
So often people will throw around the letters GDPR when talking about email marketing. It’s often a form of fear mongering to stop people taking action or to make people feel bad for taking action.

It very rarely comes from a place of actually understanding GDPR.

In the first instance, GDPR is not actually the be-all and end-all when it comes to email marketing; direct marketing by email is governed by PECR…

This blog does not constitute legal advice – this is a starting point for understanding these terms so that you can take action intentionally and with due care and attention.

GDPR – General Data Protection Regulation

In the UK, GDPR (retained after Brexit as the UK GDPR) sits alongside the Data Protection Act 2018.

It sets the rules for how personal data is collected and processed by organisations in the EU and the UK.

Personal data is any information relating to an identified or identifiable individual, so if you run a business and hold clients’ names and contact details, you are processing personal data and need a GDPR policy.

There are very few businesses that are exempt and realistically, there is no reason for you to not follow the guidelines!

Focus on:

  • HOW & WHY you collect personal data
  • WHERE you store the data and how SECURE this is
  • HOW LONG you hold it for and why
  • What HARM it could cause the individual if it were hacked or leaked

Top 5 GDPR Tips for small businesses:

  1. There are six lawful bases for processing data – you need to do a proper assessment to make sure you are using the right one for each processing activity. It is not a one-size-fits-all option unfortunately!
  2. The regulations are not there to make things harder for you, just to make you treat other peoples data with the respect you want for your own!
  3. Don’t rely on excel spreadsheets to store customer details, there are a lot of reasons why a CRM system is a valuable investment but GDPR compliance is one of the main ones!
  4. Be careful with mass emails sent direct from your account – if you accidentally include all addresses in CC rather than BCC, every recipient sees everyone else’s address, and that counts as a personal data breach.
  5. You need to review and update your policy at least once a year as things will change!
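Tip 4 is the one mistake on this list that can be caught mechanically before the message leaves your machine. The following is an added example (it is not code from the original post) showing how to build a mass mailing with every recipient in Bcc, alongside the mistaken Cc version, and a pre-send check that refuses any message whose To or Cc headers would disclose addresses other than the sender’s own. The sender and recipient addresses are constructed for the example and are not real.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample mailing list for this example (not real addresses).
SENDER = "news@example.co.uk"
RECIPIENTS = ["alice@example.com", "bob@example.org", "carol@example.net"]


def build_bulk_message(sender, recipients, subject, body):
    """Build a mass mailing the safe way: the sender's own address in To,
    every real recipient only in Bcc, so no recipient sees the others."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_mistaken_cc_message(sender, recipients, subject, body):
    """The mistake tip 4 warns about: the whole list pasted into Cc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def exposed_recipients(msg):
    """Return every address that would be disclosed to all recipients,
    i.e. anything in To or Cc other than the sender's own address."""
    sender = getaddresses([str(msg["From"])])[0][1].lower()
    visible = []
    for header in ("To", "Cc"):
        raw = [str(value) for value in msg.get_all(header, [])]
        visible.extend(addr for _, addr in getaddresses(raw))
    return [addr for addr in visible if addr.lower() != sender]


def check_before_sending(msg):
    """Pre-send gate: returns (ok, exposed_addresses). Refuse to send
    when ok is False; the list tells you what would have leaked."""
    exposed = exposed_recipients(msg)
    return (len(exposed) == 0, exposed)


if __name__ == "__main__":
    good = build_bulk_message(SENDER, RECIPIENTS, "Newsletter", "Hello")
    bad = build_mistaken_cc_message(SENDER, RECIPIENTS, "Newsletter", "Hello")
    print("Bcc version:", check_before_sending(good))
    print("Cc version: ", check_before_sending(bad))
    # When actually sending, smtplib.SMTP.send_message() strips the Bcc
    # header from the transmitted bytes while still delivering to those
    # addresses, so the Bcc list never reaches the recipients.
```

Wire `check_before_sending` in front of whatever actually submits the message; a mailing of several hundred addresses in Cc is exactly the kind of accidental disclosure that has to be reported, and it is much cheaper to block it than to notify everyone afterwards.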

PECR – Privacy & Electronic Communications Regulations

Although they are not talked about anywhere near as much as GDPR, the PECR rules have been around since 2003, implementing the European ePrivacy Directive.

These are the guidelines that regulate who you send direct marketing to and whether this is solicited or unsolicited. So if you have an email marketing list, these apply to you!

Direct Marketing

Advertising/marketing material sent to particular individuals

Unsolicited Messages

Messages not specifically requested, even if a customer has “opted in”

Consent
A freely given, specific, informed and unambiguous indication of wishes

Legitimate Interest

Your business gains a benefit from processing data that is not overridden by the customer’s rights, interests and freedoms

Top 5 PECR Tips for small businesses:

  1. If someone requests information, makes an order or you are emailing them about something directly related to a service you are providing them, this is not marketing and PECR does not apply.
  2. PECR regulations are strict when it comes to consent, so someone has to opt in to receive marketing from you.
  3. If someone is an existing customer of yours, however, you can rely on the “soft opt-in” to market similar products or services to them, provided you gave them a chance to refuse when you collected their details and offer an opt-out in every message.
  4. If you are doing Business to Business marketing and you are emailing a generic company address with no personal data, OR a named contact where you hold no further personal data besides their name and work email, legitimate interests can be used as the lawful basis for your email.
  5. For cold prospect Business to Consumer marketing you need clear, unambiguous consent – an opt-in – so if they’ve never heard of you, don’t email them!
