Ok, so unless you have been hiding under a rock, by now you will have heard of GDPR, and if you're anything like me, perhaps you have been burying your head in the sand, hoping it will go away.

The bad news is, it's not going to go away, and as the 25th May draws ever closer, NOW is the time to understand it and take the necessary actions.

Now, I'm not a lawyer, and this blog post is what I have learnt while doing my research. That being said, many professionals have different opinions on GDPR and how it's going to impact business.

In this blog post, I answer several questions I had in relation to building my email list, marketing to that list, as well as what actions I need to take with my existing list.

I hope this helps you in your business. 🙂 – Ok let’s dive in!

What is GDPR?

GDPR stands for General Data Protection Regulation, and it will come into force on May 25th, 2018. It's a European law but it affects anyone who collects and holds data from anyone in Europe.

What activities are covered by the GDPR?

GDPR applies any time you are processing personal data (a fancy phrase for doing anything with data). It covers everything from the moment you collect the data right through until it is deleted. So basically, anything you are doing with data, whether collecting, using or storing it, is included. GDPR only applies to personal data, which is anything associated with or related to a person who is identified or can be identified, i.e. name, email, address, telephone number etc. However, it also includes any kind of processing of information that you are adding to your contact database. So if you have quizzes, or tagging or segmentation within your CRM database, all of that is included, because what you're doing is effectively monitoring people's behaviour, and if you're monitoring what people are doing, that is covered by GDPR.

Who Does the GDPR apply to?

The best way to think about it is this: if anyone involved in a paid or free commercial relationship with you is in the European Union, it applies. An important thing to remember is that it's not about citizenship or residency; it's where they are when you're interacting with them. What this means, functionally, is that if you are an online marketer and you are in the European Union, it applies to everything you do in your business. Every interaction, every piece of data we touch is covered by the GDPR. If you are outside of the EU, it applies to you whenever you are interacting with or collecting data from people in the EU.

6 Principles of the GDPR

1: Data shall be processed "lawfully, fairly, and in a transparent manner."

You have to be upfront about what you are collecting the data for.

2: Data shall be “collected for specified, explicit and legitimate purposes.”

You can’t collect data without explaining how you are using it, and those purposes have to be legit.

3: Data processing shall be “limited to what is necessary” for the purpose.

You can’t collect all kinds of data on a person if all you need is an email address (like for a lead magnet). You may only collect the minimum amount of data for the purpose you are collecting it for. Once you have collected the necessary data, you can only use it for its intended purpose.

4: Data shall be accurate, kept up to date, and corrected.

Doesn't really apply to us. This is more for the Googles and Facebooks of the world.

5: Data shall be kept so it identifies a person “no longer than is necessary.”

You should not keep data about people forever if there is no reason to keep it.

6: Data shall be “processed in a manner that ensures appropriate security.”

You have to take reasonable steps to protect the data. We should all already be using SSL certificates (so our sites run over HTTPS) and other measures to make sure that we're actually protecting the data, and the data should be stored behind a secure wall (password protected).

How You Will Need to Change the Way You Collect Email Addresses from Potential Leads in Your Marketing Efforts:

We are going to have to change the way we go about collecting information from our leads, at least from a marketing perspective. The only lawful basis that's going to give you the right to market to someone under the GDPR for any long period of time is if they give you consent.

GDPR requires that consent is freely given, specific and unambiguous.

What that means is we can't take anyone who signs up for one of our lead magnets and add them to our general marketing email list, because they have not freely given us specific and unambiguous consent to send them those marketing emails.

So, what we have to do is get a separate consent to add them to our marketing list. And don't think you can get around it by saying they only get your freebie if they consent to join your marketing list; that's a no-no under GDPR. The GDPR says you cannot make the freebie conditional on consenting to something else. What we have to do instead is find a way to sell our prospects on why they want to be on our list and convince them to sign up voluntarily.

The other big part you need to understand, and the reason a lot of people aren't thinking about why you need to be taking action now, is that this new consent standard applies to your existing list. If you can't show that you have the right kind of consent for people who are already on your list and to whom the GDPR applies, you have to stop emailing them come 25th MAY 2018. So, action needs to be taken between now and then to ensure you are compliant.

Can I send a nurture email sequence after someone opts in for my lead magnet under GDPR?

This is one of those 'grey' areas associated with GDPR. From my research, I have found that there is a good argument for us being able to send a nurture email sequence, but it's not crystal clear. The GDPR has a provision which talks about expanded processing, basically processing data beyond the original purpose for which you collected it, and it gives a list of factors you would consider in deciding whether that expanded processing is ok:

1 – The link between the purposes of collection and the purposes of the expanded processing. So, is there a clear link between why they gave you their info and why you are sending this later email?

2 – The context in which the data is collected. (Not sure what that means, but likely to be that the data has been provided freely.)

3 – The nature of the personal data that's collected. When collecting info for a lead magnet we are not collecting sensitive data; it's a name and an email address.

4 – The consequences of the expanded processing. For a nurture sequence, what are the consequences? They get 3-4 emails from you, which is probably not something that's that bad.

5 – Whether you have appropriate safeguards in place.

What do I need to do for list building?

1 – Existing list – Figure out who you need to get consent from, then figure out how you are going to do it. Segment your list into those who are in the EU, those who are not, and those who you can't identify either way. Then send a re-engagement campaign to those in the EU and those who are unidentified to try to win them over. (Note: the segmenting is only applicable if you are based outside of the EU. If you are based in the EU, this applies to your whole list, so no segmenting is required.)

There are two parts to the re-engagement campaign. First, they get extra value: for example, say you send one email each week advising of your latest blog post or your podcast, you could send an additional email each week and give something away. You could give them your new lead magnet without asking them to opt in. Shower them in value. Second, ask them to consent to stay on your list, and anyone who has not done that by 24th May, delete them from your list.

When people do consent by clicking on a link, tag them so you have proof they have consented to stay on your list! The good thing about this is it's a great opportunity to tidy up your list, and if people don't interact with your emails between now and then, they are likely not your ideal customer anyway, so delete them on May 24th.


1 – Build 'good will' by delivering amazing value to your list between now and 25th May. Sit down and map it all out; it's going to take time, so give it the time it needs. Go above and beyond. Make the content so good that people will not want to miss the opportunity to stay on your list.

2 – Segment your list so you know who you need consent from. For those of us in the EU, it's our whole list; for those outside of the EU it will be those on your list who are in the EU and those you can't identify as being in the EU or not! Also, those who have signed up to be on your newsletter are ok to be on your list, as they have already consented.

3 – Run a re-engagement campaign to those who need to consent (that's the full list for us in the EU). Sell them on the benefits, and do this in your own style. Good copywriting is key here; you know your audience and you know how they will want to hear from you. Plan a series of emails with interesting subject lines so people don't miss them.

4 – Anyone who doesn't give consent by 24th May is to be deleted from your list, because storing and deleting are covered under GDPR, so this needs to be done before 25th May.
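The four steps above are a procedure you can actually run over your list. As an added example (this is my own illustration, not code from any autoresponder or CRM), here is a small Python model of it: who is in scope depends on where you are based and where the subscriber is (step 2), a click on the "stay on my list" link is tagged as a consent record with evidence (step 3), and an audit splits the list into keep, awaiting and delete, with deletions only once the deadline has passed (step 4). The field names, the `MARKETING_CONSENT_SOURCES` set and the sample subscribers are all constructed for the example; a lead-magnet opt-in is deliberately not counted as marketing consent.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# EU member-state ISO codes. GB was still a member when this post was written
# (May 2018); add it if you are auditing records against that date.
EU_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
}

# Consent sources that count as consent to *marketing* email (assumed names).
# A lead-magnet opt-in is not in this set: it only covers delivering the freebie.
MARKETING_CONSENT_SOURCES = {"newsletter_signup", "reengagement_click"}


@dataclass
class ConsentRecord:
    source: str            # where the consent came from, e.g. "reengagement_click"
    recorded_at: datetime  # when it was recorded (UTC)
    evidence: str          # what you could show later: form id, link id, campaign name


@dataclass
class Subscriber:
    email: str
    country: Optional[str]  # ISO code captured at sign-up, or None if never captured
    consents: list = field(default_factory=list)


def needs_consent(sub: Subscriber, controller_in_eu: bool) -> bool:
    """Step 2: an EU-based sender must (re)consent the whole list; a sender outside
    the EU must cover subscribers who are in the EU or whose location is unknown."""
    if controller_in_eu:
        return True
    return sub.country is None or sub.country in EU_COUNTRIES


def has_marketing_consent(sub: Subscriber) -> bool:
    """True if any recorded consent is one that covers marketing email."""
    return any(c.source in MARKETING_CONSENT_SOURCES for c in sub.consents)


def record_reengagement_click(sub: Subscriber, link_id: str, now: datetime) -> None:
    """Step 3: when someone clicks the consent link, tag them with a record that says
    what they clicked and when, so the consent can be evidenced later."""
    sub.consents.append(
        ConsentRecord("reengagement_click", now, f"clicked consent link {link_id}")
    )


def audit(subscribers, controller_in_eu: bool, now: datetime, deadline: datetime) -> dict:
    """Step 4: split the list into keep / awaiting / delete. Nobody is deleted before
    the deadline; once it passes, everyone in scope without marketing consent goes."""
    result = {"keep": [], "awaiting": [], "delete": []}
    for sub in subscribers:
        if not needs_consent(sub, controller_in_eu) or has_marketing_consent(sub):
            result["keep"].append(sub.email)
        elif now < deadline:
            result["awaiting"].append(sub.email)
        else:
            result["delete"].append(sub.email)
    return result


DEADLINE = datetime(2018, 5, 25, tzinfo=timezone.utc)   # the date the post works to
AUDIT_DAY = datetime(2018, 5, 10, tzinfo=timezone.utc)  # a day mid-campaign, constructed


def sample_list() -> list:
    """Constructed sample data, not a real list."""
    t = datetime(2018, 3, 1, tzinfo=timezone.utc)
    return [
        Subscriber("anna@example.com", "DE", [ConsentRecord("lead_magnet", t, "freebie form #1")]),
        Subscriber("bob@example.com", "US"),
        Subscriber("cara@example.com", None),
        Subscriber("dan@example.com", "FR", [ConsentRecord("newsletter_signup", t, "newsletter form")]),
        Subscriber("eve@example.com", "IE", [ConsentRecord("lead_magnet", t, "freebie form #2")]),
    ]


if __name__ == "__main__":
    subs = sample_list()
    print("mid-campaign:", audit(subs, False, AUDIT_DAY, DEADLINE))
    record_reengagement_click(subs[4], "stay-on-list", AUDIT_DAY)
    print("at deadline: ", audit(subs, False, DEADLINE, DEADLINE))
```

Run as-is it prints the mid-campaign split for a sender outside the EU, then the split at the deadline after one subscriber has clicked the consent link. Pass `controller_in_eu=True` and the whole list comes into scope, matching step 2's note for those of us based in the EU.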

You're doing great. I know this is not the most engaging of subjects, although it is necessary! Now it's time to move on and look at how to work things once GDPR comes into effect.

What do I need to do moving forward with my list building efforts?

Now, we can't just add people to our list because they sign up for a lead magnet or a webinar or something like that. We have two choices: we go back to the old 'join my newsletter', OR we continue to use lead magnets but get consent somewhere else along the way. If you want to build your list with people in the EU, you are going to have to get consent from them somewhere along the way, and that consent will be good as long as you tell them you're going to send them marketing materials and try to sell them things, and you can do this with a Privacy Policy.

With that, what would the workaround look like?

The good news is, we can still deliver our lead magnets via email. That's allowed because they consented to us doing that, but we are also fulfilling a contract, which is one of the lawful reasons to process data. So, between them opting in for the lead magnet and actually delivering it, where can you get the consent in?

Here are a couple of ideas:

1 – Put something on the opt-in page, i.e. a checkbox or a drop-down menu. You have to make sure that they take an action that's affirmative! Remember it has to be clear why they want to join your list and it has to be their choice to do it, so you can't make it that they have to be on your email list to get the freebie, and you can't default the choice to 'Yes'; they have to be the ones who tick 'yes' to be on your mailing list.

You can, however, force them to answer a question – so you could have a drop-down box which asks if they want to be added to your list and they have the two options, yes or no, but make it clear they are going to get the freebie no matter what. If they say ‘yes’ you add them to your list, if they say ‘no’ they don’t get added to your list.

2 – Have an additional page in the opt-in process – Have a page after the 'Opt-In' but before the 'Thank You' page which is completely devoted to getting their consent. Advise them you want to add them to your newsletter list and then sell all the benefits to them; use great copy and explain all the reasons why they want to be on your list. On that page have an option where they click Yes or No, then they move on in the funnel.

Treat it like a sales page, have bullets and great copy, then have a button where they can click yes or no which moves them appropriately to the next step.

3 – The delivery email itself – This is an opportunity to gain consent once you have delivered their freebie.

You could send your normal delivery email and add a section saying something along the lines of:

As someone who is passionate about starting their own business (you add the relevant info here, so it is consistent with your audience and your product/service) I want to invite you to join my newsletter.

The rest of this email is a sales piece. Don't make it long or drawn out, but talk about the benefits of being on your list (tips, tricks and strategies), have a piece about how you won't spam them or sell their info, and then give them access to your privacy policy. From there you can ask them if they want to stay on your list, and you will have a button or link for them to click which takes them to a stand-alone opt-in page for your newsletter, or you could tag them; whatever you want to do that proves they have consented to be on your list.

4 – Put something in all of your lead magnets – Add a short paragraph that invites them to your list and again talk about the benefits and have a clickable link.
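Idea 1 above (checkbox or yes/no drop-down on the opt-in page) comes down to two things on the server side: the control must never default to 'yes', and the freebie must be delivered whether or not the box is ticked. As an added example, not code from any opt-in tool, here is a Python handler that (a) checks an opt-in form template for a pre-ticked consent box or a pre-selected 'yes' option before it goes live, and (b) processes a submission so the lead magnet is always delivered and a consent record (with the exact wording shown) is created only on an explicit 'yes'. The field name `marketing_consent`, the consent statement and the two sample templates are constructed for the example; `require_answer=True` models the mandatory yes/no drop-down variant.

```python
from datetime import datetime, timezone
from html.parser import HTMLParser

# Assumed form field name for the separate marketing-consent question; any name
# works as long as the template and the handler agree.
CONSENT_FIELD = "marketing_consent"

# The statement the subscriber saw next to the control; stored with the consent
# record so you can later show exactly what they agreed to (constructed wording).
CONSENT_STATEMENT = "Yes, send me the weekly newsletter with tips and occasional offers."


class _ConsentControlCheck(HTMLParser):
    """Finds the consent control in an opt-in template and notes whether it is pre-selected."""

    def __init__(self):
        super().__init__()
        self.found = False
        self.preselected = False
        self._in_consent_select = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == CONSENT_FIELD:
            self.found = True
            if "checked" in a:  # a pre-ticked box is not an affirmative action
                self.preselected = True
        elif tag == "select" and a.get("name") == CONSENT_FIELD:
            self.found = True
            self._in_consent_select = True
        elif tag == "option" and self._in_consent_select:
            if "selected" in a and (a.get("value") or "").lower() == "yes":
                self.preselected = True

    def handle_endtag(self, tag):
        if tag == "select":
            self._in_consent_select = False


def template_is_compliant(html: str) -> bool:
    """True when the template has a consent control and it defaults to 'not consented'."""
    p = _ConsentControlCheck()
    p.feed(html)
    return p.found and not p.preselected


def process_optin(form: dict, now: datetime, require_answer: bool = False) -> dict:
    """Handle one opt-in submission. The freebie is always delivered (that is the
    contract the subscriber asked for); the marketing list is joined only on an
    explicit 'yes'. With require_answer=True (the yes/no drop-down variant) a
    missing answer is rejected instead of being treated as 'no'."""
    answer = (form.get(CONSENT_FIELD) or "").strip().lower()
    if require_answer and answer not in ("yes", "no"):
        raise ValueError("consent question must be answered yes or no")
    outcome = {
        "email": form["email"].strip(),
        "deliver_lead_magnet": True,  # never conditional on the consent answer
        "add_to_marketing_list": False,
        "consent_record": None,
    }
    if answer == "yes":
        outcome["add_to_marketing_list"] = True
        outcome["consent_record"] = {
            "source": form.get("form_id", "unknown-form"),
            "recorded_at": now.isoformat(),
            "statement": CONSENT_STATEMENT,
        }
    return outcome


# Constructed templates: an unticked box, the same box pre-ticked, and a drop-down
# whose default is a neutral "Please choose" option.
GOOD_TEMPLATE = f'''
<form method="post">
  <input type="email" name="email" required>
  <label><input type="checkbox" name="{CONSENT_FIELD}" value="yes"> {CONSENT_STATEMENT}</label>
  <button>Send me the guide</button>
</form>'''

BAD_TEMPLATE = GOOD_TEMPLATE.replace('value="yes">', 'value="yes" checked>')

GOOD_DROPDOWN = f'''
<select name="{CONSENT_FIELD}" required>
  <option value="" selected>Please choose</option>
  <option value="yes">Yes, add me</option>
  <option value="no">No thanks</option>
</select>'''

SUBMITTED_AT = datetime(2018, 6, 1, tzinfo=timezone.utc)  # constructed timestamp

if __name__ == "__main__":
    print("unticked box ok:", template_is_compliant(GOOD_TEMPLATE))
    print("pre-ticked box ok:", template_is_compliant(BAD_TEMPLATE))
    print(process_optin({"email": "pat@example.com", "form_id": "guide-optin"}, SUBMITTED_AT))
    print(process_optin({"email": "pat@example.com", CONSENT_FIELD: "yes", "form_id": "guide-optin"}, SUBMITTED_AT))
```

The template check is the part worth wiring into whatever publishes your opt-in pages, since a designer "helpfully" ticking the box by default is the easiest way to lose the affirmative action the post insists on. The consent record keeps the statement text, the form id and the time, which is the proof you need if someone later asks when and to what they agreed.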

The role of the Privacy Policy related to GDPR

Part of what GDPR says is that when you are going to collect data from people, you have to inform them at that point of certain things, and you do this via a Privacy Policy.

What do you need to include in the Privacy Policy?

You have to give them all the relevant information about all the relevant people. This includes you or your company, and if you have a data protection controller then you need to identify them and give their contact information. Then you need to share what you are collecting from them and on what basis you are collecting it. You also need to share why you are collecting these things and what the legal basis is, for example, you use data analytics to improve the performance of your website (which is the standard language most people have been using). Then you have to talk about what you do with the data, e.g. "if you consent, I am going to send you emails and they will include promotions." You also have to disclose if you are going to share the info with others. You might think you don't share the data, but you do! For example, my data is held by email autoresponder software, as will yours be if you are list building. Also, it's worth noting that if you are using any other platform, you are sharing the data with those systems too. Luckily you don't have to identify them all by name. Finally, there are certain rights under the GDPR that you have to list. These are specific; it's things like the right of erasure, the right to withdraw consent etc.

Where do you put the privacy policy?

You should have a stand-alone page on your website where you literally just paste the privacy policy and that's it. You should do the same thing with all the other legal policies on your website. Have links to the privacy policy page in your footer navigation bar, and do the same with any outside services, i.e. Leadpages or ClickFunnels, if you don't have a website. You need to do the same with the opt-in pages too: say you are going to treat the information consistently with your privacy policy and put a hyperlink on 'Privacy Policy' so anyone who wants to can go and get access to it. This applies to purchases too; anywhere people are giving you their personal data, make sure you supply a link to your privacy policy.

I hope you have found this short post beneficial and it has helped you understand the GDPR a little more.

Now it’s time to get to work and ensure you are compliant!

Have a wonderful rest of the day…