GDPR and your email list – what you need to know

By May 3, 2018March 31st, 2019Super Mentor Academy

Listen to the podcast (banner)

A lot of small businesses are feeling stressed and confused about GDPR. There are several steps they need to take to make sure they don’t risk a huge fine when new legislation comes in on May 25th. A lot of business owners have been asking questions about GDPR and mailing lists in particular. So we asked Heather Stanford of Stanford Gould to share her knowledge.

We asked her if we need to email everyone on our mailing list and ask them to opt-in again, what about people who sign up to attend our events and if our followers outside the EU need to be taking steps to comply with these new rules.


Questions, answered:

gdpr mailing listsMy company isn’t based in the UK or the EU. Do I have to make any changes?

The GDPR and associated legislation is EU wide and does not require businesses outside of the EU to comply…


If you have customers in the EU, or perhaps more importantly business partners, suppliers or freelancers, they will be subject to these regulations. It is likely they will want assurances from you about managing data under a similar regime.

Facebook, Mailchimp, and PayPal (for example) have all issued GDPR updates. They recognize that a significant proportion of their operations are in the EU, and to continue to do business they will need to comply also.

A common example of this would be a Virtual Assitant, a HR advisor, or marketing services provider, outside of the EU, providing services to a business within the EU. They almost certainly they will need to be GDPR compliant.

What data does GDPR apply to?

In simple terms, this includes an individual’s name, address, email address, mobile numbers, age, dates of birth, criminal convictions, medical information, etc. It can include images and also information in the public domain – like a work email for example.

‘Personal data’ and ‘sensitive personal data’ are defined in the regulations.

Personal data

Means data which relate to a living individual who can be identified;

  • (a) from those data, or
  • (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller

… and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive personal data

Means personal data consisting of information as to;

  • the racial or ethnic origin of the data subject,
  • their political opinions,
  • religious beliefs or other beliefs of a similar nature,
  • whether he/she is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
  • their physical or mental health or condition,
  • their sexual life,
  • the commission or alleged commission by a person of any offence, or
  • any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

What does this mean for my mailing list and client information that I keep?

General rules about good business housekeeping have been beefed up so physical and cyber security are paramount.

Good passwords, changed regularly, encrypted data, good IT firewalls and security systems, password protected hardware, a clear desk, locked up files, papers, materials and documents are the way forward for us all.

Security is key, and you must only keep data that you need for your business. So, archiving, deleting and a good old clear-out may be in order! A policy for destruction of data – how long you keep something for and when and how it is deleted  or disposed of – is advised.

Use your mail list for legitimate business interests and only sharing such information when you are transparent about it, and have permission, is essential.

Here’s where a good Privacy Policy – on your website and in your office – is key.

There are three main legitimate bases for processing data. In simple terms sending an email or using a phone number – and they are:

  1. To provide goods and services – essentially to deliver the products and services to your current client base.
  2. If you have consent that has been open, clear and actively given. Someone must actually do something to consent like tick a box on your web page, or check a box on a paper form. You cannot assume consent. The focus on you being given active consent, not an individual taking proactive action to unsubscribe. No pre-ticked opt-in boxes for online forms anymore! Ideally, you should give the customer/client options about how they receive such information – for example whether it’s by text, post or email. Don’t assume if they say yes to being updated by email that they’ll be happy to get a text sharing your latest offer!
  3. The third basis is if you are required to process data by a government agency such as the Police.

Do I need to email everyone who is already in my contacts list and on my mailing list to ask them to provide consent?

If you want to process data after May 25th, 2018 – yes in principal, an opt-in is required to do so.

The exception is if the people on your mailing list gave their consent in a way that was already compliment with GDPR regulations. So was clear, informed and active consent given? For example, no pre-ticked boxes when they gave their email address and you told them exactly how you would use their data.

If you aren’t confident that this is the case, ask for consent.

Many people are worried that this will lose them significant numbers subscribed to their mailing list. However, savvy marketeers see it as an opportunity to clean up their lists. The people who consent are the ones who are truly engaged!

There’s also some lesser talked about legislation which covers the use of email marketing too – Find more information HERE.

I am advertising free content on my website or social media that I send via email for example an e-book or online training which requires people to provide their email address. Does this mean I can add people who sign up for this to my mailing list?

Not automatically.

This is where you need to provide a box to tick – some sort of action for them to take –  to confirm that you may add them to the list.

You need that evidence, too, in case the Regulator – ICO  – comes calling. Otherwise you can only provide the item they ask for, and no more. You can keep their data if you need it for a legitimate business reason – tax records for example – but again delete what is not necessary.

People have attended my event and registered via email or a 3rd party such as Eventbrite. Can I add them to my mailing list?

The same applies – not unless you have proper permission.

Think about the reason why the data came into your possession in the first place, and that is the reason you can use it. Without further consent, and clear evidence of that consent, no other purpose is really legitimate, and opens up your risk to a complaint by the data subject to the ICO about your processing.

You might want to consider asking attendees to sign up for your mailing list at the event.  You could also send one “Thank You for attending” email via Eventbrite and ask them to subscribe to your mailing list here. However, if they do not respond after this, delete their information and do not add them to your mailing list.

A person has signed up to my mailing list. Can I send them info about my other companies/services I provide?

Not unless they have consented and you have set out what other companies you share the data with – even if you own them and they are within a group or controlled by the same directors, this is a data share and you need to reference it in your privacy policy and be transparent when asking for the consent to share.

The current Facebook and Cambridge Analytica debate is all about what consent FB users gave to share such information with third parties, and if consent was given.

Top tips on collecting keeping data:

Here’s what the GDPR says should happen to personal data. Data must be:

  1. processed lawfully
  2. collected for a legitimate reason
  3. relevant and limited for a purpose
  4. accurate and up to date – and regularly reviewed
  5. secure and safe

The ICO website has some fantastic free resources on it – especially for small businesses:

Heather has also put together Stanford Gould GDPR Packs – Starter and Intermediate  which are available to help you:

Have you listened to our latest podcast episode? Our CEO – Mary Baird-Wilcock, CSEP helps you simplify in life and in business.

Find all our episodes here


Leave a Reply