GDPR – General Data Protection Regulation Practical Guide for Email Senders


GDPR (General Data Protection Regulation) will be brought into effect on May 25, 2018. It’s still a few months ahead, but it’s good to learn right now how the regulation will affect you and your business, especially if you send any kind of business emails. You may have already read some articles summarizing GDPR, but if you still don’t know how it will actually affect you in practice and what to do to be GDPR compliant, check out this post.

Disclaimer: You should treat this post as a guide that will help you understand the principles of GDPR. Please do not treat it as legal advice. If you’re looking for legal advice, contact a lawyer after reading this post and ask them for advice and answers to specific questions about your case.


Some GDPR basics to learn for starters

Download GDPR Compliance Checklist >>

What is GDPR?

It’s a legal regulation issued by the EU, more specifically by The Council of the European Union and The European Parliament. Its main purpose is better protection of personal data.

So it’s not about emails, or about SPAM. It’s about personal data protection. But since sending emails would not be possible without processing personal data (email addresses), it will naturally affect business email senders.

Who does it apply to?

The Council of the European Union designed GDPR to protect the personal data of natural persons who are European Union citizens.

It means that it will be binding for you:

as a person (to protect you):

  • if you are a European Union citizen,

as a business:

  • if your customers are European Union Citizens, or
  • if your email subscribers are EU Citizens, or
  • if your potential cold email recipients are EU Citizens, or
  • if, in any part of your business, you deal with any kind of personal data of EU citizens.

What does GDPR mean by the term personal data?

Personal data is any piece of data that allows one to identify a specific person. That’s the shortest and most practical definition. Is an email address a piece of personal data, then?

According to this definition:

[email protected] is not a piece of personal data, as it isn’t assigned to a specific person at a company. It doesn’t imply who the owner of the address is. It points to a company, not a person.

[email protected] is a piece of personal data, as it is assigned to a specific person at a company. It does imply who the owner of the address is, or at least it gives you enough information to identify a specific person at a company.

[email protected] is a piece of personal data, as it is assigned to a specific person.

Whether you work within a B2B or a B2C domain, you probably administer or process some kind of personal data. It’s most probably the data of your clients, your prospects, your users, your email list subscribers, or your employees.

Remember that GDPR is not about regulating email sending. It’s about regulating the ways in which you administer and process personal data of EU citizens in general. An email address is just an example here. In various contexts, data like telephone numbers, addresses, identification numbers etc. may be treated as personal data as well.

Is GDPR a completely new regulation?

No, it’s not. It’s a reform that is supposed to clarify, specify, and enhance the EU laws concerning personal data protection. Most of the GDPR principles were already expressed in some previous legal regulations. Only some of the principles are new. All principles mentioned in GDPR are described, with some practical examples, in the further sections of this post.

Why is it important?

According to Eurobarometer, 75% of surveyed EU citizens declared that they want to exercise their so-called ‘right to be forgotten’ (more details below). 90% of the survey respondents believe that it’s necessary to standardize the rights concerning personal data protection (source).

In short, data protection really matters to people of the EU. Especially in the light of the technological revolution which led to exchanging tremendous amounts of data online.

Because there’s such a vividly expressed need to tidy up the law and clearly state what’s OK and what isn’t when it comes to processing personal data, The Council of the European Union took the matter very seriously. In GDPR they’ve reformed the control organs, and now the organs will have real power (and commission-driven motivation $$$) to put serious fines on companies who obstinately ignore the GDPR principles.

All in all, personal data has a great value. If you risk the security of the personal data you process, or if you ignore the rights of the data owners, you may pay for your irresponsibility. Literally.

No worries, though. If you respect your clients’/prospects’/subscribers’ personal data and their wishes regarding processing the data, everything will be fine. Play fair, stick to the rules and you’ll be safe from unnecessary trouble.

How do we know all that is written in this post?

Oh, one important thing for you to know: I wouldn’t write this post if it was only my “I think so-and-so about GDPR.”

All the information you read here has been prepared for me by our Head of Customer Support Margaret Sikora, who is also a lawyer (LL.M in International and European Law). She has read the original version of General Data Protection Regulation from start to end, and what’s most important, she actually understood it… as she speaks lawyerish.

She also read a couple more books for lawyers devoted to the topic, and attended some legal training sessions focused exclusively on GDPR. All that helped her prepare a presentation with some real-life examples to help all of us at Woodpecker virtually understand what GDPR is all about. We can only hope we’ll be able to help you understand it as well, and most importantly, abide by it.


Formal steps to take before May 25

1. Appoint a Data Protection Specialist at your company.

We unanimously nominated Margaret for our Data Protection Specialist.

It should be a person who will officially take care of data protection at your company. Note that Data Protection Officer and Data Protection Specialist are two separate roles with different sets of competencies and responsibilities.

If you process sensitive data or there is a high risk when processing personal data at your company, you’ll be obliged to appoint or hire a Data Protection Officer. In all other cases, appointing a Data Protection Specialist will be enough to simply help you keep your company data processing policy coherent and applicable.

2. Review your Terms of Service, Privacy Policy etc.

It’s a good idea to review all the documents specifying the ways you process personal data in your company. According to GDPR, they should all be written in a clear language understandable to anyone.

If your terms or privacy policy sound like something only a bunch of lawyers could understand, make sure you change that.

Every person whose data you’re processing, or will be processing in the future, should be able to easily find in those documents:

  • the way(s) you process their personal data (what do you do with the data and what kind of data are processed);
  • the list of third-party services you use to process their data;
  • clear instructions on how they can make changes to their data, or request complete removal of their data from your database/email list/contact base (according to the right to be forgotten);
  • clear instructions on how to report to you a violation of GDPR principles that affected them, no matter if you are their data administrator or data processor.

3. Prepare a risk assessment for your company

… or ask your Data Protection Officer to do so.

It’s just a kind of a map that will help you improve data security. In the risk assessment, you should point out:

  • what data you process,
  • in what ways you process it and why,
  • who can access it,
  • and what may be a result if something goes wrong.

While working on the risk assessment, don’t forget to ask yourself these crucial questions:

  1. What’s my role in processing data: data processor? data administrator?
  2. What should I inform my customers or prospects about?

The roles and duties of data administrator and data processor

Data administrator

You probably obtain personal data from various sources. You collect email addresses from people who read your blog, or who visit your landing pages (inbound sources), you look for prospective B2B customers on LinkedIn and other platforms and build lists of contacts for cold emailing (outbound sources).

However you obtain the data, you collect it, have access to it, and process it in specific ways. Thus, you administer the data. That makes you a data administrator in the light of GDPR. This role makes you responsible for the purpose and the range of processing the data. You cannot just treat the data as some random lists of email addresses you collected for your own unspecified purposes.

People who signed up for your list have given you permission to process their data in specific ways. You can’t use their data in any other way than you promised them to once they’ve signed up for your list.

But what if they haven’t signed up at all? People whose data you’ve collected yourself should be carefully chosen prospects whose websites, social profiles, comments on various platforms, etc. include clear signs that they could actually benefit from whatever it is that you’re going to offer to them in your cold emails. More about that in the section about relevance, below.

Data processor

If your business is a SaaS or a platform to which its users upload any kind of personal data, you become data processor as you don’t administer the data yourself, but enable data administrators to process personal data they obtained for a specific purpose.

As a data processor, you are not responsible for the range and the purpose of processing the personal data used by data administrators. However, if someone alerts you that your users (data administrators) have violated some of the GDPR principles, you are obliged to react to such a violation.

It’s a good idea to prepare your company for such a scenario and clearly describe, in your Terms of Service or Privacy Policy, what actions you are going to take once you get notified of a GDPR violation.

You can be a data processor and data administrator at the same time. For instance, at Woodpecker we administer the data of Woodpecker users and email lists’ subscribers. In this light, we are a data administrator. On the other hand, we don’t administer the prospects’ lists uploaded to Woodpecker by our users; we only allow processing of the data. In this respect, we are a data processor.

There may be some more duties assigned to the role of data administrator and data processor specific for your country within the EU. It’s a good idea to do some research and learn about those country-specific responsibilities, or get some legal advice from a native lawyer specializing in personal data protection.

General Data Protection Regulation principles, and how they should affect your email outreach

After this longish intro and clarification of some basic terms and notions, let’s get to practice. This section will help you understand what steps you should take to respect GDPR while sending emails.

GDPR lists a bunch of principles which you should abide by when processing personal data. Stick to those principles, and you’re GDPR compliant.

I’ve listed the principles below and tried to explain what they’re all about in practice. I’ve focused very much on the context of email outreach, as this is vital to Woodpecker users. But even if you don’t use Woodpecker, but some other tools automating email sending, or you still send some cold emails manually, this section will help you understand what GDPR is about.

1. Lawfulness, fairness, and transparency

Those first three principles are very much about obtaining the personal data you’re planning to process. All the actions you take to build your email lists (either by opt-in or by collecting the data yourself) should be legal, fair, and transparent.

What does that mean in practice?

You should be able to clearly answer the question:

“how did you get my email address?”

… and “I’ve bought an email list.” is not a full and satisfactory answer to that question.

I’ve been enhancing the importance of building your own lists for over 3 years on this blog now. GDPR only enhances my enhancements. If you have an email address on your sending list, you should know exactly why it’s there. Even if you hired someone else to get your list for you, you should be fully aware of the data collecting process to be sure it’s been fair towards the data owners, and above all legal.

Cold emailing lists

While building a list yourself, in case of cold emailing, you need to be sure that each and every person on the list is likely to benefit from your business-related offer. Moreover, the purpose of your email or the offer you make in the message should be clearly connected with the business of your prospect. But more on that in the section Adequacy, relevance, and limitedness, below.

In other words, your answer to the question “how did you get my email address?” should be more like:

“I’ve found your comment about tools for content marketers on LinkedIn in Content Marketing Group and it made me think you may be interested in checking out our software for content writers. I checked your marketing agency website and confirmed that you are a content writer. Then, I invited you on LinkedIn, you accepted my invitation, and I downloaded your email address from my list of connections.”

And no, you probably won’t have to write that kind of a message to each and every one of your prospects. It’s just about having in place a transparent process of obtaining personal data (email addresses, in this particular case) and being able to describe it in detail if someone ever asks you to.

To sum up, if you’re able to justify why you chose a specific person to be on your cold emailing list for a specific cold email campaign, you’ll be able to clearly answer the question “how did you get my email address?” And that answer should present your process of obtaining lists as legal, fair, and transparent.

Opt-in lists of subscribers

You can also have an email list including addresses of people who opted-in for it. The most important rule to follow while collecting email list signups is to be transparent or, simply put, tell people straight what exactly they are signing up for.

If you’re asking for an email address to send someone an ebook, the subscribers who decide to provide you with their email will expect you to send them the ebook… Just the ebook. Not an ebook first, and then 3 emails a week for half a year. I’m sure you know what I mean.

If you’re planning to send them more than just the ebook, they should be informed about your intentions before they decide to sign up. Tell them what they are going to get, how often and/or for how long. Put this information right next to the subscription form in easily comprehensible words.

GDPR stresses the need to simplify the language of consents, so that every person who is about to give a consent to process their personal data is fully aware of what he or she actually agrees to.

Also, if your subscription form involves some checkboxes, leave them unmarked by default. According to GDPR, your subscriber should express their intentional consent to process their data in specific ways. They will intentionally agree by marking such a checkbox themselves.

This is something I had to change in our Woodpecker trial signup form.


2. Adequacy, relevance, and limitedness

The personal data you collect should be adequate and relevant to the purpose of its processing. You shouldn’t collect any data that is unnecessary to you as data administrator or data processor. Additionally, if possible, the personal data you collect should be pseudonymized in order to ensure the highest possible level of its security.

What does that mean in practice?


Don’t collect personal data that you don’t need

Firstly, you should collect only the personal data that you’re going to use in your cold email campaign. If you’re not going to call your prospects, don’t put their phone numbers on your prospect list. If you’re not going to send them anything via traditional mail, don’t put their company addresses on your prospect list. Keep things simple. Don’t collect any data that you don’t have a clear plan for.

If you stick to that, not only will you be GDPR compliant, but your prospect base will get lighter and more accessible to you. It’ll be easier to work with it.

In this post, I described a way I’ve used myself while building a database for cold emailing and writing your email copy at the same time. The process will help you avoid wasting time on collecting the data you don’t really need.

In the cold email, inform your prospect about their data processing

According to GDPR, you should inform the person that their personal data is being processed. An easy solution here is adding a disclaimer at the very end of your message. The disclaimer should contain 3 pieces of information:

  • a statement informing that you process your prospect’s data;
  • a short explanation of why you are processing it;
  • an instruction on how they can change the data you process or request removal of their data from your list.

Here’s an example of such a disclaimer (it’s not the only correct official form, you can use different words to express the same):

I chose to contact you because I have strong reasons to assume that you can benefit from what I present in this email. I’m processing your name and email address only because I wanted to send you this message. If you want me to change the data I used to contact you, or remove your data from my list, hit reply and let me know.

You can also use an ‘unsubscribe’ link, if you want to. But you don’t necessarily have to use the word ‘unsubscribe’. The important thing is to give the prospect an easy way out of further correspondence and from your contact list.

Enough of the “spray and pray”: target carefully

“Throwing spaghetti on the wall” days are officially over. I’ve been convincing readers of this blog, since its very beginnings, that the quality of their prospect base matters and that its quantity should never be their concern as much as accurate targeting. GDPR supports that approach as well.

Sending hundreds and thousands of cold emails to a random list of email addresses is something that violates GDPR.

Therefore, you should pay more attention to carefully choosing your prospects, segmenting them, and customizing your email campaigns. Your prospects should not be wondering why you’re emailing them. They should immediately understand why you chose them as your addressees. That’s possible only if you take proper care of your targeting and craft good email copy.

If you make an offer in your cold email, the offer should be clearly connected to the specifics of your prospects’ business. Let me explain what that means with examples:

Example 1 – GDPR compliant offer-business match

Company X produces an email server security solution. The company finds Woodpecker online and confirms that Woodpecker is an email automation software. They find out on LinkedIn the personal data of our Head of Integration and Deliverability. They contact him via cold email offering their software.

A company producing email automation software could definitely be interested in an email server security solution. In this case, the offer would be clearly connected with a specific business activity declared in the company statute.

Example 2 – GDPR non-compliant offer-business match

Company Y offers web development services. The company finds Woodpecker online and confirms that Woodpecker is an email automation software. They find out on LinkedIn the personal data of our Head of Marketing (yours truly). They contact her via cold email offering their services.

You see, just because someone has an online business and they have a website, you can’t assume they may be in need of web development services. Of course, in marketing, we do produce websites. But it’s not an activity that’s a part of our company statute.

So, when would it be justified for a web development company to send a cold email offering their services? For instance, if they were contacting other web development companies to offer their support. Or, if they were contacting digital marketing agencies declaring that they handle web development as well. To sum up, the business activity of your prospect’s company has to be clearly connected with the offer you put into your email. That’s what makes the offer relevant.


Do you recall the last time you got interested in an ebook and actually wanted to download it?

Then the next thing you ran into was a 12-field subscription form in which, apart from your email address and first name, you are obliged to enter your surname, the country you come from, your title, your phone number, your gender, your company name and website, the number of employees at your company, your dog’s name…, etc.

Well, that’s not what the company will need to send you an ebook. First of all, please don’t do that to your subscribers.

Second of all, you shouldn’t ask for all this data without clearly justifying what you need it for right next to the subscription form. And I saw companies writing that they need all this info to improve my browsing experience, personalizing the website for me, and sending me only valuable content…

But hey, they don’t need my phone number to do all that. They need it so that one of their salespeople could call me once they classify me as a potential customer. But this is not what they tell me right next to the subscription form. And according to GDPR, they owe me at least that information if they require my phone number to download an ebook.

They also owe me at least a hint that the ebook will not be the only thing they are going to send me. If they plan to send me 1, or 2, or 3 emails a week after I sign up for the ebook, they are obliged to inform me about that, so that as a subscriber I know exactly what I’m just about to sign up for (again, fairness and transparency).

Ok, that was from subscribers’ perspective. Now let’s get back to being marketers: according to GDPR, your forms should ask for only as much data as required for the processing purposes. That’s what limitedness means. If you ask for more data, you need to explain what you need the information for: how it will be processed and for what purpose.

3. Accuracy

You should make sure that the personal data you process is accurate and up to date. To make that possible, the data owners should have a clearly described and easily available option to change their personal data. They should also be able to exercise the right to be forgotten and the right to assist in data deletion.

What does that mean in practice?

For cold email senders

As we already established, being a cold email sender you should inform your addressees in what way they can exercise their right to be forgotten or their right to assist in data deletion. That’s about giving them a clear way to opt out (nothing new, it’s always been a rule in cold emailing).

You can use an unsubscribe link mechanism if you want to. But you can also simply write in your email what they should do to have their data removed from your prospect base. It could be, for instance:

If you want me to change the data I used to contact you, or remove your data from my list, hit reply and let me know.

Again, that’s not an official formula. There’s no official formula. In fact, if you use any formula, it should not be official, nor should it sound lawyerish. You should use as simple words as possible.

Once someone expresses their will to delete their data, you should respect that immediately, remove their data from your prospect list, and make sure they won’t be contacted again.

For email senders using opt-in lists

If you email people who signed up for your list, you also need to give your addressees a clear way to opt out. An ‘unsubscribe’ link in every message became a standard in this case, as well as a link where your subscriber can edit their data by themselves. It’s also a good idea to include a short reminder in your email footer about how your subscriber got on the list in the first place.

We use MailChimp for sending our marketing emails and product updates, and the formula we use there looks like this:

I like it because it’s clear and simple. You know who you got the email from and why, and you can change your data or unsubscribe right there with one click. Make sure the email marketing tool you use offers the same options to your subscribers. If it does, you’re all set.

4. Storage limitation

You shouldn’t process personal data longer than is necessary for the purpose of its processing. Therefore, you should enable your prospects/email list subscribers to exercise the already mentioned right to be forgotten and the right to assist in data deletion.

The storage limitation is a new principle introduced by GDPR. At the same time, GDPR does not specify the exact time which is “necessary for the purpose of processing personal data.” In practice, the time will depend on: how you’ve obtained the personal data, in what way you process it, and what relation you have with the data owner.

What does that mean in practice?


We’ll be advising all Woodpecker users who send cold email campaigns to clear their contact bases of contacts who haven’t responded in any way for more than 30 days. The time period has not been specified in GDPR, but it’s a reasonable time to wait for an answer. Lack of any answer over this period will suggest that the prospect is probably not interested; hence, as data administrator, you won’t have any reason to process their data any further.

We will add some functions in Woodpecker that will allow you to select such non-responsive prospects easily and mark them with a proper status to stop processing their data.

If a prospect replies to you with a positive response, the time of processing their data will naturally depend on your further relation or lack of it.

For email senders addressing opt-in lists of subscribers

If a person expressed their will to subscribe to your list and their consent to process his or her personal data, technically you are entitled by this consent to process their data until they withdraw the consent.

If someone becomes your client, he or she enters into a business agreement with you. This gives you the right to process their data for the whole duration of the agreement, and after that as well. The time you can process your client’s personal data, in this case, will be specified by the law of your company’s native country.

5. Integrity and confidentiality

As data administrator, you are obliged to take proper care of the security of the personal data you process. You should never share with third parties (other people or companies) the personal data you process, unless you have the clear consent of the data owners to do that.

What does that mean in practice?


Whether you send cold emails or email marketing messages to opt-in lists of subscribers, the rule works the same: treat the personal data you process like something you borrowed.

It’s not yours to manage freely. If you plan to share it with someone else, the data owners should be clearly notified about your intentions and you should have their consent.

So, if you organize a webinar in partnership with another company, you can’t just exchange the lists of subscribers each of you collected, unless the subscribers are previously informed about who’s going to process their data and they agree to get emails from both of your companies.

Again, these are not just files with random data that belongs to you. Contact lists including email addresses and other types of personal data are valuable assets and GDPR stresses that they should be guarded as such. Both as data administrator and as data processor, you are obliged to take proper measures in order to provide the greatest possible level of security for the data you process.

Moreover, you should be able to prove that you took those measures in case of an inspection. A safe solution to that would be to prepare documents stating who at your company can have access to specific types of personal data that you process.

For instance, HR people will probably require access to personal data of all employees, but it may be totally unnecessary to sales reps. The marketing team will have access to a list of blog subscribers, but HR people may not need that access at all.

Think of who can access various types of data at your company. Then, regulate and document that. If an inspector asks you who can access what, you should be able to tell them (or better, show them a document, as supposedly they love flicking through papers).

You should also openly inform your users, customers, and subscribers where their personal data is physically stored. So if you have servers in France and Canada, like we do, you should officially inform about their locations in your Privacy Policy or another document. We do that in the Safety & Security document on our website.


I know, it’s a long post. But it probably doesn’t cover the topic in its entirety anyway. I hope it will help you understand the basic principles mentioned in the document and take some actions to be compliant with it.

Hope it will allow you to understand that GDPR is not a regulation that is supposed to kill cold emails or newsletters. It’s a document that is supposed to enhance the value of personal data, and the rights of EU citizens to full control over processing their personal data.


What to take away from this post

GDPR does not forbid sending cold emails.

  1. It only regulates that you should have a strong reason to contact a person who hasn’t expressed their consent to process their data. The offer you put in your cold email should be logically connected with their business statute.
  2. So if you send cold emails, spend some serious time on more precise targeting of your campaigns. Quit spraying and praying. Customize and personalize your email copy and send it only to people at carefully chosen companies matching your own business. Make sure both sides are likely to benefit from such a potential business relationship.
  3. You should obtain any personal data for your prospects’ lists in a legal and transparent way, and be ready to explain how and why you decided to process personal data of specific EU citizens.
  4. GDPR introduces a new principle of data storage limitation, which does not allow you to process personal data longer than is necessary. The specific time period is not specified in the document. We advise removing the data of non-responsive cold email addressees after 30 days from your first contact.
  5. In case of opt-in lists, you can process the data in clearly specified ways the data owner has agreed to, for as long as they granted you their consent, or until they express their wish to withdraw it.
  6. Any kind of data you ask for should be justified by the purpose for which you want to process it. Don’t ask for a phone number if you want to send someone an ebook. And if you do want to collect their phone number, tell them straight that you may want to call them.
  7. Give your cold email recipients as well as your opt-in list subscribers a clear way to opt out from further correspondence, and an instruction on how to change their personal data, or completely remove it from your list. The ‘Unsubscribe’ link mechanism is a popular one, but it’s not the only one you can use for that.
  8. Update your Terms of Service and Privacy Policy docs, if necessary. Simplify the language you use in those documents. Make sure everyone can understand it without a degree in law.
  9. Remember you don’t own the personal data you process. Don’t share it with other people and companies like it was your property. Make sure the data is secure while you process it.

References & additional resources

This is a list of resources that helped us write this post. If you feel like doing more thorough research on your own, this may be a good place to start:

General Data Protection Regulation: full original version of GDPR in English (other language versions available here)

European Commission – Protection of personal data

European Commission – reform of EU data protection rules

European Commission – Data protection reform for small businesses

Lexology Blog post about consent

EU General Data Protection Regulation (GDPR): An Implementation and compliance guide (Book)

The EU General Data Protection Regulation (GDPR): A Practical Guide (Book)


If you have questions about this post, or about sending emails in compliance with GDPR in general, please write the questions in the comments section below. If you have some other interpretations of the GDPR you want to share or laws specific to your native EU countries, please feel more than welcome to leave them in the comments as well.



We’re going to host a series of webinars about GDPR. Sign up for them to learn more about GDPR and ask your questions connected to it.

If you cannot attend at this time, sign up anyway, because you’ll receive the recording.

1. Webinar #1 in English on March 15th at 11 AM CET

Topic: GDPR in practice for SME

This one already took place on March 15th. The YouTube video is here >>

2. Webinar #2 in English on March 21st at 11 AM CET

Topic: How to Make Your Email Outreach GDPR Compliant

This one already took place on March 21st. The YouTube video is here >>

3. Webinar #3 in Polish on April 4th at 11 AM Warsaw

Topic: How to run email campaigns in compliance with GDPR?

This one has already taken place. The YouTube video is here >>