If Your Company Has An Email List, This New Regulation Will Change Everything.

This morning I received a promotional email from a company I had signed up with, saying that they had some new T&Cs and a new privacy policy and that, by receiving this email, they had complied with a new European regulation that is designed to protect consumers.


Unfortunately, they had stated: “Remember that by continuing to use [company X], you signify that you agree to our Terms of Service and Privacy Policy.”


Essentially this equates to “if you do nothing, you are implying consent to Company X”. However, the new European regulation, the General Data Protection Regulation (GDPR), clearly states that this is not adequate.


Having been involved in developing customer acquisition strategies for companies of all sizes, I can say that this regulation will have a significant effect on every single company, no matter how large or small, that has an email list.

Why is GDPR important?

Two key questions to ask yourself: 

  1. Can you categorically demonstrate to a regulator how you obtained an email address or other personal data, under the GDPR guidelines?
  2. Can you categorically demonstrate that you know whether they are an EU citizen and, if so, that their data is compliant with the GDPR?

In this article I will explain why this is important, the financial impact it would have on your company today if you were fined, and what you can do about it.



One of the biggest changes concerns consent: how it is obtained from those who sign up.


As the ICO states:

“The GDPR is clear that an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). It specifically bans pre-ticked opt-in boxes. It also requires distinct (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.”


Consent is one lawful basis for processing, and explicit consent can also legitimise use of special category data. Consent may also be relevant where the individual has exercised their right to restriction, and explicit consent can legitimise automated decision-making and overseas transfers of data.

Genuine consent should put individuals in control, build trust and engagement, and enhance your reputation.

Relying on inappropriate or invalid consent could destroy trust and harm your reputation – and may leave you open to large fines.


Significant Fines For Non-Compliance


Article 83 of the General Data Protection Regulation provides details of the administrative fines. There are two tiers of fines.


The first is up to €10 million or 2% of annual global turnover of the previous year, whichever is higher.


The second is up to €20 million or 4% of annual turnover of the previous year, whichever is higher. Generally speaking, breaches of controller or processor obligations will be fined within the first tier, and breaches of data subjects’ rights and freedoms will result in the higher level fine.


Third-Party Access


Until the GDPR was introduced it was acceptable to simply infer that personal data could be used by whichever third parties the company deemed appropriate. The repercussion of this is that data was shared with third-party organisations who might use it to sell you their own services.


This is, of course, common practice; however, under the GDPR any third-party controller will need the individual's consent before approaching them “cold”.


In other words, paid-for email lists and databases obtained without directly asking each individual's permission will put the company at risk.


The GDPR allows any individual to ask a company what personal data it holds about them and gives them the right to have it removed, which is why Facebook and other large tech companies that have relied on implied consent are frantically rewriting their policies.


New Opportunities


While some may consider this a significant risk to their operations, there are also significant opportunities.


On Friday 25th May 2018 the GDPR will come into full force across the whole of Europe, and every company in the world that has customers or contacts in Europe will need to comply with immediate effect.


And while some companies are fully compliant, many are facing the prospect of starting Monday 28th May 2018 with a significantly reduced customer list.


At Social Media Thunder we have already been working with a number of clients of varying sizes to establish new customer acquisition strategies that are GDPR compliant.


We have witnessed first-hand organisations deleting millions of contacts collected over the years, because the data was obtained in such inconsistent ways that it now poses too great a risk to the company, and starting over again.


A corporate GDPR lawyer explained it this way: “remember the mis-selling of mortgages scandal that caused the depression. Now imagine that same scandal and number of lawsuits multiplied by every company that has ever held an individual’s personal data, even just one email”.


Level Playing Field


Now consider that some of the largest companies in the world will be starting again: validating their data, gaining consent and developing relationships with individuals afresh.


There has never been a better opportunity to develop a strategic customer acquisition plan that is proactive and compliant. Many of our clients have already started to develop and implement strategies in a tactical, professional manner, but from experience I know that not all will survive.


The time of vague, ambiguous use of data is over and a profitable new opportunity has opened. If you would like to discuss how we may be able to support your customer acquisition and retention strategy or marketing and comms strategy, please contact me at Ross@SocialMediaThunder.com


Ross Kingsland

Managing Partner, Social Media Thunder

Social Media Thunder is one of the fastest growing digital agencies and works with companies like Starbucks, Uber, World Travel Market, Malmaison Luxury Hotels, Korn Ferry, Harry’s, UBM, Brothers, Lamborghini, Virgin and Accenture.

PS: Here are the official links to the GDPR pages.


GDPR portal



The GDPR at a glance:

  • The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.
  • Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
  • Check your consent practices and your existing consents. Refresh your consents if they don’t meet the GDPR standard.
  • Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
  • Explicit consent requires a very clear and specific statement of consent.
  • Keep your consent requests separate from other terms and conditions.
  • Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
  • Be clear and concise.
  • Name any third party controllers who will rely on the consent.
  • Make it easy for people to withdraw consent and tell them how.
  • Keep evidence of consent – who, when, how, and what you told people.
  • Keep consent under review, and refresh it if anything changes.
  • Avoid making consent to processing a precondition of a service.
  • Public authorities and employers will need to take extra care to show that consent is freely given, and should avoid over-reliance on consent.
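The two key questions near the top of this article (can you show how you obtained the data?) and the checklist above (positive opt-in, granular purposes, named third parties, evidence of who/when/how/what, easy withdrawal) come down to keeping a usable record per individual and checking it before every send. The following Python is an added example written for this page, not code from the article, from Social Media Thunder or from the ICO; the record schema, field names, the set of methods treated as affirmative, and the sample records are all assumptions constructed to illustrate the checks. One of the constructed records reproduces the "by continuing to use Company X you agree" pattern quoted at the start of the article, so you can see why an auditor would reject it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Methods that count as a clear affirmative action. This set is an assumption of
# the example; "pre_ticked" and "implied_by_use" are deliberately excluded because
# silence, inactivity and default settings do not count as consent under the GDPR.
AFFIRMATIVE_METHODS = {"unticked_checkbox", "double_opt_in_email", "signed_form"}


@dataclass
class ConsentRecord:
    """Evidence of one consent decision: who, when, how, and what they were told.
    The field names are a hypothetical schema invented for this example."""
    subject_id: str                     # who
    captured_at: Optional[datetime]     # when (None = no evidence kept)
    method: str                         # how the opt-in was captured
    statement_shown: str                # the exact wording the individual saw
    purposes: Dict[str, bool]           # granular per-purpose choices
    third_parties: List[str] = field(default_factory=list)  # named controllers
    bundled_with_terms: bool = False    # consent buried inside the T&Cs
    withdrawn_at: Optional[datetime] = None


def audit_consent(rec: ConsentRecord) -> List[str]:
    """Return the reasons this record cannot be relied on (empty list = usable)."""
    issues = []
    if rec.method not in AFFIRMATIVE_METHODS:
        issues.append(f"method '{rec.method}' is not a clear affirmative opt-in")
    if rec.captured_at is None:
        issues.append("no timestamp: cannot show when consent was given")
    if not rec.statement_shown.strip():
        issues.append("no copy of the wording the individual was shown")
    if rec.bundled_with_terms:
        issues.append("consent was bundled with terms and conditions")
    if not rec.purposes or any(k in ("all", "any") for k in rec.purposes):
        issues.append("consent is blanket rather than granular")
    if rec.purposes.get("third_party_marketing") and not rec.third_parties:
        issues.append("third-party marketing ticked but no controller named")
    if rec.withdrawn_at is not None:
        issues.append(f"consent withdrawn at {rec.withdrawn_at.isoformat()}")
    return issues


def may_contact(rec: ConsentRecord, purpose: str) -> bool:
    """True only if the record is sound and the individual opted in to this purpose."""
    return not audit_consent(rec) and bool(rec.purposes.get(purpose, False))


def contactable(records: List[ConsentRecord], purpose: str) -> List[str]:
    """Reduce a list to the subject ids you can lawfully email for one purpose."""
    return [r.subject_id for r in records if may_contact(r, purpose)]


# Constructed sample records (not real people or real companies).
T0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)

GOOD = ConsentRecord(
    subject_id="user-1001", captured_at=T0, method="unticked_checkbox",
    statement_shown="Tick to receive our monthly newsletter by email. Unsubscribe at any time.",
    purposes={"newsletter": True, "third_party_marketing": False},
)

# The pattern quoted at the start of the article: silence taken as agreement.
IMPLIED = ConsentRecord(
    subject_id="user-1002", captured_at=T0, method="implied_by_use",
    statement_shown="By continuing to use Company X you agree to our Terms of Service and Privacy Policy.",
    purposes={"newsletter": True, "third_party_marketing": True},
    bundled_with_terms=True,
)

PRE_TICKED = ConsentRecord(
    subject_id="user-1003", captured_at=None, method="pre_ticked",
    statement_shown="", purposes={"all": True},
)

WITHDRAWN = ConsentRecord(
    subject_id="user-1004", captured_at=T0, method="double_opt_in_email",
    statement_shown="Confirm your subscription to product updates.",
    purposes={"product_updates": True},
    withdrawn_at=datetime(2018, 6, 1, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    for r in (GOOD, IMPLIED, PRE_TICKED, WITHDRAWN):
        print(r.subject_id, audit_consent(r) or "OK")
    print("newsletter:", contactable([GOOD, IMPLIED, PRE_TICKED, WITHDRAWN], "newsletter"))
```

Running `audit_consent` over an existing list before 25th May is the quickest way to find out how much of it can be kept; anything that comes back with issues is a candidate for a fresh, properly recorded opt-in rather than for sending.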