What Does GDPR Mean for Email Marketing in the UK?
GDPR — the General Data Protection Regulation — has been in force in the UK since 2018 and continues to apply post-Brexit via the UK GDPR framework. For businesses that use email marketing, it sets out clear requirements around consent, transparency, and data management. Failing to comply can result in fines, but more practically, it undermines the trust your email list is built on.
The good news is that GDPR-compliant email marketing and effective email marketing are largely the same thing. The regulation essentially codifies best practice: ask permission before you email people, tell them what they are signing up for, give them an easy way to leave, and do not hold their data longer than necessary. Businesses that follow these principles consistently outperform those that buy lists and blast unsolicited messages.
Consent and Lawful Basis
For marketing emails, the standard lawful basis under GDPR is explicit consent. This means the subscriber must have taken a clear, affirmative action to agree to receive marketing emails from you. A pre-ticked box does not count. The subscriber must tick the box themselves, and the wording must make clear what they are consenting to and who will be contacting them.
There is a separate basis called "legitimate interests" that some businesses rely on for B2B marketing, particularly for follow-up emails after a meeting or event. This is more nuanced and carries conditions — the marketing must be genuinely relevant to the recipient’s professional role, and they must have a reasonable expectation of receiving it. When in doubt, explicit consent is the safer and cleaner approach.
What You Must Include in Every Marketing Email
Every marketing email you send must contain a clear and easy way to unsubscribe. This is a legal requirement under both GDPR and the Privacy and Electronic Communications Regulations (PECR). The unsubscribe link must work, and the unsubscribe must be processed promptly — within a few days at most, and immediately if you are using an automated platform that handles it in real time.
Your emails must also clearly identify who is sending them. The sender name and email address must be genuine — not a no-reply address with no route back to a real person or organisation. Your physical business address should appear in the email footer. These requirements protect recipients and give them the information they need to make an informed choice about whether to continue receiving your emails.
Data Storage and Record Keeping
Under GDPR you must be able to demonstrate that you have consent for everyone on your marketing list. This means keeping records of when and how each subscriber signed up, what they consented to, and how that consent was captured. Most email marketing platforms log this automatically — check that yours does and that the records are stored securely.
You should not hold subscriber data indefinitely. If a contact has not engaged with your emails in a long period, consider running a re-engagement campaign and removing those who do not respond. Data minimisation — holding only the data you need for as long as you need it — is a GDPR principle that also makes practical sense: a leaner, more engaged list performs better than a bloated one full of people who have lost interest.
Common Questions
Can I email people who have bought from me without asking for consent?
What happens if I get a GDPR complaint about my email marketing?
Does GDPR apply if I am sending emails to people in other countries?