GDPR & Email: 10 Critical Questions & Answers for Compliance

May 24th, 2018

GDPR, the General Data Protection Regulation, which asserts and enforces protections on the personal information of EU citizens, is on everyone’s minds these days. This is because it impacts any company anywhere in the world that interacts with citizens of the European Union (EU), even if that only means sending email messages to them. The kicker … if you are found to be in non-compliance you could earn yourself a fine of 20 million euros or 4% of your gross annual revenue, whichever is higher.

As an email security company, we receive a lot of questions around the intersection of email and GDPR. There is a whole lot of confusion out there and ambiguity in the regulations. In this post, we answer 10 of the most prominent and important questions on GDPR and email that we have seen. The answers are at times surprising and even enlightening.  However, if you are unaware of the answers to these questions, you are almost certainly out of compliance with GDPR.

These GDPR compliance questions are answered through a consultation interview between Erik Kangas and Brian L. Tuttle. The answers you see are the synthesis of this interview discussion.

Brian L. Tuttle is a Nationally Renowned Compliance Consultant whose web site is  He is a Certified Professional in Health IT (CPHIT), Certified HIPAA Professional (CHP), Certified HIPAA Administrator (CHA), Certified Business Resilience Auditor (CBRA), Certified Information Systems Security Professional (CISSP) with over 19 years’ experience in Health IT and General Compliance Consulting.

With vast experience in health IT systems (i.e. practice management, EHR systems, imaging, transcription, medical messaging, etc.) as well as over 19 years’ experience in standard Health IT with multiple certifications and hands-on knowledge, Brian serves as compliance consultant and has conducted onsite and remote risk assessments (HIPAA and now GDPR) for over 1000 medical practices, hospitals, health departments, insurance plans, and business associates throughout the United States.

Email Marketing and GDPR

1. Many companies have existing email marketing mailing lists which include EU citizens. In order to be in compliance with GDPR, what do such organizations have to do?

GDPR applies not only to the data which is currently maintained of EU citizens, but also to the data that was collected before. The bottom line is, unless your current consent from these individuals already meets the requirements of GDPR, new consent forms will need to be drafted and agreed to in order for you to continue marketing to the EU citizens in your database. Alternately, you could remove all EU citizens from your email marketing databases.

2. It is quite common to allow people to opt into marketing email when they fill out an online form. How does GDPR change this process?

One of the core tenets of GDPR is the “right to be forgotten.” In marketing terms this means that if the individual requests to be removed from a mailing list, that individual not only has the right to be taken off the list, but also the right to be entirely deleted and removed from the database of the marketer. This can be accomplished by updating consent forms to provide individuals the right to “unsubscribe to a particular marketing campaign and/or all communications” and also to have the ability to contact your marketing group via email or phone. My recommendation would be providing a link for users or perhaps a check-box.

Additionally, GDPR reaffirms the need for any email marketing to be explicitly opted into. It would be non-compliant to send marketing email to an EU citizen just because s/he filled out a form or purchased something from you … unless that person also explicitly opted into receipt of the marketing email. This is different from the US CANSPAM act which allows email marketing to people with whom you have an existing business relationship but who have not explicitly opted into such emailings. That is not permitted under GDPR.

3.  If I am sending marketing emails to EU citizens, how does that change what I have to log / track / record?  

Logging and tracking records, which is known as “profiling” under GDPR, is acceptable with some requirements. The system used for this must provide the individual the right to “be forgotten” as previously discussed, the right of “data portability” which means using a common format, the right to “object,” and the right to “halt” unless the data “controller” can demonstrate there is a legal or legitimate reason to maintain the information. Note: profiling to minors is not allowed under GDPR.

What you should absolutely record is information about how and when each EU citizen that you are marketing to actually opted into your mailings.

How does it change what I have to include in the email messages themselves?

In my estimation, a privacy link or an opt-out link should be included in all marketing campaign emails.

4. How do the GDPR “rights to be forgotten” and “to have control of your information” apply to email marketing?

Individuals have the right not only to be removed from the current marketing campaign (upon request) but also to be completely deleted (“forgotten”) upon request. Specific opt-out links should be applied to all outbound marketing emails which cover both “remove from current campaign” and/or “delete my information.”

Note that the right to be forgotten means deletion of all records of this individual from your current and historical systems. This includes names, addresses, email addresses, IP addresses used, and any other possible identifying information in your mailing lists and databases.

General GDPR Questions

5. How do you identify if an interaction with someone falls under GDPR if they do not identify themselves as an EU citizen? 

This can be tricky and there is not any clear guidance on understanding exactly who may be in the EU within the campaign. However, a data inventory must be conducted per GDPR and it would be advisable to sort the email lists based on email domain extensions, such as where it is clear the address is an EU address (e.g., *.DE for Germany) – those individuals should be notified of new privacy requirements.

6. Individuals have rights to information about their data (e.g., removal, correction).  Companies have rights to not disclose information about people for privacy considerations. What is a best practice to confirm that a GDPR request is from the legitimate individual and not a social engineering or fraud attempt? 

A general email account relating to a company (e.g., is not covered under GDPR but an individual working for the company who may be part of the email list is covered under GDPR (e.g., Emails should be sent to the mailing list explaining the new privacy policy of the direct marketing company, which includes the aforementioned ability to be “forgotten.”

In a case where a call is received demanding information about the customer based on GDPR, this release is not permissible. Information cannot be given unless the customer has authorized this release. Such an authorization could be made by the customer by, for example, logging into the company’s web portal using login credentials granted to that customer and then making the request as an identified individual. In cases where this is not an option, a two-tiered verbal authentication should be used to validate (i.e.,  two pieces of information that you know, like a date of birth and address). Yes — the individual does need to provide you with information to verify his/her identity in order to make requests about his/her information … even to request to be forgotten!

Business Email and GDPR

7. If you are sending a business email message to someone in the EU, how does GDPR apply to that message?   

This applies to GDPR as it is an “individual of the business” and should be treated the same as any other personal email address.

So, I guess I was looking for a list of things I should consider/do before I send a non-marketing email message to an EU citizen. E.g., the CEO of some company in Spain that I want to talk to.   Can I just email him per “old normal” rules of emailing… or what is now different under GDPR?

Outside the scope of marketing directly to an EU citizen there are no restrictions based on an email between a CEO in the USA and a CEO in Spain. I.e., sending individual business email messages continues per the normal.

Consider the reverse, where an EU citizen sends us a business email…?

If an EU citizen proactively reaches out to an American company (via the website for example) and that company is actively marketing to the EU, this information falls under GDPR and the EU citizen should receive the privacy policy as a link in a follow-up email.

8. Should my business email messages contain disclaimers and/or privacy statements/links now? 

Absolutely – GDPR is a “principle based” law; this means there are some grey areas but we must show a strong effort has been and is being made to comply.

9. Many US businesses archive all inbound and outbound email messages for business reasons and/or compliance reasons. Archival by definition is supposed to be immutable. How should US companies regard requests to be forgotten by EU citizens under GDPR … where email to or from such people is in email archives?

Unless there is a “legal” or “legitimate” reason to maintain the information, the EU citizen has the right to be forgotten and the information would need to be removed. A “legal” reason to maintain information would be if another law (i.e. HIPAA) requires health records be maintained for x-number of years. A “legitimate” reason would be the information maintained would have no undue impact on the data subject – however, we must clearly document why this information is needed to be maintained and what the identifiers are (i.e., my understanding is that archives of data are generally acceptable based on legitimate need but it must be documented why this is a legitimate need for the business).

Many US businesses are involved in providing services to the healthcare sector. These interactions fall under HIPAA which requires keeping records of interactions and copies of data for a long time (i.e., 6+ years). This appears to be in direct conflict with GDPR’s requirements for allowing people to “be forgotten.”  What is the proper reconciliation?

HIPAA would be a national law in the USA which would trump GDPR under the “legal” reason to maintain the information. However, this needs to be assessed and documented when responding to such a request.

10. What else does GDPR imply about using email going forward that everyone should be aware of?

Bottom line is, this is a new and evolving legislation which, in the end, represents best practices. Remember, GDPR is a “principle based” law, like HIPAA, and there are many ways to achieve compliance.

The core Privacy Principles under GDPR:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality

Do you have more questions about email security and privacy? Ask us!