GDPR Compliance: email data protection

With the introduction of the “General Data Protection Regulation”, or “GDPR” for short, in May 2018, professional email usage will also be affected. The regulation covers several areas of messaging and has bigger implications than just “encryption”…

European mail - protect your privacy

What is affected by the GDPR regarding emails?

Depending on how you obtained the recipient's email address and what you do with it, there are the following aspects to keep in mind:

  1. When asking for an email address in a web form, you have to obtain the user's consent to store it, and also to track the open rate and delivery rate of your newsletters if you use marketing services like Mailchimp or Sendgrid.
  2. If you keep the email address together with the name (or even the birthday) of the user, you must at least store it password protected on your systems (very simply: if you use an email client on your company laptop and the laptop has no password protection, you basically violate the law – and you might just deserve to be punished for it, too).
  3. If you send personal data around (personal data includes names, addresses, birthdays, medical information, tax information or even family details – like “say hello to your brother Peter Smith”), you have to password protect these emails.

So, in summary: if you use email professionally, all the data and the process of sending emails are affected by these regulations.

What do I (or my company) need to do?

That can be an expensive question and I have helped several small to medium-sized companies in Germany, Spain and the UK to solve that in a practical approach:

  1. Make a plan: You might need a highly individual solution to that question. Maybe an audit of your digital infrastructure, maybe not. Maybe just a check of your email process in the office. That needs to be sketched out and thought through!
  2. Inform your co-workers: Changing something that has grown over years can be painful. If everyone in the company knows about it and follows a few simple rules (the ones you have defined in your plan), things will go a lot smoother!
  3. Implement the basics: Those who are in contact with customers or exchange personal information might just install our Protection for Outlook plugin, but be aware: you might not be done just yet if you do newsletters or promotional mailings.
  4. Check all data sources and fix questionable implementations: Your newsletter sign-up form needs the extra box to be ticked to gather “consent” and to inform the user of your intentions for his/her email address.

What if I do not care?

Well, if nobody sends you a cease and desist letter, you are fine. But we (Internet marketers) all know that this letter will come sooner or later. So the GDPR has clear wording for those who do not want to follow the rules:

The site “” has a nice summary for you:

A two-tiered sanctions regime will apply. Breaches of some provisions by businesses, which law makers have deemed to be most important for data protection, could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs. For other breaches, the authorities could impose fines on companies of up to €10m or 2% of global annual turnover, whichever is greater.

which probably hits more marketers than anyone else, but still: you get the severity of breaching the regulations willingly.

The first few months of 2018 will be full of news about the regulations, and I do hope most of the services we use from the US and outside the EU will follow the steps to compliance quickly!
