Are You GDPR Ready? What Marketers Need to Know


You may have heard rumblings about some big changes coming to the way we do marketing…a little something called GDPR.

But if you’re like many business owners, you may only have a vague idea of what the GDPR is and what it means for your business.

I’m going to demystify the GDPR “law” for you, by telling you exactly what it is, and how you can make sure you’re in compliance with it.

Don’t think this new law applies to you? Think again! If you have even ONE European resident as a customer or email subscriber, it most certainly applies to you…and failing to comply could cost you BIG TIME!


What is the GDPR?

GDPR stands for The General Data Protection Regulation.

Approved by the EU Parliament in 2016, it’s a privacy regulation meant to provide better protection for the personal information of EU residents.

All businesses – worldwide – are expected to be GDPR compliant by May 25, 2018.


Simply put, the goal behind the GDPR is to ensure that companies collect and store personal information in a way that provides the utmost protection for individuals.

This “personal information” can include a number of different types of data including:

  • Email addresses
  • Names
  • Photos
  • Bank info
  • Social media posts
  • Medical information
  • Computer IP addresses

In light of the recent Cambridge Analytica/Facebook scandal, I’m sure you can understand the importance of protecting this type of information!

So, why should this concern you…especially if you don’t even live in the EU?

Well, as already mentioned, if you hold the personal data of even ONE EU resident, you need to comply with the GDPR.

And even though this regulation doesn’t come into effect until May 25, it applies retroactively – meaning it also applies to anyone from the EU who joined your list in the past (and who is still on your list).


Thinking of just ignoring these new regulations?

Not a good idea!

The consequences for not being compliant aren’t exactly nominal: with fines of up to €20 million for more serious offenses, and 2% of annual global turnover (sales) for offenses like not having your records in order or not notifying the authorities of a breach, this is nothing to sneeze at!

How to make sure you’re GDPR compliant

These impending changes will apply largely to the way you do email marketing.

Since this is the primary way businesses communicate with customers and ask for personal information, this only makes sense.

For that reason, this section will look at the main ways to ensure you’re collecting, storing and protecting your email subscribers’ information.

*Please keep in mind that I’m definitely NOT a lawyer or data protection expert, and this blog post should not be taken as legal advice! If you have any questions or concerns about how to comply with the GDPR, please consult a local expert.

1. Make it VERY clear what people are signing up for

One of the biggest concepts of the GDPR is consent – do your subscribers really know what they’re signing up for?

When asking for an email address, be extremely clear about asking for consent – not just consent to send them a free guide, ebook, etc. but also consent to continue emailing them in future.

It’s also no longer okay to simply include a pre-checked box – you know the kind that requires the person to UNCHECK it in order NOT to be sent emails?

Instead, your subscribers will need to consciously, clearly and intentionally request to join your list and receive emails from you.

You’ll also need to get permission if you want to send different TYPES of email to your subscribers; for instance, if a customer has given you their email address so you can contact them about product recalls, you can’t turn around and suddenly start sending them promotional emails!

Action item: On your email opt-in forms, include wording that makes it clear what people are signing up for. If you’re offering a free product in exchange for the email, include a (NOT pre-checked) checkbox asking if they would also like to receive regular marketing emails from your company. It’s no longer enough to simply use wording like, “By entering your email you agree to receive my guide and regular emails”.

2. Don’t ask for more info than you need

As a business owner or marketer, it can be tempting to ask for a wide variety of information in order to improve your marketing efforts.

However, the GDPR stipulates that businesses should only ask for the info they actually need.

In other words, if you’re in the personal finance business and are asking people for their favorite movie or their dog’s name, you’re probably asking for too much info!

Action item: Review the fields you currently include on your opt-in forms and ask yourself if they’re all really necessary. If you can’t easily justify why you ask for a specific piece of info, it’s probably best not to ask for it at all.

3. Make it easy for your subscribers to change or delete their info

One of the elements of the GDPR is the “right to be forgotten”. This means your subscribers should easily be able to withdraw their consent or stop having their personal information used.

Once they unsubscribe, it’s also important that their info is removed from any third party vendors you use (e.g., Stripe), OR, that you clearly state that you’re not responsible for what happens after people leave your site in your privacy policy.

Action item: Make sure your emails include a clear and working “Unsubscribe” and “Edit your preferences” link or button. Fortunately, most email marketing services already require this and include them by default in their templates. Add a clause to your privacy policy stating that you’re not responsible for what happens after people leave your site.

4. Never, ever, ever email people who have unsubscribed from your list!

While this may seem like common sense, some companies have used what they thought was a loophole to continue connecting with those who have unsubscribed – by emailing them and asking them if they would like to receive future emails.

This is a HUGE no-no – not just in terms of the GDPR but in terms of respecting your subscribers’ wishes!

Action item: If someone has opted out of your list, do not, for any reason, email them again (unless of course they explicitly ask to re-join your list at some point). Make sure to also DELETE those people from your list…as some email providers (e.g., AWeber) will only move those emails to a separate unsubscribed list.

5. Use a double opt-in process when collecting emails

This has always been considered a best practice, but in light of the GDPR it’s probably best to now consider it a must-have.

When someone signs up for your list, most email marketing services give you two options: going through a single opt-in or double opt-in process.

The single opt-in means that the person enters their email, and that’s that – they’re now signed up to receive future mailings.

The double opt-in, on the other hand, means that after entering their email, they also need to click a confirmation link in an email to confirm they want to receive your emails.

Action item: Go to the settings in your email marketing software and make sure you’ve selected the double opt-in process.

6. Keep records of people’s consent

If you’re using a double opt-in process to collect emails, this is a great start.

But what if you occasionally collect emails at live events, conferences or tradeshows?

Simple: just make sure you keep the original records where people ask to be added to your email list!

Another element of keeping compliant records will be to keep a record of how each person on your list signed up (a data flow map).

Basically, you just need to be able to prove how each person on your list got onto your list!

Action item: If you’re adding new subscribers manually for any reason, keep a spreadsheet or flowchart showing exactly how they opted in to your list. If you’re collecting emails at a live event, make sure to have and keep a document where your subscribers have physically signed up to be added to your list.
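The double opt-in and consent-record steps above (items 5 and 6), together with the unchecked marketing box from item 1 and the never-email-an-opt-out rule from item 4, as an added Python sketch that is not from this post or from any email provider; the signing key, the record field names and the 24-hour link expiry are assumptions:

```python
import hashlib
import hmac
import secrets
import time

# Deployment-specific signing key for confirmation links (assumed; keep it secret).
SECRET_KEY = secrets.token_bytes(32)

def _digest(email):
    return hashlib.sha256(email.lower().encode()).hexdigest()

class SubscriberList:
    def __init__(self):
        self.pending = {}        # email -> consent record awaiting the confirmation click
        self.confirmed = {}      # email -> confirmed consent record (the mailing list)
        self.suppressed = set()  # digests of unsubscribed addresses: never emailed again

    def _token(self, email, requested_at):
        # HMAC over address and request time: only the holder of the key can mint a link.
        msg = f"{email.lower()}|{requested_at}".encode()
        return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

    def request_signup(self, email, source, form_version, marketing_box_checked):
        """Step 1 of double opt-in: returns the token to put in the confirmation link."""
        if not marketing_box_checked:           # item 1: an unchecked box is not consent
            return None
        if _digest(email) in self.suppressed:   # item 4: never re-contact an opt-out
            return None
        requested_at = int(time.time())
        self.pending[email] = {"source": source, "form_version": form_version,
                               "requested_at": requested_at}
        return self._token(email, requested_at)

    def confirm(self, email, token, max_age_s=24 * 3600):
        rec = self.pending.get(email)
        if rec is None or not hmac.compare_digest(token, self._token(email, rec["requested_at"])):
            return False                                   # unknown address or forged link
        if time.time() - rec["requested_at"] > max_age_s:  # stale link (24 h is assumed)
            return False
        rec["confirmed_at"] = int(time.time())             # item 6: when consent was given
        self.confirmed[email] = self.pending.pop(email)
        return True

    def unsubscribe(self, email):
        self.pending.pop(email, None)
        self.confirmed.pop(email, None)                    # item 4: delete, don't just park
        self.suppressed.add(_digest(email))                # keep only a hash so the opt-out sticks

    def may_email(self, email):
        return email in self.confirmed and _digest(email) not in self.suppressed
```

The confirmed record (source, form version, request and confirmation times) is the "data flow map" entry you can show for each subscriber; the suppression set holds only a hash so an address can be deleted yet still never be re-added by a manual import.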

7. Include a clear link to your privacy policy or terms of use

When people opt in to your list, there should be an obvious link to your privacy policy or terms of use that they can click for more info.

Basically this page should explain how you plan to use their personal data, how you plan to protect that data, who will be able to view that data, etc.

You should also know how your vendors or service providers (e.g., Stripe, PayPal) are using that data…OR ELSE include a disclaimer that you aren’t responsible for what happens when people leave your site.

Finally, your privacy policy should clearly explain who you are, why you have the right to use their data (because they opted in), and that people have the right to complain to the ICO if there’s an issue with the way you’re handling their data.

Link to this page on every page of your website, especially on pages where people are sharing their email or other personal information – like any landing pages or sales pages.

Action item: Include a clear link to your email privacy policy or terms of use on your opt-in forms, website, as well as on the emails you send out to your list. If possible include a tick box that people can check to say they’ve read your policy. Make sure your privacy policy is written in clear language, and covers everything listed above. Here’s a good overview of what your email privacy policy should look like. Consult your lawyer for more info on this!

8. Make sure your website is switched to HTTPS

Having a secure website (HTTPS versus HTTP) is super important in terms of SEO (search engine optimization); and in light of the GDPR, it’s become a must-have for data security as well.

Switching your site to HTTPS isn’t overly complicated, and ensures your site not only ranks well in the search engines, but that the personal data people submit through your forms is encrypted while it travels between their browser and your server, rather than being readable by anyone on the network in between.

Action item: Ask your web host to help you make this switch or do it yourself if you know how. Most provide a simple way to do this through your web hosting control panel. Keep in mind you’ll also need to make sure Google knows you’ve made this switch or you could suffer from a major drop in your search rankings!

9. Write down your procedures

To comply with the GDPR, you should have a written record of the various policies and procedures you have in place related to how you collect and use personal data.

This includes:

  • How will you delete personal data?
  • How will you protect personal data?
  • What will you do if your email or website is hacked and personal data is compromised?

Action item: Create a simple document outlining your policies and procedures for each of the items above.

10. Make sure your email marketing service is GDPR compliant

Most of the big email providers are already working furiously on this (e.g., Ontraport, Convertkit, Send Lane, Active Campaign, AWeber, Kajabi, etc.).

However, not all email systems are, so it’s on YOU to make sure they have a compliant data processing agreement in place.

Also ensure you’re able to add a tick box to your opt-in forms!

Action item: Reach out to your email marketing service and inquire what they’re doing to prepare for the GDPR.

11. Remove contacts that don’t comply with the GDPR

After reading this post, you may have realized some mistakes you’ve made with your list in the past and yes, it does matter! Remember, this law is retroactive so previous email building tactics can be called on the carpet.

If this is the case, now’s the time (before May 25) to go into your email marketing software and remove contacts that weren’t collected appropriately.

Remember: These guidelines only apply to subscribers from the EU. BUT, if you’re not sure where your subscribers are located, you may need to ask them to opt in again.

Action item: If you know you’ve committed a big no-no in the past (like manually adding emails without getting permission first), I’d strongly suggest removing those emails from your list. And if you’re not sure whether you collected emails appropriately or not? Send an email to your entire list asking them to opt in again.

Final thoughts

I hope this post has taken some of the mystery out of the GDPR, and has set your mind at ease. While you shouldn’t get too stressed out about the impending changes, now IS the time to make sure you’ve covered all your bases…both in terms of fixing any mistakes you’ve made in the past, and ensuring you’re in compliance in the future.

Thoughts? Questions? Concerns? While I can’t provide legal advice, feel free to leave a comment below and I can point you in the right direction!


6 years ago

Thank you, Kim! Simple & concise instructions; much appreciated.

6 years ago

Thanks Kim, for simplifying this to me. I have had a hard time trying to figure how this relates to blog owners, for example. But you have clarified this for me. Thanks again!

Paul Towers
6 years ago

Hi Kim, This is the clearest post I have read on GDPR yet! Thanks for sharing and clearing up a lot of the questions I had on the process/requirements.

6 years ago

Thanks Kim, really helpful.

Staci Witten
6 years ago

Thank you, Kim! You’ve simplified this in easy to read terms! I especially appreciate the “action items.”

Shonali Burke
6 years ago

Completely agree on the clarity and helpfulness of this post, Kim. THANK YOU!

6 years ago

I agree with Paul! This is the clearest info I’ve read.
Thanks Kim!

Melinda Thomas
6 years ago

Kim, you’re amazing! I have been ignoring those GDPR notices! Thank you so much for helping me understand how it applies to me AND explain the actions I need to take. SUCH a HUGE help! Thank you!

6 years ago

Thanks Kim for this simple explanation of GDPR

Geoffrey Morris
5 years ago

Love this article! Really clear, and just making sense of everything.

Matt Pliszka
5 years ago

That’s a really useful to-do list.

Shane watsoon
3 years ago

Thank you for this information here
