Stensul raises $34.5m in Series C funding

The Ultimate GDPR Checklist for Email Marketers

european union flag

What is GDPR?

“We value your privacy”. We’ve all heard this phrase before. In today’s world, it’s pretty standard for businesses to ask for very personal data and then turn around and say they value your privacy. The way sensitive data is stored, sold, and shared is a concern for many people. It’s as if you need a GDPR checklist. GDPR stands for General Data Protection Regulation. This regulation was passed to protect user opt-out data. It was passed and enforced by the European Union in 2018. Many people believe this regulation only applies to European citizens.

GDPR applies to any business that handles European customers, no matter where they are in the world. Even if your business only manages customers in the US, being GDPR compliant is not only encouraged but most businesses who want to build customer loyalty, follow suit.

In an age driven by targeted ads and information, email marketers might feel this regulation hinders their efforts and makes it hard to continue marketing to specific customers. However, being transparent and safe when it comes to how you process data, will not only keep your business from being fined but builds customer loyalty. Additionally, building customer loyalty ultimately makes marketing campaigns even more effective.

Before GDPR

Before GDPR, when the internet was in its infancy, the 1995 Data Protection Directive stood to protect users and their sensitive data. As the internet grew exponentially, people started realizing a major review needed to take place on how processed data was handled online. The GDPR was created to replace the 1995 Data Protection Directive. 

Even with a prior personal data regulation in place, companies had to take additional steps to become GDPR compliant after it became enforced. This speaks to just how necessary this updated data regulation was. Since 2018, 27% of companies have spent over half a million dollars to become GDPR compliant.

If your business is worried about being GDPR compliant, here is a checklist to follow:

GDPR Compliance Checklist:

1. Map, audit, and organize the data flow 

Make sure all of the information about your data subjects are going to the right spot. Keep an inventory of all the devices that are connected to your network and which ones have a part in processing personal data. In addition, don’t hold on to sensitive data that you don’t need. Keep an updated list of how your company processes personal data and handles data collection. 

2. Appoint a data protection officer

With something as serious as GDPR, appointing a data protection officer is a smart choice for businesses that can afford one. Being GDPR compliant is the ultimate goal for every business, but having a team member who is trained can be a good benchmark so your business can know exactly where they stand. A GDPR officer can also give legal advice as it relates to GDPR compliance.


Additionally, day-to-day concerns might arise that a GDPR trained official can handle and keep under control. GDPR policy states that if there is a breach in personal data, customers have to be notified within 3 days. Having a data protection officer who is monitoring this, can catch it quickly because they are trained to do so.

3. Transparent Privacy Policies

Your customers, team members, and leaders need to know their rights when it comes to privacy. Update your handbooks so HR managers and team members can have updated access to the new policies and review them accordingly. When it comes to your customers, your website should display clearly why their information is being stored, where it is being stored, and how it is processed. 


Your website should also note any third parties that might have access to it and at what point it’s being accessed. A Data Processing Agreement is also required and should be linked online for customers to see easily. This gives transparency to which third parties are accessing the data and gives customers peace of mind.

4. Informed consent and access requests

A well-informed customer is a powerful customer. Informed and explicit consent must be given for data processing and sharing of personal data. According to the GDPR website, “consent is defined as any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”


In addition to informed consent, personal data can be requested whenever a customer chooses. If a customer chooses to request their data, a business must provide all of the personal data it has on a customer and dispose of it properly. Some entities are exempt from this request such as government entities, journalism entities, and hospitals.

5. Training

With any new regulation and policy, some training is required to make sure team members are up to date when it comes to data processing. Invest in extensive training so your team knows their rights and how their employer is protecting its team and customers. 


Team members should also be aware of what to do if there are data breaches and who to report them to. A data breach can be a huge setback for a company, so make sure you take the steps to prevent one from ever happening. This is a key element of being GDPR compliant.


 Email Marketing

Email marketing was created to create value in your brand by keeping customers updated on promotions and engaging them when they aren’t shopping. Email marketing is one of the main ways businesses market to their customers. Today, this popular marketing strategy is adjusted with specific guidelines for a business to follow to avoid the mishandling of personal data.

It’s been noted that “Email marketing under GDPR essentially means that, as an email marketer, you need to collect freely given, specific, informed and unambiguous consent (Article 32). To achieve compliance, you have to adopt new practices:”

  • New consumer opt-in permission rules
  • Proof of consent storing systems
  • A method through which consumers can ask to have their personal information removed.

These practices are designed to empower users and give them peace of mind when interacting with a business. If a customer trusts your business and can see you are transparent, they are less likely to mark your emails as spam and unsubscribe and more likely to continue buying your products.

Ideally, GDPR compliance shouldn’t decrease sales but ideally, become a revenue generator. Loyal customers are likely to remain if they can see your business is honest, transparent, and handles their data appropriately.


GDPR Compliance Checklist for Email Marketing

When it comes to email marketing, GDPR plays a critical role. Here is a brief checklist for GDPR compliance specifically for email marketers to follow: 

Transparent Websites

The first area potential customers will see before they sign up for emails is your website. How compliant your website is when it comes to GDPR is a huge deal. Your privacy policy must be easy to find and click on without navigating too much. 

Many sources suggest putting a link to your privacy policy in the footer of your website so it can be easily accessed. This transparency could be the difference between a customer continuing to browse on your site or losing trust and switching brands.

Double Opt-In Procedure

A double opt-in (DOI) procedure is a great way to truly give your customers transparency about what they are signing up for. Even after they type in their email address, a follow-up email is sent for them to verify their email address again and confirm they want to opt-in. 

If they never confirm their email address, they won’t receive any emails. This is a good strategy to keep your customers happy and avoid your emails being marked as spam.

Email Consent 

Before you can send any of your customers marketing emails, they must give consent. You must clarify what type of emails they will be receiving and make it clear they can opt-out at any time. Additionally, customers need to be able to unsubscribe themselves from marketing emails and adjust how often they are sent emails. 

Your website should clearly explain why you need certain pieces of information and what you do with them. Customers are more likely to be okay with receiving emails from your team if they know your intent. Take measures to ensure data protection and explain your intent before you ask for consent. Certain email creation platforms can help you do this as they are GDPR compliant and automated to save your business time and money.  

Common Questions for GDPR Compliance

Does GDPR only apply to European citizens?

No. Many people believe this regulation only applies to European citizens or businesses based in Europe. However, GDPR applies to any business that handles European customers, no matter where they are in the world. As stated before, businesses in other countries that don’t handle European customers are encouraged to follow GDPR guidelines and most do.

What are the 7 principles of GDPR?

These are the guiding principles that are at the heart of what GDPR stands for. Continue updating your GDPR standards and put these principles at the center.

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability



GDPR is aimed at empowering customers and giving them peace of mind when it comes to their data. Your team should work to keep GDPR compliance at the top of your priority list. Not only are you risking a huge fine for violating GDPR compliance, but your reputation and customer loyalty can be severely affected. 

The cost of non-compliance can be severe—up to €10M, or a penalty of 2% of the company’s worldwide annual revenue for larger companies. Additionally, loyalty within your customer base can take years to rebuild and a huge data breach could mean bankruptcy. Don’t risk any of these setbacks and make sure your business takes the steps to achieve GDPR compliance.

*The Ultimate GDPR Checklist for Email Marketers is meant entirely for educational purposes and shouldn’t be used as legal advice. You should consult qualified legal counsel before making any changes to your official communication policies.

Ready to see Stensul?

Recent Blog Posts