9 Steps Marketers Need to Take Before the GDPR Goes Live [Plus Bonus PDF Checklist]

Dale Langley, Head of Email Strategy & Deliverability, Emarsys

The GDPR is an Opportunity to Cleanse Your Database and Improve Marketing Practices

The General Data Protection Regulation, or GDPR, is getting a lot of attention as we creep closer to the May 25 effective date.

If you haven’t realized it by now, this new regulation requires the attention and immediate action of marketers. And while it may seem that only brands in the EU need to take action and adhere, that’s not the case. In fact, any brands that communicate with contacts in Europe must comply — or face steep penalties.

Are you ready? Unfortunately, although the GDPR goes into effect May 25, 2018, 73% of businesses are not ready to satisfy the compliance obligations of the GDPR.

According to a recent PwC report, most execs are taking notice, though:


Come May 25, the GDPR will go into full effect. It’s going to alter the way you gather information about customers, and how you prompt them to opt-in to communications from your company.

Why now? The current EU Data Protection Directive was conceived in 1980 — before smart phones, social media, and systems enabling AI, machine learning, and the like. The new law is meant to restore control of personal data to consumers in our evolved digital world. EU regulators believe data processors weren’t being transparent in their collection and use of customer data, and that specifications and realignment were needed. As a result, marketers like you and me will need to be more concerned with consent, data permission, and access to data.

The General Data Protection Regulation is the most significant overhaul in EU data protection legislation in 20 years, and the law applies to everyone.

If you’re concerned about what needs to be done or the steep fines you’ve heard about as the result of non-compliance, you’re not alone.


There are a lot of resources available to help you become compliant — including information and pointers provided in our recent GDPR webinar.

However, the aim of this post is to provide an overview of how the GDPR serves as a dually valuable opportunity to:

  • Strengthen your data privacy policies, processes, and platform; and
  • Reform how you seek consent to communicate with customers, a.k.a. reconsidering your “permission-based marketing” tactics

So, let’s get into some “to-dos” and best practices within these two categories, which will simultaneously help you prepare for the GDPR.

Prepare Your Privacy Policies and Platform

Let’s talk about data, your marketing automation platform, and their importance going forward.

Quick timeout! It’s important to note that the GDPR is raising the threshold for both how data is collected and consumers’ rights to access their data.

The GDPR stipulates that individuals must be given (or have clear access to):

  • The controller’s identity (your brand) and contact information;
  • The reason you’re collecting their data;
  • Retention period (how long you’ll keep it);
  • Portability (right to object to processing, to require restriction, and to withdraw consent);
  • The right to complain (to a supervisory authority); and
  • The right to access (to obtain personal copies of their data)

So, it’s your job to communicate and ensure access to them. The to-dos in this section address the people, processes, and technology to ensure data cleanliness and a fully functional platform.

To-Do #1: Update your privacy policy

Ask This: What should I do between now and May 25 to improve my privacy policy?

The GDPR serves as an excellent opportunity for you to update and provide easy access to your brand’s privacy policy.

Use the new regulations as an opportunity to update your privacy policy, and be as concise, transparent, and intelligible as possible using clear and plain wording. Source

If you weren’t taking privacy seriously before, consider this a sign that you should start. Take a moment to refine your privacy policy and ensure it’s easy to find — especially when prompting subscriptions.

To-Do #2: Assess portability processes and data restriction capabilities

Ask This: Should we review and implement data accessibility protocols? Can we automate this process should our contacts seek their data?

This is also a great opportunity to assess data subject access procedures, and methods of complying with portability and restriction requests.

The GDPR contains conditions around how we organize and store data, but also requires us to be able to give data subjects full access to the information we have on them.

You should evaluate how easy it is to share data with subjects if they ask, and even look into how you could automate the process. It would also behoove you to understand the repercussions that restriction of data would carry for the health of your database — not a huge concern, but worth consideration.

To-Do #3: Consider whether you must update your platform

Ask This: Do we have constant database development and necessary integrations to be able to capture new fields if required? Should we review and implement consent-gathering workflows to ensure we’re gathering proof of consent (e.g. timestamp, IP address, sign-up forms, etc)?

The GDPR deals with data, of course, and this includes how we store it. Leverage this time to ensure your technology is prepared to store opt-in credentials in an easy, scalable way.

Additionally, the GDPR requires that brands have the ability to show data subjects exactly what data we have about them, as well as the ability to delete that data (“right to erasure”). This process should be scalable and easy. If you can’t access and export data with your automation system, it may be time to look at updating to a more robust platform.

To-Do #4: Consider the implications of GDPR for your staff

Ask This: How might our staff need to be augmented and trained? Do we need a Data Protection Officer?

The GDPR’s added conditions around data protection, governance, and access may require you to examine your current teams, both in marketing and IT.

For example, your team members might need to be able to take on additional duties. Data subjects will inquire about their data. They may want a copy of all the data you have about them. And they could request that you delete it all – and provide proof that you have done so. Someone is going to have to respond to their requests. Does your existing team have the skills and capacity to handle the influx of such requests?

Once your team and technology are aligned with the upcoming regulation, it’s time to ensure your database is full of (and continues growing with) affirmative, confirmed subscribers. The to-dos in the next section concern your marketing tactics, and how you’re building your email list.

Refine Your Permission-Based Marketing and How You Gain Consent

Seth Godin popularized the term permission-based marketing. According to Seth, it’s “the privilege (not the right) of delivering anticipated, personal and relevant messages to people who actually want to get them.”

This perspective is the essence of the GDPR, and the justification behind the new regulations it outlines. But it’s also best practice for our marketing strategies, in general. We should be building our community of subscribers, registrants, and customers in non-intrusive ways where they take intentional and deliberate action to engage with our brands. Here’s how.

To-Do #5: For existing database contacts, ensure you have a record of how they subscribed

Ask This: Do we have a record of how existing customer data was collected?

For years, many brands have been using poor data collection practices to get as many subscribers, registrants, or sign-ups as possible — without regard for what they would actually do with those names (email addresses) or how they would communicate with them going forward.

That’s about to change.

The GDPR is raising standards. You need to be able to document all the data you have about the people who have already subscribed, as well as those who will do so in the future. Collect offline registrations, online account creation, email sign-ups, and SMS data capture with the goal of creating a clean, valuable, addressable customer database.

This means being transparent in how you plan to use data, and keeping it organized in a way that reflects what each user has opted into. A preference center is the outward expression of this idea, and allows customers to choose exactly how they want to subscribe.

A good preference center is easy to navigate, easy to understand, and even addresses frequency of communications and offers more information about each type. Source

To-Do #6: Gain affirmative consent

Ask This: Do we have a record of affirmative consent for opt-ins (with subscription channel [e.g. email, web form] and registration timestamp)?

While consent is the method by which most marketing data is collected, it is just one of six lawful bases for collecting data (e.g. legitimate interests).

The GDPR essentially expands on existing data protection laws when it comes to what’s called “affirmative consent.”

Consent is going to be really important when thinking about how you’ve obtained the data you have on individuals.

These new restrictions for consent are meant to further protect customers’ privacy. They tighten up the existing directive, and make it a law.

Now, “controllers” — which basically means businesses — will need to be able to prove that consent has been freely given by the “subject,” or customer, to collect any personal data.

What is personal data? Personal data is any information that helps identify someone, including name, date of birth, place of birth, height, weight, address, email address, identification number, race, religion, IP address, cookie identifiers, biometrics, fingerprints, and more.

This is a good thing, and will also create better, more informed, more engaged subscribers because they’ll actually want to be there. Yes, the threshold for consent is going up, but so will the quality of a subscriber.

To-Do #7: Institute “re-permissioning” campaigns

Ask This: Have we obtained email addresses using poor or inauthentic practices in the past? Does our database contain contacts who opted-in to one type of communication, but have been inserted into other lists? Can we identify those people?

All of your customer data — old and new — will need to comply with GDPR regulations.

So, if your customer database is really large with a bunch of different categories of data — and especially if you can’t really be sure of where that data came from (and thus prove consent if asked) — it’s worth identifying customers worth re-permissioning.

Why are we doing re-permission campaigns if people in our system already opted-in?

Many practices that marketers previously used to grow their database won’t be compliant under GDPR. For instance, let’s say someone provided their email address to download a whitepaper or provided their contact information to enter a contest. If you didn’t tell them you’d use their personal data to send marketing messages — and if they didn’t actively agree that it is okay to use their data for that very reason — it won’t be legal to add those email addresses to your mailing list.

Aside from engagement and deliverability benefits, re-permissioning email campaigns are a relatively easy-to-execute way to ask contacts if they want to continue to receive your emails… so they’re beneficial even aside from reasons related to GDPR.

These simple campaigns help to set expectations and offer a “yes” or “no” option for subscribers.

We now must be more deliberate and calculated in our approach to data collection, understanding what we can and cannot do.

Best practice advice for re-permissioning campaigns

  • What’s a good timeframe for inclusion of contacts for re-permissioning? Consider starting with six months. Six months of inactivity indicates some kind of issue — a loss of interest in communications from your brand, for example.
  • Should you just send re-permission communications to everyone all at once? It depends on the size of the list that you identify. If you have a large list of inactive contacts (think 40k+), it might be a good idea to cut it into segments of 10k or less for deliverability and testing purposes.
  • What do you even say to a contact? After all, “Hey, are you SURE you really want to remain a subscriber?” feels awkward. No need to sugarcoat… just make it clear you value your relationship with them, but that you haven’t heard from them in a while and you want to make sure they’re happy.

Editor’s note: We’ll be publishing an in-depth article by our internal GDPR and email deliverability experts showing you how to do re-permissioning campaigns in a month. Ensure you’re subscribed to stay tuned.

To-Do #8: Augment your sign-up/subscribe forms

Ask This: Are checkboxes on our forms pre-checked?

Currently, it’s acceptable to use pre-checked boxes to collect consent for additional marketing communications.

The GDPR changes this, requiring that consent be freely-given, informed, and unambiguous — as indicated by “clear affirmative action,” or, checking the box themselves.

But even if you don’t do business in Europe, you should still tighten up your opt-in forms, and ask users to indicate how they want to hear from you. This is about creating transparency, forging trust, and earning mindshare.

We can’t assume consent has been given as a default from inactivity, or inaction. Now, customers have to actively indicate they understand the kinds of communications they’ll receive.

With GDPR, consent must be a clear and deliberate choice.


And this is for the best. Ultimately, we want consumers of our content to want to receive what we deliver to them, and to have set expectations for what they receive.

To-Do #9: Go omnichannel

When it comes to re-permissioning existing contacts or obtaining consent of first-time subscribers, there’s a lot of value in looking at how you can use several of your marketing channels to get maximum buy-in.

Although email should be at the core of your overarching omnichannel strategy (the email address, or digital ID, is the single most important piece of data you have about customers), you should use other channels to confirm the email addresses you have in your database, maximize new opt-ins, and seek consent.

Continue using your top-performing data collection methods, like:

  • Online forms. If these work well to generate leads, continue using them. In general, using your website is the easiest, most common, and most effective medium to gain consent via sign-ups, subscriptions, registrations, and more.
  • Mobile app downloads. If these are on the rise and increasing your database contacts, keep aiming for downloads.
  • E-newsletter sign-ups. If these are steadily rising, no reason to skimp on seeking subscriptions.

Final Thoughts

Use multiple channels to do everything you can in every way possible to obtain consent from customers. Channel options will vary based on your unique marketing strategy, but all require the same level of permission for consent. Think about how you can leverage SMS (push notifications leading to an in-app notice), your website, Facebook ads, and even direct mail.

With the closing of one chapter opens another.

The GDPR isn’t a bad thing.

It’s truly an opportunity. A chance to cleanse and strengthen your list, to tighten up your privacy policy and procedures, and to earn more high-quality subscribers/registrants.

Because the “barrier of entry/opt-in” is going up, those who do convert will now (a) have more well-defined expectations for what they’ll be receiving from you, and (b) actually be interested, engaged, and satisfied.

Ultimately, a GDPR-compliant business won’t have to worry about inadvertently duping subscribers. It will understand that compliance is an opportunity to become more efficient, more process-driven, and more in-line with consumers’ lawfully-protected data privacy rights.

Maximize the number of contacts you have with affirmative consent before May 2018 with the steps in this guide and this checklist, and you’ll be on a clear path toward increased deliverability, better engagement, heightened trust from your audience, and much better brand reputation.
