GDPR final checklist for email marketers + FREE GDPR privacy policy templates

Ok, so we’re on the last lap now before GDPR comes into effect on 25 May! Relieved? Here’s the final GDPR checklist of things you should have done to keep your email marketing on the right side of the new law:

GDPR final checklist


1. Update your privacy policy


You can find free templates for GDPR privacy policies here or here and the privacy notice here.


2. Inform your subscribers about the policy update


Yes, send this annoying email now. 


3. Adjust your subscription forms, sign-up boxes and pop-ups


…on all your landing pages. Remove any pre-ticked checkboxes and opt-outs and replace them with opt-ins (buttons or unticked checkboxes) to make sure that the new subscribers sign-up through ‘affirmative action’. Also, make sure your privacy policy is linked on the forms – you can read more about GDPR-friendly subscription forms here.


4. Make sure you have a process in place for how you store and protect user data


Have a clear description of the process (how the data is processed in your business and what for).


5. Make sure your business has a designated ‘data processor’ and ‘data controller’


– a natural or legal person who is responsible for processing personal data in your company and for controlling the process respectively.


6. Keep a clear record of how you obtained consent from your current subscribers


When, how and why (what for) you obtained their data – timestamp, wording, source.


7. Send re-permissioning emails


If you don’t have clear evidence of consent obtained through subscribers’ affirmative action for all the contacts on your mailing list, send a re-permissioning email asking them to re-subscribe. You can find templates for GDPR re-permissioning emails here.


8. Give people an opportunity to unsubscribe


…that can be easily found in each newsletter.


9. Ask your subscribers to update their preferences


If you are sending newsletters with multiple types of content (e.g. editorials, promotions, affiliate links) then ask your subscribers to update their preferences. They should opt in to receiving each type of content through separate affirmative actions (ticking separate checkboxes etc.) to comply with the ‘one purpose, one consent’ rule.


10. Make sure that the sender of the newsletter is always clear


…and is the same one the subscribers have given their consent to – i.e. if you have subsidiary companies or lateral businesses to yours, you will not be able to send emails from them to the subscribers in your existing business without their separate consent.


Good practice (although not required by law per se) – introduce double opt-in for your subscriptions.


In conclusion, GDPR is not as scary as it seems for email marketers. Even if you lose some of the subscribers that never open your newsletters in the first place (and hence lower your email marketing ROI) – it will be only good riddance. 😊 As Neil Patel said: ‘If you are chasing quantity over quality when it comes to your email newsletter list, then you are wasting your time.’

GDPR puts an end to the (at least legal) nuisance of having your email sold to third parties, and of being surreptitiously subscribed to several mailing lists while doing online shopping just because you overlooked the option to opt out.

It promotes good, engaging content that people actually *want* to read. Engagement is everything – it doesn’t matter how many subscribers you have if 95% of them don’t even open your emails.

So, keep calm & love GDPR 😉





  1. Jessie Leslie says:

    Thanks for the article, great points! I honestly feel ready, but still feel like after a few days I’ll find out some stuff that will be totally new for me. For example here they say that you even need consent to see and save their IP information and such, and so much more. So I mean they disagree with cookie policy? Too bad then, can’t follow ’em anymore. Tough luck really.

    • Emilia says:

      Thanks for the kind words Jessie! Ugh, yes, IP information is personal data in the light of GDPR. But I think accepting the cookie policy notice (check if the notice text has to change as well to conform with GDPR, I’m not a cookie expert to be honest 😉 ) will make it all legit. Good luck with implementation! 🙂

  2. Anke says:

    I do not send emails from my website yet as that was not possible through my old website, so I send emails from my computer without using MailChimp and give an unsubscribe option. As this is about privacy laws and I have no info to be stolen or passed on and I do not live in Europe, should I do anything now?

    • Emilia says:

      Hey Anke! It’s not about how you send your emails, it’s about whether the people you are sending them to agreed to that in the first place (and whether you can show some evidence for that 😉 ) In practice, if you have a small email base that you are able to send emails to manually, I bet you have an established quality relationship with them = you should be fine 🙂 Oh but why not try an email marketing tool then? Get a Newsletter is a lot easier to use than MailChimp – you can use it for free with a small client base too –
