Email Marketing – GDPR Compliance and Privacy

The EU’s General Data Protection Regulation (GDPR) is a regulation rather than a directive, so it applies directly in every member state of the European Union without national implementing law; it has applied since 25th May 2018.

GDPR gives individuals in the EU (data subjects, not only EU citizens) more control over how organisations collect and use their personal data.

In addition, it sets out specific obligations for the businesses that process that data to safeguard it.

After the UK’s exit from the EU on 31st January 2020, the regulation was retained in domestic law as the UK GDPR, which applies from the end of the transition period (1st January 2021), is enforced by the ICO, and incorporates the EU GDPR’s guiding principles.

A key aspect of GDPR for email marketing is that, where you rely on consent as your lawful basis, that consent must be freely given, specific, informed and unambiguous: the individual must have actively agreed to receive electronic communications from you. In the UK, the PECR rules on electronic marketing apply alongside the UK GDPR.

Personal data must be “collected for specified, explicit and legitimate purposes”, so the purpose of the consent has to be stated at the point it is collected. Consent must also be demonstrable (i.e. you can prove how and when it was given and what the person was shown), and the individual must be able to withdraw it at any time, as easily as they gave it.

However, the GDPR concept of “legitimate interest” provides some flexibility where consent is not the appropriate lawful basis. An obvious example of legitimate interest is sending transactional emails about a customer’s purchase (order confirmations, dispatch notices), which are service messages rather than marketing.

Compliance with the UK GDPR is essential: the ICO can fine a business up to £17.5 million or 4% of annual global turnover, whichever is higher.



To minimise the risk of loss or theft of the personal data you hold, always consider who you are sharing it with and why they need it, whether internally within your organisation or externally with a supplier such as an ESP, and share only the fields the recipient actually needs.

Personal data should never be shared as a plain file: encrypt the file first, and send the password by a separate channel (a phone call or a messaging app, not the same email as the attachment).

Excel is often used to hold contact lists temporarily for email marketing. Protect such a file with File > Info > Protect Workbook > Encrypt with Password, which encrypts the whole file; the sheet and workbook “protect” options only stop editing and do not encrypt the data. Delete the working copy once the list has been loaded into your ESP.


  • Only send promotional emails to contacts who have given explicit consent to receive email from your organisation. Explicit consent is an affirmative action taken by an individual, such as ticking an opt-in box on a web registration form.
  • On any web registration form used to collect personal data, you must include specific and unambiguous details of what the individual is being asked to consent to.
  • Ensure that consent is demonstrable, i.e. capture when and where the individual consented and what they consented to (including the version of the wording they were shown).
  • Do NOT implement a passive opt-in on web registration forms. An opt-in box that is already ticked by default, or an opt-out box that the individual has to tick to refuse emails, are methods that are NOT compliant with GDPR, because neither involves a clear affirmative action.
  • Include a link in every email that allows recipients to unsubscribe with one click. Your ESP should process unsubscribes automatically, and reputable ESPs will refuse to send a campaign that does not include an unsubscribe link. Honour the request promptly and record when consent was withdrawn.
  • Ensure that any web registration form is served over HTTPS (a URL beginning https://) and posts to an HTTPS address, so that an individual’s data is encrypted in transit between their browser and your server. HTTPS protects data only in transit; stored lists still need the encryption and access controls described above.
  • Be careful where your data is stored. Using servers based in the USA may not be GDPR compliant. This is a complex area and many ESPs will argue that their USA based servers are GDPR compliant, but our belief at Hopewiser is that you should use European based servers to be safe. Under GDPR you can transfer personal data, if necessary, to countries that have been granted an adequacy decision without further safeguards. At the time of writing (February 2023) the EU list is: Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Japan, New Zealand, South Korea, Switzerland, the United Kingdom and Uruguay. Transfers to any other country, including the USA, need an appropriate safeguard such as standard contractual clauses (EU) or the International Data Transfer Agreement or Addendum (UK), together with a transfer risk assessment. Check the current ICO and European Commission lists, because adequacy decisions change.
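As an added example (not Hopewiser’s code, and not tied to any particular ESP), the following Python sketch shows one way to keep the evidence the list above calls for: a consent record that stores what the person agreed to, when, where and by what affirmative action; rejection of pre-ticked boxes and of forms not served over HTTPS; and a signed one-click unsubscribe token that withdraws consent without deleting the record. The company name, form field names, consent wording, sample submissions and signing key are all assumptions made for the example.

```python
"""Demonstrable consent records and one-click unsubscribe tokens.

Added example, not Hopewiser's code. Standard library only.
"""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Assumed server-side secret; in production it comes from a secrets store.
UNSUBSCRIBE_KEY = secrets.token_bytes(32)

# The exact wording shown beside the opt-in box, versioned so that a record
# can be tied to what the person actually read (wording is assumed).
CONSENT_TEXT_VERSION = "marketing-v3"
CONSENT_TEXT = ("Yes, email me product news and offers from Example Ltd. "
                "You can unsubscribe at any time.")


class ConsentError(ValueError):
    """Raised when a submission does not amount to valid consent."""


def record_consent(form_fields, form_default_checked, source_url, submitted_at=None):
    """Build a consent record from a submitted registration form.

    form_fields: dict of posted fields (e.g. {"email": ..., "marketing_opt_in": "on"}).
    form_default_checked: True if the opt-in box was pre-ticked in the form the
    server rendered; a pre-ticked box is not an affirmative action.
    source_url: the page the form was served from; must be HTTPS.
    """
    if form_default_checked:
        raise ConsentError("opt-in box was pre-ticked: consent not freely given")
    if form_fields.get("marketing_opt_in") != "on":
        raise ConsentError("no affirmative opt-in action recorded")
    if not source_url.startswith("https://"):
        raise ConsentError("consent must be captured over HTTPS")
    when = submitted_at or datetime.now(timezone.utc)
    return {
        "email": form_fields["email"].strip().lower(),
        "purpose": "marketing email",
        "consent_text_version": CONSENT_TEXT_VERSION,
        "consent_text": CONSENT_TEXT,
        "source": source_url,
        "action": "ticked an unticked opt-in box",
        "consented_at": when.isoformat(),
        "withdrawn_at": None,
    }


def consent_rejected(form_fields, form_default_checked, source_url):
    """True if record_consent would refuse this submission."""
    try:
        record_consent(form_fields, form_default_checked, source_url)
        return False
    except ConsentError:
        return True


def unsubscribe_token(email):
    """Signed token to embed in the one-click unsubscribe link."""
    mac = hmac.new(UNSUBSCRIBE_KEY, email.encode(), hashlib.sha256).hexdigest()
    enc = base64.urlsafe_b64encode(email.encode()).decode().rstrip("=")
    return enc + "." + mac


def verify_unsubscribe_token(token):
    """Return the email address if the token is authentic, otherwise None."""
    try:
        enc, mac = token.split(".", 1)
        email = base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4)).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if len(mac) != 64 or any(c not in "0123456789abcdef" for c in mac):
        return None
    expected = hmac.new(UNSUBSCRIBE_KEY, email.encode(), hashlib.sha256).hexdigest()
    return email if hmac.compare_digest(mac, expected) else None


def withdraw_consent(records, token, withdrawn_at=None):
    """One-click unsubscribe: mark live consent withdrawn, keep the record as evidence."""
    email = verify_unsubscribe_token(token)
    if email is None:
        return False
    when = (withdrawn_at or datetime.now(timezone.utc)).isoformat()
    withdrawn = False
    for rec in records:
        if rec["email"] == email and rec["withdrawn_at"] is None:
            rec["withdrawn_at"] = when
            withdrawn = True
    return withdrawn


def may_send_marketing(records, email):
    """Only addresses with a live (not withdrawn) consent record may be mailed."""
    return any(r["email"] == email and r["withdrawn_at"] is None for r in records)


if __name__ == "__main__":
    # Constructed sample submissions.
    records = [record_consent({"email": "Alice@Example.com", "marketing_opt_in": "on"},
                              False, "https://www.example.com/register")]
    print(records[0])
    link = "https://www.example.com/unsubscribe?t=" + unsubscribe_token("alice@example.com")
    print(link)
    withdraw_consent(records, link.split("t=", 1)[1])
    print("may send:", may_send_marketing(records, "alice@example.com"))
```

Withdrawal sets `withdrawn_at` rather than deleting the record, because proof that consent was once held and later withdrawn is itself part of being able to demonstrate compliance. The records would live in an access-controlled database and the key in a secrets manager; the in-memory list here only keeps the example self-contained.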


Measuring campaign performance is vital to prove ROI, but there is so much more in our full guide to Email Marketing, including sections on Email Deliverability, Content Creation, List Management, Testing and Sending emails, and Great Tips for Email Performance Levels.

Email validation, such as the service provided by Hopewiser, analyses each email address in your list and returns a report classifying it as deliverable, unconfirmed, unverifiable, disposable, undeliverable or harmful, all without sending any email. Once your list has been validated, you can be confident that your emails are being sent to active and verified email addresses.




, updated 15th February 2023.