What is GDPR-encryption and Why Did We Add It?

Woodpecker has committed itself to help you comply with the General Data Protection Regulation as evident in the GDPR compliance available on the main website.

To deliver on that promise, we’ve recently added a new feature to the Woodpecker app.

A feature that makes it easier for you to run a GDPR-compliant email campaign and safely process personal data of your prospects in Woodpecker.

As described here, GDPR introduced the storage limitation principle. It basically means that you can process personal data of your EU prospects as long as you have a well-defined purpose of processing.

Once that purpose is no longer valid, you’re expected to delete the data. You cannot keep it in your prospect base forever. And that’s even if you don’t contact your prospects ever again, because keeping data is still a form of processing.

When do you no longer have a valid reason for keeping the data?

Scenario #1:

One way that your reason for processing personal data expires is this one:

You finished sending a cold email sequence and you didn’t get any reaction from some of your prospects. They didn’t answer back to any of your emails. They ignored you.

That means that you no longer have a valid reason for keeping their personal data and therefore you should remove it from your prospect base.

Please note that GDPR does not specify the time period after which you should stop processing personal data. In case of cold email campaigns, we advise to GDPR-encrypt all the EU prospects within Woodpecker, that did not reply within 30 days since adding them to your prospect base.

Blacklisting the prospects isn’t enough. You will still be able to access their data after giving them a blacklist status and that’s processing. The new feature allows you to GDPR encrypt unresponsive prospects.

It means their personal data will no longer be processed, neither by you nor by Woodpecker. You’ll find more information about it later in this post.

Scenario #2:

Another scenario goes like this:

You’ve sent a cold email to some prospects who are EU citizens, and a couple of them ask you to stop contacting them and to stop processing their personal data. They have a right to do that. They can exercise their right to be forgotten.

So your reason for keeping their data in your prospect base expires. You need to delete them from your contacts.

However, how to make sure you won’t contact those people again?

A sound reasoning is blacklisting them in the Woodpecker app. But, as I mentioned, as long as you can see their data, it’s still processing under GDPR. So you feel like the right thing to do is just deleting them for good.


What if in a few months, you prepare a new campaign and you forgot who asked you to stop contacting them?

You fire up a new campaign, and you email some of the people who had previously asked you to remove their data.

This way, you’d also commit a breach of GDPR.

How can you prevent that without keeping their personal data somewhere? Again, GDPR encryption is a solution in this case.

Scenario #3:

Another example: you want to give your prospects a clear way to opt out of your cold email campaign. So you put an ‘unsubscribe’ link in your cold email copy. But what happens once they click on it?

Previously, if you didn’t want to reach out to a given contact in Woodpecker, you could have blacklisted them. That way, Woodpecker wouldn’t send them any more messages until you changed their status.

Yet, if the unsubscribed prospects are EU citizens, that’s not enough under GDPR, because you’d still have access to the personal data of those blacklisted contacts, which means you’d be processing their data.

For those reasons, we needed to add a new feature to Woodpecker: the GDPR encryption.

That feature is active for some time now, and I’m going to tell you how it works.

What is GDPR encryption in the Woodpecker app?

In order to respect the storage limitation principle, Woodpecker allows its users to GDPR-encrypt chosen prospects’ data. That means you stop processing the data.

Additionally, you get an option to choose if the ‘unsubscribe’ link, which you previously decided to include in the copy of your email, should allow the recipients not only to unsubscribe from further correspondence, but also have their data removed from further processing.

Keep reading to fully understand how it works.

How does it work?

Manual GDPR encryption

You can encrypt the personal data of any given prospect manually. Just go to ‘Prospects’, click on ‘Actions’, and you can apply GDPR encryption to any contact on your list you like.

The GDPR-encrypted prospects will not only be marked as ‘opt-out,’ but their personal data will be erased from the Woodpecker database. This way, you won’t contact them by mistake and you won’t be able to access the data hence, you’ll stop processing it.

GDPR encypt in Woodpecker view


This function will allow you to encrypt the data of the EU prospects who have not replied for more than 30 days. Check out Woodpecker’s help section for detailed instruction on how to use it.

Automatic GDPR encryption

Another option to have your EU prospects GDPR-encrypted is to switch to an additional option with the ‘unsubscribe’ link, which you may decide to include in your message.

Once the option is on, upon clicking the ‘unsubscribe’ link in your email, your prospects will be redirected to a landing page where they need to confirm their decision about what should happen with their data.

They may choose to simply unsubscribe from further correspondence, or request their data deletion. If they go for the latter option, their personal data in Woodpecker will automatically get GDPR-encrypted.



You can activate the automatic GDPR encryption in the campaigns message editor. Check out Woodpecker’s help section for a step-by-step instruction on how to set that up.

What will happen after the data gets encrypted?

Neither you nor Woodpecker will be able to process the personal data after that. You won’t be able to see the data. The data won’t be stored in the Woodpecker database anymore. In your Woodpecker panel, you’ll only see a string of bullet points instead of the personal data you entered. Even if you left a given cell blank, you’ll see bullet points.


In case you upload the data of previously GDPR-encrypted contacts to Woodpecker, they’ll still be marked as ‘opt-out’ in Woodpecker, so you can be sure won’t accidentally contact EU prospects who shouldn’t get contacted again.

How can I filter out GDPR-encrypted prospects?

You can filter out GDPR-encrypted prospects. Just click ‘More’ and choose ‘Show only encrypted prospects’ at the end of the drop-down list. If that’s the only filter you’ve chosen, you’ll see all GDPR-encrypted prospects. You can also filter out them further by Status, File name, or Tag.

What happens on the stats board?

The numerical data stays the same. When you click on ‘Campaign’, go to the ‘Prospects’ tab and click the GDPR-encrypted prospect, you won’t be able to see the content of your email. In its place, you’ll see a notification, “The message was deleted due to GDPR encryption.”

how GDPR-encrypt feature looks like in the app


Can you export GDPR-encrypted prospects into a .csv file?

Yes, you can still do that.

The only thing you’re not able to do is to create a new campaign for those prospects. Upon opening the exported .csv file, you’ll see a randomized sequence of signs in place of the actual personal data of a GDPR-encrypted prospect.

Summing up

The new feature helps you in running a GDPR-compliant email outreach. Thanks to that, you won’t process the personal data of prospects you don’t want to process. Take a few minutes to locate the new settings in the panel and test the new features in action when preparing your next cold email campaign for an EU prospect group.


GDPR – General Data Protection Regulation Practical Guide for Email Senders

GDPR – General Data Protection Regulation will be brought into effect on May 25, 2018. It's still a few months ahead, but it's good to learn right now how the regulation will affect you and your business. Especially if you send any kind of business emails. You could have already read some articles summarizing GDPR, but if you still don't know how it will actually affect you in practice and what to do to be GDPR compliant, check out this post.

Lean Approach to Email Outreach, or How Big Should My Cold Email Campaign Be?

Our users sometimes report to us that they couldn't find enough time to run their outbound campaigns. Yes, a well-thought-out cold email campaign takes some time to get prepared. But what we often observe is that cold email senders want to go large from the very beginning: have a prospect base including thousands of addresses, an 8-touch email sequence with A/B testing, and so on. In this post, I'm going to show you why it's more beneficial to start small. Check out what we call the lean approach to cold email, and why it's worth testing.

Should I Give My Cold Email Addressee a Way to Opt Out?

Some would immediately say Yes! to putting an unsubscribe link. Some would say No… The answer to this is more complex than it may seem, so whatever your first answer was, you may want to check this article for a non-radical but rather a common-sense approach to an opt-out in cold email.