Yet another blog post about GDPR


Author: James Greenwood — Read time: 9 mins

I know, I know. It’s boring.

But if you think it’s boring having to read about it, try researching the topic to be able to write and advise about it.

There are tons of articles on the GDPR changes — some are dry and factual and some are scary-clickbait pieces.

All, without exception, are a bit boring.

So having said that, here’s the Strawberry Guide to GDPR #HopefullyNotBoring

Go on, then — I’m reading. What is it?

Let’s assume you’re new to the topic and start at the beginning…

The General Data Protection Regulation (GDPR) is a European Union (EU) privacy law that will affect businesses around the world when it becomes enforceable on May 25, 2018.


I know. But GDPR will affect every company that uses personal data from EU citizens.

Personal data is any piece of data that, used alone or with other data, could identify a person.

So if you collect, change, transmit, erase, or otherwise use or store the personal data of EU citizens, you’ll need to comply with the GDPR.

If you’re the customer of an agency like ours, you’re more than likely collecting email addresses and sending email to subscribers in the EU.

There may well be other areas of your business where this impacts, but we’ll focus on email for now.

When does it kick in?

25th May 2018.

I mentioned that above in the boring definition bit. Keep up!

Taps nose, wink-wink. But does it really kick in then?

Ahhhh, a rule-breaker, eh?

We remember the “cookie law” nonsense, too. The old “Let’s just ignore it and it’ll go away” tactic?

Yeah, that’s not going to work this time.

Non-compliance with GDPR can lead to fines of up to €20 million or 4% of total global annual turnover (whichever is higher).

But who is going to come and knock on the door?

Will you actually be fined those types of numbers?

Clearly, there won’t be enough bandwidth to go after everyone. But if a fair few of your customers report you to the ‘GDPR rozzers’, you might get your collar felt.

The ‘police’ in this case will be the ICO, and this article gives good insight into the fines that have been given even before GDPR arrives.

As a business, showing a knowledge of GDPR will at least be well received, with an acknowledgement that fines will be lower if some effort has been made.

Probably (and perhaps more realistically for smaller businesses), you could lose access to tools you rely on if you don’t comply. More on that later.

OK. I want to play ball. Tell me more.

GDPR touches several aspects of email marketing, especially how marketers seek, collect, and record consent.

As of May, marketers will only be allowed to send email to people who’ve opted in to receive messages.

Now you’ll need to collect “affirmative consent” that is “freely given, specific, informed and unambiguous” to be compliant with GDPR.

Have you got a pre-ticked box on your website? Stop. Because GDPR clarifies that “silence, pre-ticked boxes or inactivity” is not adequate.

Also, the signup process must give information about the purposes of collecting personal data.

So, if you use an individual’s data to determine what other offers you might send to them (a simple example), you’re obliged to tell the person that at the point of signup.

When you add it all together, many of the ways marketers have used to grow their email database have just been snookered.

Urgh. That sounds a right pain. I’ve built my data up over many years of hard work!

Think like a consumer for a moment.

You probably get a bit pissed off when companies send you stuff you didn’t ask for. So you could argue that these rules are overdue.

Even if you’ve behaved perfectly, we all know of other businesses who haven’t been quite so well behaved.

Any other pain points?


GDPR sets rules for how to collect consent as we’ve just discussed, but also requires companies to keep a record of that consent.

The Information Commissioner’s Office of the UK (ICO) has provided a comprehensive guide to consent under GDPR.

Have fun. It’s too big a topic for this simple blog post.

Righto. I’ll update my processes so I’m a good data citizen and move on to something more interesting.

Hang on.

You may need to re-onboard your full email list. The GDPR covers retro-data too.

It’s not a case of claiming your existing data fell before May and moving on.

ALL of my old data?


If you’ve collected addresses previously in a manner not befitting GDPR, you need to get that person’s consent.

Oh, FFS. What do I do now?

Hard to say exactly as your business will be different to the next.

But you definitely need to have a look at your data collection processes against the above information.

It might be that you’ve been collecting data in a manner that is OK against the changes being brought in. We doubt it though. It’s pretty stringent.

You also need to check the statements of any underlying tools you use (I promised earlier we’d return to this).

For example, MailChimp have this post on their site.

Shopify, too.

In the short term, services like these are far more likely to be the ones who can have an impact on your business.

If you don’t play by their rules (and their rules will be GDPR-led), they’ll cease your service. And that could be just as painful as a fine if you depend on them.

Do I need to update my privacy policy or change the disclosures I make to my customers?

Your privacy policy needs to be very clear about how you are capturing data, where you are going to store it, how long you intend to keep it for, how people can view their data and, finally, how they might go about having their data removed.

What about those cookie & privacy popup notice thingies?

What cookies are stored should be detailed in your privacy policy along with what they will be used for, e.g. Google Analytics for performance measurement. We’d recommend a cookie notice or banner when visitors first arrive on your website that highlights the use of cookies and how the user can grant or remove consent.

I’m using a few tracking codes too — what’s the story there?

You may be using software that provides you with a tracking code to embed on your site, so that it can provide you with identifiable details of your visitors. This is different to the anonymous data that can be found in Google Analytics. You will need to make sure that any IP tracking you do is also stated in your privacy policy, as IP addresses are classed as ‘personal data’.

I’ve read about being able to opt out?

It must be as simple a process to remove a user’s consent as it was to grant it, and individuals always need to know they have the right to withdraw their consent. In terms of your web user experience, this means providing a way of unsubscribing on your email marketing and also providing a link via your website – this may be best placed in your website’s privacy policy.

I probably should be asking lots of other questions too?!?

Yeah, here’s a few for you to think about:

If you’re using third party applications, do they comply with GDPR?

Do you need to appoint a Data Protection Officer?

Do you need to start conducting documented Data Protection Impact Assessments?

Do you need consent from your customers and do you need to change how you obtain consent?

Will you be able to comply with the right to access, correct, erase, and export their data?

All of those are questions — we’re not giving you actual advice, here. #NotLawyers

Review your processes and if you need to do it, get going now.

You’re going to be on the end of a fair few as an individual so now’s the time to do it — while it’s in the minds of the consumer.

Manchester United went to the lengths of advertising their campaign around their pitch for several minutes in their live televised game against Chelsea.

They’ve done a great job of reminding the consumer of the benefits.

But people might not sign up again?

Yes, it might mean your data pools shrink. But that was probably a vanity number anyway.

This way, at least you’ll have a list of people who want to hear from you. And that’ll probably make your email marketing more successful.

Equally, there’s good and bad ways of handling any re-permissioning — a good campaign can see more data ‘saved’ than a poorly executed campaign.

Thanks, I was having a nice day until I read this.

Soz. Don’t shoot the messengers.

But do get sorted before May 25th.
