GDPR – The Email Marketing Red Herring

— March 30, 2018

Have I got your attention? I’m going to say something else controversial, GDPR is not about email marketing! GDPR doesn’t cover email and the ICO doesn’t care how many times you email your data, once in the morning and once in the afternoon, once a day, once a week or once in a blue moon. It simply isn’t relevant. They don’t care when the last time a name on your email list opened an email, it isn’t in their remit. That’s right, GDPR is not about email marketing! It does reference the currently-under-review PECR but more as a make sure you also follow these regulations, which you should have been doing for years now. Now don’t get me wrong, anyone undertaking email marketing must adhere to the data processing principles outlined by GDPR and imho that is a good thing. However, GDPR is about processing personal data not email marketing!


OK so what is it about?


GDPR is about personal data, specifically, “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”. Confused? Exactly, GDPR is shrouded in confusion and mystery and as such has business running scared, particularly the threat of BIG FINES.


Now the ICO has a job to do in protecting people’s data rights but history suggests it carries out its job in a fair and business friendly manner. Sure, repeat offenders who deliberately flaunt the regulation and don’t try and get their house in order will face its wrath and rightly so but it’s a myth to say that the ICO will come after every business who is trying to follow the regulation with a big fine right off the bat. In fact in its series of blogs GDPR myths the ICO address this very issue stating the GDPR is about citizens not fines.


So when I say GDPR is about personal data and not email marketing I am only being slightly disingenuous. Not once in the GDPR regulations does it state the word email, but it does reference marketing and email does fall into this. However, as mentioned above in a more sensationalised way, the legislation is not about how many times you email your data, or when you decide to remove people from your list or whether data that hasn’t opened an email for x, y or z months should be removed. These things are actually business decisions and fall under best practice not GDPR compliance.


Under GDPR you must have a valid lawful basis in order to process personal data and the GDPR regulation clearly states that not one of the six lawful bases is better or more important than the others. However, most lawful bases will require that processing is necessary. If you can reasonably achieve the same purpose without processing then you wont have a legal basis. So if we relate that to email marketing the capture and processing of email addresses is essential for the purpose. That being said it then comes down to your lawful basis for processing that data and for this I will copy and paste directly from the guide to the general data protection regulation GDPR document.


What are the lawful bases for processing?


“The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:



  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

So in conclusion if you wish to continue with your email marketing program under GDPR you either need consent or legitimate interest. Consent is specific consent, not bundled in with other offers, warranties, discounts, member clubs etc.. The act of consent needs to be specified not pre ticked and the user must know what they are getting into. Legitimate interest is where the recipient could reasonably expect you to process their data for email marketing purposes when they gave it to you and the act of email marketing doesn’t violate any individual personal data interests. Please don’t take this the wrong way, I am not saying that GDPR and how you process data isn’t important. I think it is of paramount importance, not only to stay the right side of GDPR but for best practice. What I am saying is GDPR is important across the board and not specifically for email marketers.


Legal Waiver


I would like to point out that this is not legal advice, before undertaking any personal data processing please seek your own legal counsel.

Digital & Social Articles on Business 2 Community

(72)