GDPR and Email Marketing: What you need to know

Cognism shares its expertise on GDPR compliance and its effects on email marketing practices.

On 25th May 2018, the General Data Protection Regulation (GDPR) came into force across Europe.

The new legislation was designed to strengthen Europe’s data protection laws, and give European citizens greater control over their personal information.

While undoubtedly a good thing for the individual, GDPR has meant that many B2B marketers have suffered sleepless nights. And not without good reason. Digital marketing is changing!

The regulation has a particular emphasis on email marketing, and how companies can and can’t use customer data. But is this concern from B2B marketers justified?

The GDPR wasn’t drafted to make email marketing harder, but to provide extra protection for consumers and the businesses using their data.

In this article, we offer our advice for email marketers to make sure their outbound emails are always GDPR compliant.


What does the GDPR require email marketers to do?

A year before GDPR was implemented, the Information Commissioner’s Office (ICO) published draft guidelines on consent.

The guidelines presented seven amendments to the way companies must collect, manage and store personal data. These amendments affect B2B marketers and how they carry out email marketing campaigns:

  • Asking for consent should be separate from other terms and conditions, so it’s clear to individuals what they’re signing up to.
  • Under GDPR, pre-ticked boxes are not a valid form of consent. Clear opt-in boxes should be used.
  • If personal data is to be used in a variety of ways, the ICO recommends that organisations ask for separate consent to each use. The idea is to give the data owner as much control as possible over their data and how it’s used.
  • Individuals must be told who your organisation is, and the names of any third parties that their data will be shared with. Any organisation that the data will be shared with must be named.
  • The following information must be recorded and stored: what the individual has consented to; what they were told at the time; and the method of consent.
  • It should be easy for individuals to withdraw their consent. Organisations must put in place simple and fast methods for withdrawing consent, and individuals must be told about their right to withdraw it.
  • Consent must be freely given (not forced) by individuals.

By sticking to these seven rules, it should be easy for B2B marketing teams to conduct email marketing campaigns in a GDPR-compliant way.

After all, the punishments for non-compliance can be severe. The legislation states that any company in breach of the rules will be fined 4% of their turnover, or €20 million – whichever is greater!

5 GDPR Tips for Email Marketers

As mentioned above, the GDPR was not designed to stop B2B marketers from sending emails.

Under the legislation, organisations can lawfully process personal data as long as they can demonstrate “legitimate interest” (i.e., having a clearly defined and necessary reason for processing that data).

So B2B marketing teams can continue sending email campaigns, as long as they state their reasons for doing so.

With that in mind, here are 5 top tips that will make sure your marketing emails are always GDPR compliant:

1. Don’t worry about smaller lists

One of the biggest concerns for B2B marketers is that the GDPR allows consumers to opt-out of email lists, or have their data erased entirely. However, smaller lists needn’t be a bad thing. Do you really want to keep contacting customers who aren’t interested in your product, or are unresponsive to your message? Smaller lists can lead to increased engagement and deliverability rates, as your emails are sent to only the most interested prospects or customers.

Consider segmenting your customers into even smaller lists (you could sort by age, gender, location etc.) and try adapting your email content to meet the needs of those different groups.

2. Explain the legitimate interest in your email copy

Always explain in the body of your email why you are reaching out, and why your offering is relevant to that prospect. This will ensure that your email marketing is always compliant with GDPR, as you have clearly demonstrated legitimate interest. The prospect should be made aware of why you have targeted them. Here are some examples of how you can explain a legitimate interest in your emails:

  • Check the prospect’s LinkedIn profile to see if your product or service would benefit them.
  • Has your prospect received any recent investment or funding? It’s a legitimate interest if your product or service would support their growth.
  • Have you dealt with any similar clients in the past? If you have, mention that in your email to explain your legitimate interest.
  • Has the prospect been referred to you from someone in your network? If so, that is also a legitimate interest.

3. Collect only the data you need

To stay GDPR compliant, only collect data if it’s strictly necessary to do so. A good way of thinking about this is to ask yourself: am I going to use this data for a specific reason? If not, then don’t collect it!

So, if you don’t plan on calling a prospect, don’t ask them for their phone number! If you don’t plan on sending a letter to your prospect, then don’t ask them for their mailing address! Make sure the data you collect is necessary and relevant to your business.

4. Make sure your opt-ins are GDPR compliant

When it comes to opt-ins, transparency is the name of the game. Here are some ways to maintain GDPR compliance with your opt-ins:

  • Always specify what your prospect is signing up to. If you want them to subscribe to a newsletter, then make sure that is totally clear. Use simple language that is easy to understand.
  • As before, don’t ask for any unnecessary personal information. If you don’t need a prospect’s mailing address, date of birth, phone number etc., then don’t ask for it!
  • Include tick boxes if you want the prospect to sign up to any third party communications or mailing lists. Never use pre-ticked boxes.
  • Consent must be given for each use of your prospect’s data. For instance, if you want your prospect to sign up to two different mailing lists, then you must give separate consent requests to each.
  • Always keep your consent requests separate from other terms and conditions. They must be visible and easy to read.

5. Make it easy for people to unsubscribe or opt-out

Opt-outs are just as important as opt-ins. Here are some tips for making sure your opt-outs are always GDPR compliant:

  • Always inform your prospects about their right to a restriction (you can store their data but not use it) and their right to erasure (you must delete their data entirely).
  • Include an unsubscribe button at the bottom of your email. This automates the process and keeps you GDPR compliant.
  • It’s also good practice to put a line in your email copy asking the recipient if they would like to be removed from your list or database.

Of course, it almost goes without saying – if someone wants their data deleted, then you must delete their data!

How Cognism Stays GDPR Compliant

Cognism is an innovative SaaS start-up that provides GDPR-compliant data to power sales and marketing campaigns. Our mission is to become Europe’s leading GDPR-compliant data company.

Since data is at the core of our business, we have taken the arrival of GDPR very seriously, and we have worked hard to ensure compliance in every part of our business. We are proud to share our experience with others.

These are the ways in which Cognism is GDPR-compliant:

  • We acquire data from a variety of public and private sources, always under legitimate interest. Cognism does not scrape websites, use bots, or violate other websites’ terms and conditions.
  • We are a B2B company – we do not collect or store any personal email addresses or phone numbers. The GDPR specifically mentions B2B marketing as a legitimate interest.
  • We are committed to only gathering the information we need to. The data we collect is both public and B2B.
  • We are able to provide accurate reports on how and why a person’s data has been collected. Any data we collect is stored safely and only for as long as it’s required.
  • If someone on our database withdraws consent, their data is immediately deleted.
  • Cognism partnered with the top UK law firm Sheridans to build a data privacy compliance engine into our service. This has ensured effective and safe cold B2B outbound.
  • Cognism is registered with the ICO and we are an Official Corporate TPS list cleaner.

Cognism believes that GDPR represents new opportunities for B2B marketing, rather than a challenge. We want to help others understand the legislation, and how it can be used to power effective email marketing in a post-GDPR world.