GDPR Compliance – A Message to our Clients

As I’m sure you are well aware, the new data regulation (GDPR) comes in to effect on May 25th 2018 and in light of this we are contacting all of our clients to ensure that you know what to consider with regards to the data being used for your email marketing.

If you need more background information about GDPR in the context of Email Marketing, we have produced a practical guide with our legal partners Stephens Scown. You can download your free copy here if you haven’t done so already.

As the Data Controller, you are responsible for ensuring that the data being stored and processed by Jarrang (the Data Processor) is compliant with the current data regulations, which means, amongst other considerations, you have the right permissions to send them email marketing communications.

As the Data Processor, Jarrang will ensure that your data is stored and processed in a compliant manner, however we are not responsible for choosing which data is processed, the legal basis under which that data is processed, or the content that is sent to the data subject.

We cannot provide legal advice so if you need it, we do recommend that you speak to a legal professional or data privacy practitioner to discuss your individual needs and establish your policies for data management and processing.

That said though, we are happy to share with you what’s going on across our client portfolio, which may help to guide your decision making.

Typically speaking, there are two key legal bases under which you can lawfully process data for email marketing purposes: Legitimate Interest and Consent.

The majority of clients working with Jarrang send email marketing communications to their customers (people who have ‘transacted’ with them in the past, and in the course of that transaction, have supplied their email address). This data was collected legitimately under the current laws and they can prove the transaction e.g. date of sale; or date of last stay.

Most are using Legitimate Interest as the legal basis under which they will continue to send email marketing communications in the future. Apart from cleansing their current customer database by removing unnecessary data fields and unengaged contacts, they can usually carry on using this data with very little further action.

Some customers are asking us about sending ‘Re-Consent’ emails to ask their database to Consent to receiving future email communications. This is typically only necessary where the source of the data cannot be proved i.e. it is not clear if the data subject has been a ‘Customer’, or if they haven’t engaged for a very long time.

It should be said here that different data sets within a database can be processed in different ways so the majority of data could continue to be used under Legitimate Interest, but other data sets may need to use Consent. Only the data needing Consent, will need to be sent a ‘Re-Consent’ email.

We do suggest that customers think very carefully about sending ‘re-consent’ emails to a customer database because once this has been sent, one cannot simply decide to go back to processing data under Legitimate Interest, particularly if the response is very low.

On a purely pragmatic level, if a business already has Consent, or can use another legal basis, such as Legitimate Interest, to send email communications to its clients, why would they want, or need, to ask for this again?

Businesses sending re-consent emails have decided that they do not want, or cannot use, Legitimate Interest as the legal basis. They also accept that there will be a very low click-through rate on their re-consent emails and may see their database size fall by as much as 90%.

On a Commercial level, there should be a serious conversation about the impact such a reduction may have the on the revenues from the email channel. If Legitimate Interest can be used for customers, it could be favourable to do so.

So once you have confirmed your legal position what are the practical things that can be done next to cleanse the email marketing database that Jarrang holds for you? We have put together some thoughts:


Only store the fields on your email marketing platform that are necessary for you to process the email marketing communications.

For example, you may wish to keep the email address (obviously!), post code and date of last purchase, but do you need to keep first last names, postal addresses, or date of birth? If there was a data breach, you need to demonstrate that you have minimised the amount of data that can be leaked and the damage that leak might cause.


Decide how long you want to keep a contact on your database after their last engagement with you (an engagement might be an “open’ of your email).

Typically speaking, most of our clients are keeping their data for two years after the last engagement and deleting anyone who hasn’t engaged within the same time frame. This will not only help you to be compliant but it could potentially save some budget on email volume. Database sizes will be lower, but the levels of engagement, as a percentage, will be higher.


Decide how frequently you should communicate with your database and ensure that you stick to a regular sending pattern.

For example, ensuring that each of your customers receives an email once a month will help you to keep your database fresh, especially if you are removing unengaged contacts on a rolling monthly basis too.

With this in mind, we also recommend removing the previously popular ‘engagement segments’ from your campaigns to maximize engagement potential and to aid data maintenance.


  • We can’t send emails, even ‘re-consent’ emails, to people who have previously unsubscribed
  • You can use both Legitimate Interest and Consent depending on the data sets within your database
  • Bought-in data is pretty much a no-no for B2B email marketing (it’s always been ano for B2C)
  • If using Legitimate Interest, only send content relevant to the original purchase
  • Moving forwards, the ICO is advising that prize draws and competitions must be open to all, without the entrant being automatically subscribed to ongoing email marketing.


Hopefully this information and our Practical Guide to GDPR and Email Marketing has already helped you, and although we can’t give legal advice, we do have services to support you with some of these changes to the way in which data can be legally processed:

  • Data Cleansing Project – We can remove unnecessary data fields and identify and remove unengaged contacts.
  • Ongoing Data Management – We can maintain your database on a regular basis by removing unengaged contacts and ensuring the database remains compliant with your policies.
  • Sending Schedule – We can work with you to create and implement a regular sending schedule to ensure that you’re demonstrating a regular sending pattern.

If you would like us to support you with any of these tasks, we can give you a quote for a project or update the scope of our contract with you.