9 Questions That You Are Afraid To Ask About The GDPR

Moosend recently held a free webinar on how to tackle GDPR compliance. In this webinar actionable strategies to assist your endeavors towards becoming GDPR compliant were discussed and thoroughly explained. Here are 9 key facts you were too afraid to ask:

Over the past few weeks, more and more questions have surfaced regarding the EU’s GDPR. Some of them are easy to ask, but we know there are some you might be too afraid to ask (or too afraid to hear the answer to).

We put these questions to the Head of Content at Moosend, an email marketing software with advanced features, and this GDPR-savvy marketer provided answers to what has been daunting businesses and marketers all over the world.

Before we go deep, let us set the foundations for this enlightening discussion:

#1 What does EU stand for?

EU is the acronym for the European Union, the political and economic union of 28 member countries. The EU is governed by an established set of laws that all 28 members have to abide by.

Since its inception, the EU’s aim has been to provide free movement of people, goods, and capital among the member states.

#2 Is GDPR an Enemy or a Friend?

To answer this question, let’s start with this: if you are a marketer who has never bought or scraped an email list, you are on the right track for GDPR compliance. If you have, there’s still hope for you.

GDPR enforces a single, coordinated data privacy law in place of the various national data privacy laws across European countries.

Destined to protect privacy for individuals and empower them over their personal data, GDPR is granting users complete control over who processes this data and in what way.

At the same time, GDPR compliance requires businesses to reshape their approach to data privacy. Essentially, it requires businesses to re-evaluate what they do, instead of exploiting data.

#3 Why do we need GDPR compliance?

GDPR is all about personal data.

Personal data is defined as any piece of information that can be linked back to a certain person, basically allowing them to get identified.

Under the General Data Protection Regulation, users are now empowered over their personal data. Essentially, the new regulation requires that businesses bake data privacy settings into their product, and improve their ways of requesting permission to use this data.

This way, the law ensures that businesses do not exploit personal data to leverage their marketing communication strategies and campaigns.

#4 Is company data considered personal?

Company data are not considered personal.

For example, a VAT number, billing details, general email addresses (like hello@domain.com) or other business-related information is not considered personal.

Which employee data is considered personal? Some of the most common employee data is their position in the company, their email as well as their billing information.

#5 Our clients are companies. Are we in for GDPR compliance?

If you can be sure that you only access, process, and store company-related data, then GDPR doesn’t affect you.

But this is a rather improbable scenario because anything that relates to one’s personal, professional, or public life is considered personal data.

Even if within your company records you have a single email from a person from another company, then this is personal data. For example, a signature of, say, a general manager on a contract can be considered personal data because it shows that this individual holds the GM position in the company.

#6 Is it necessary to re-gain customers’ consent for existing lists?

Well, can you vouch for the practices previously carried out at your business? Are you sure that your mailing lists are complete with users’ consents, and that the lists grew organically?

If so, you have nothing to worry about.

On the other hand, if you haven’t been with the company since forever and are unsure of the processes through which your predecessors obtained these emails, we recommend you try to get consent through soft double opt-in or double opt-in.

Remember, it is not compulsory to have double opt-in for GDPR compliance purposes. As long as you can prove users’ consent, then you can have certain mailing lists as single opt-in.

#7 How to run GDPR-compliant giveaways on social media?

A practice that many companies use in order to grow their user base, as well as capture valuable data from their fans (e.g. emails), is that of giveaway contests on social media.

Is GDPR putting an end to that type of engagement? Check below on how to avoid running into issues with your giveaways:

  • Under GDPR you cannot force users to subscribe to your newsletter.
  • Do not put consent to receive further communication in the same box as age certification.
  • All boxes should come un-ticked.
  • Do not add pre-ticked boxes, as they do not express the conscious choice of the user.
  • Do not make further communication a mandatory field or box to check; it cannot be a
    condition for participating.
  • Do not have users check a box to opt out instead of opting in.
  • Simply put, consent to receive emails cannot be the starting point.

What is the best way for your fans to enter your competitions? To enter the competition, users will need to:

  • Provide a username and email and provide you with the correct answer.
  • Choose whether to tick the box of further communication or not.
  • Read an explicit message about terms and conditions for the competition and a data privacy disclaimer.

#8 Which third party can certify us for GDPR compliance?

The fact of the matter is that there is no GDPR compliance certification per se. However, what might seem like a gray zone to some is really straightforward: render your processes as transparent as possible.

For example, if the Marketing Manager asks the graphic designer for the credentials of an online design tool, you must have a record of this request.

With respect to Email Marketing, when your users must sign up to access information on your website, then you should not use this email address in another mailing list to send them more content.

Unless they have specifically checked a box that they wish to receive further communication from you, you should only send them emails that are of interest to them.

To that extent, an email preference center might be of help.

In essence, subscribers will not unsubscribe from all of your lists at once, rather they will be able to update their profile and customize it accordingly.

Data controllers (B2B and B2C businesses collecting and holding personal data of users) and data processors (processing large-scale personal data of clients) must take as many actions as possible to ensure that their actions are transparent.

GDPR compliance is essentially a sum of best practices around user experience and privacy.

#9 I’ve heard that “Unsubscribe” is different from “Delete” – do you support email delete requests?

You got that right: deletion of data is different from the Unsubscribe link when we send an email marketing campaign.

Now, when a subscriber hits Unsubscribe, then the action taken automatically on the platform is to remove them from the list.

A user will have to specifically ask for deletion of their data (aka the “right to be forgotten”) for you to remove it from your records. But – there is a but.

When the user asks for the deletion of their data, you should stop all communication. From that point on, you don’t generate new data or process the existing data.

But actually deleting this data is another story. You see, it might not be entirely up to you to delete this data altogether.

  • As a case in point, there could be a regional law requiring that this data stay with the company for X months before it can be deleted, because it may serve as evidence, for legal claims or other purposes.
  • Another example is that you may need this data as proof of compliance or non-compliance with the company terms and conditions, the anti-spam policy, etc.

So, you should delete the data as soon as it’s certain that there is no reason to keep it.
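To make the unsubscribe-versus-erasure distinction concrete, here is an added Python sketch (not Moosend’s code or anything shown in the webinar) of a subscriber record that keeps list membership, a suppression flag set the moment an erasure request arrives, and a legal-hold date after which the record is actually purged; the `Subscriber` fields, the 30-day month and the sample addresses are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set
@dataclass
class Subscriber:
    email: str
    lists: Set[str] = field(default_factory=set)
    suppressed: bool = False                 # no communication, no further processing
    legal_hold_until: Optional[date] = None  # retention obligation, if any
    deleted: bool = False

def unsubscribe(sub: Subscriber, list_name: str) -> None:
    sub.lists.discard(list_name)  # drops one list membership; the record itself stays

def request_erasure(sub: Subscriber, today: date, hold_months: int = 0) -> str:
    """Erasure request: stop communication and processing now; delete unless a hold applies."""
    sub.suppressed = True
    sub.lists.clear()
    if hold_months > 0:
        # Assumption for the example: a retention month is counted as 30 days.
        sub.legal_hold_until = today + timedelta(days=30 * hold_months)
        return "held"
    sub.deleted = True
    return "deleted"

def purge_expired_holds(subs: List[Subscriber], today: date) -> List[str]:
    """Delete every held record whose retention period has ended; return their emails."""
    purged = []
    for s in subs:
        if s.legal_hold_until is not None and s.legal_hold_until <= today and not s.deleted:
            s.deleted, s.legal_hold_until = True, None
            purged.append(s.email)
    return purged

def may_contact(sub: Subscriber) -> bool:
    """A campaign may only reach a live, unsuppressed record that is still on a list."""
    return not sub.deleted and not sub.suppressed and bool(sub.lists)

def run_demo() -> tuple:
    today = date(2018, 5, 25)  # constructed date for the walk-through
    a = Subscriber("a@example.com", {"newsletter", "offers"})
    unsubscribe(a, "newsletter")
    b, c = (Subscriber(e, {"newsletter"}) for e in ("b@example.com", "c@example.com"))
    return (
        may_contact(a),                                            # True: still on "offers"
        request_erasure(b, today),                                 # "deleted"
        request_erasure(c, today, hold_months=6),                  # "held"
        may_contact(c),                                            # False: suppressed while held
        purge_expired_holds([b, c], today + timedelta(days=180)),  # ["c@example.com"]
    )
```

The suppression flag is what stops campaigns during the hold, while the hold date is the only thing that decides when the record is finally removed.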


GDPR should be seen as a positive development in the field of best practices for email marketing and whitehat email marketing.

The new regulation is bound to raise the bar for quality content. In the meantime, do consult with an attorney to ensure your business is legally covered.

*This article is not a legal instruction. This information is supplied without liability.*




Part of this article was first published on Moosend.