting, processing and storing personal data from EU residents and citizens, the impact of the General Data Protection Regulation (GDPR) will be far-reaching. Marketing teams will likely be the first to be affected by these regulations as they are one of the main players when it comes to data processing in companies. Their data collection and processing strategies will have to be unambiguous and communicated to all users/subscribers. In other words, it will be prohibited to collect and use the email address of a consumer, without his or her agreement.

Recent research from the Direct Marketing Association (DMA) indicates that the majority (96 percent) of marketers are aware of the upcoming GDPR legislation and almost three quarters (72 percent) feel prepared, but sentiment about the impact of the new rules on email marketing programmes is split – with 36 percent feeling positive and 43 percent taking a more pessimistic approach.

Consent will be key

Key concerns from marketers worried about the negative impact of GDPR focused around consent, however it’s worth noting that consent represents only one of several legal bases under which personal data may be processed under GDPR. Other bases include: legitimate interest; contractual obligation; legal obligation; vital interest; and to administer justice. Furthermore, email marketers also need to be aware that they’re still governed by legislation specific to their own industry – PECR and ePrivacy in the future, for example – and that GDPR does not replace the requirements of these laws, unless it sets a higher standard.

Some marketers are intending to rely on legitimate interest, with article 47 of GDPR stating “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. However, marketers will also need to apply a series of tests around “necessity” and “balance of interest” to prove that a legitimate interest genuinely exists. They will also need to ensure they remain compliant with PECR/ePrivacy as described above.

Most marketers, therefore, are still going to have to rely on consent for their data processing activities. GDPR has set the bar high for consent, which will have a huge impact on the industry. Transparency will be enforced as companies will be required to give customers choice and control over how their data is handled. Under GDPR, key requirements for consent are that it is unbundled, granular, requires a positive response, names third parties and gives recipients the power to revoke consent at any time. Marketers will need to have a complete understanding of how they collect personal data, how it is stored and how it flows throughout their infrastructure.

It will also not just impact European markets. Whether you are a European head-quartered company, an overseas firm with offices and customers in Europe, or even if you simply have EU nationals in your marketing database, you will need to adopt new practices to ensure full compliance with this regulation.

Heavy penalties

Failure to meet these regulations could potentially be devastating. Not only will poor data handling reflect badly on the company and its reputation, but regulators will be within their rights to award eye-watering fines of up to 4 percent of a company’s annual turnover or €20m, whichever is higher. The Information Commissioner’s Office (ICO) is cracking down on poor data protection and will likely make examples of brands that are identified as being non-compliant. Last year, the ICO fined Honda, Morrisons and Flybe £93,500 in total for the poor handling of people’s personal data. While not GDPR related, the ICO is clearly intent on ensuring businesses manage people’s data appropriately. Its primary objective is to educate and inform, however they will impose financial penalties on companies that still fail to adhere to these regulations; some of which could be business-changing.

To guarantee compliance, many businesses are now appointing a Data Protection Officer (DPO). In the past, it’s been fair to say that many organisations have not applied enough rigour in their approach to data protection, but it’s likely those with particularly sensitive data – public sector organisations, for example – will feel obliged to appoint a properly trained DPO.  A DPO would be responsible for informing and advising the person in charge of data processing, as well as monitoring the company’s compliance with the new regulation.

There’s no doubt about it, marketers’ jobs are going to be heavily impacted by regulations this year. They will need to ensure they are as open as possible to customers about how and why they are collecting personal data and give them the choice of opting out. It will no longer be acceptable to send marketing materials to an email address that was provided when a customer downloaded a whitepaper without first obtaining explicit and unambiguous consent to do so. GDPR is bringing the questions of trust to the fore; customers will have greater say and insight into how their data is managed, which will ultimately improve trust and build relationships with brands. Being explicit – and being able to show proof of this transparency and consent – will be key.


By Guy Hanson, senior director, professional services, Return Path

GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at