The General Data Protection Regulation: GDPR Implementation Tips

Get the best GDPR implementation tips.

The General Data Protection Regulation (GDPR) takes affect on May 25, 2018. This is a big deal for marketers at companies of all shapes and sizes.

The impact of this law is so significant, it’s important to not only understand the GDPR basics, but also GDPR implementation. With that in mind, we put together these tips and practical solutions for executing the stipulations of this regulation.

update compliance policies and agreements

As a part of implementing GDPR, you’ll need to update your website terms & conditions, privacy policy, cookie policy, and any other compliance policies and agreements.

What’s important to consider when constructing an email campaign is whether your privacy policy is well written, whether the consent mechanism you choose conforms to the definition of consent in the GDPR, and how to keep a record of these new consents (when, how, what etc.).

The website terms and conditions, cookie policy, and privacy policy are the easiest way to communicate the key information to data subjects (which you’re required to communicate at the time they share their personal data with you).

This will include:

  • The type of the personal data and source from which it is obtained.
  • The purpose of and legal basis for processing the data including all legitimate interests pursued by the controller (including the condition[s] in which legitimate interest has been relied upon).
  • Whether data provision is a statutory or contractual requirement or a requirement necessary to enter into a contract including whether the data subject is obliged to provide the personal data and the possible consequences of the failure to provide the data.
  • The period and/or criteria for which the data will be stored.
  • Any countries the data is held and/or transferred to, as well as safeguard methods to protect the data (and related process[es]).
  • The existence of any automated decision making including profiling; the logic involved; the significance and consequence[s] this poses to the data subject.
  • The existence of the right to withdraw consent that has been provided previously.
  • The existence and scope of an individual’s right to access, rectify and/or erase their personal data; as well as their right to restrict or object to processing, and the right to data portability.
  • Details of the right to complain to the Data Protection Authority.
  • The identity and contact details of the controller; and where applicable, the controller’s data protection officer.
  • Any additional information needed considering the circumstances in which the data is or is to be processed.

retain all evidence of consent

You must be able to provide reasonable evidence that demonstrates you’ve complied with the GDPR if requested. This includes demonstrating what you told the subscriber when they gave their consent.

Document what subscribers were told and the process they took to provide their consent.

  • Method (e.g., opt-in form)
  • Accompanying explanations
  • Accompanying compliance docs

This might include the content for the consent form, your privacy policy, terms and conditions and any context around the consent form.

Because being able to store and access all evidence is so important to the GDPR, we are adding features to support this in the WhatCounts 13.0 Product Release coming soon.

Primarily, we’ll be adding a Form Versioning feature to our Sign Up Form Builder and Preference Site tools. Every time you make a change to a form, this feature will save a record of that change. You can access these versions of the form at any time to recall and prove what information was asked of subscribers at that point in time.

reason for re-permissioning

Does your database contain contacts who opted-in to one type of communication, but have been inserted into other lists?

Where existing data doesn’t meet the standard required by the GDPR, you’ll need to ask for re-permission / re-consent.

If you cannot prove consent for all of your existing subscribers, you should send a re-permission campaign.

The goal of a re-permission campaign is to refresh or update your subscribers’ email consent.

A re-permissioning campaign is a series of emails asking subscribers to confirm they’d like to stay on your list and continue to receive messages from you, as well as alerting them to your intent to stop sending them emails if they don’t re-consent.

opt-in form

Re-permissioning will require an “unambiguous indication of the data subject’s [opt-in consent] by a clear affirmative action”. To accomplish this, you must understand the user experience for opting in. Likely this will be via an opt-in form.

Key elements you need to include:

  • Clear explanation of what the user is signing up for
  • If warranted, a form element for opt-in options or acknowledgements that require an active action (e.g., an unchecked checkbox)
  • Brief explanation with hyperlink for each applicable compliance policy, agreement, etc.

Here's an example of a good re-permission opt-in form.

The design of your form is going to directly impact the conversion rate (the number of people who submit it).

How can the form’s design compel form completions? How should multiple opt-in options be presented? How can you make it seem effortless?

Here are some helpful suggestions to consider.

clear benefit

Explain what subscribers get by opt-in in — emphasizing the benefits’ value, rather than simply asking them whether they want to “subscribe” or “receive notifications”.

Design interactive elements to appear enticing

Use color, larger fonts, icons – whatever it takes to draw the eye.

social proof

Using social proof is a proven tactic to motivate someone to opt-in. This might be in the form of:

  • Review, rating and customer testimonials
  • Social media stats (e.g., number of followers)
  • Performance stats (e.g., users served)
  • Customers’ logos (e.g., well-known brands)

directional cues

Use intuitive visual elements to catch the user’s eye and direct the path they should take to complete the form (e.g., small arrow adjacent to each section). This is especially important when the form is longer and asks for multiple actions to be taken.

required fields

Ensure that required fields are easy to identify (e.g., with an asterisk). This will help prevent failed form submissions and mitigate an otherwise frustrating user experience.
Be mindful of the user experience. Overzealous form elements could be alarming or cause form fatigue — reducing opt-ins.

design interactive elements to imply that a selection is required

Studies suggest a subscriber is likely to be more engaged when they’ve made an ‘active’ decision to opt-in.
Present form elements in a way that require an action regardless of their opt-in choice.

  • both a yes and a no option are presented
  • with neither selected
  • and, the field being “required”

When presented this way, people are more likely to agree than decline.


The GDPR requires an unambiguous, clear affirmative action be carried out by the subscriber to indicate consent. It doesn’t dictate specific tactics to accomplish this, such as adding (unchecked) checkboxes to your opt-in forms. However, a checkbox is a straightforward way to achieve this.

transparent language

Be up front about what the user is opting into. Use clear language that’s easy to understand. The GDPR requires this.

links to policies

It should be clear to the subscriber how their data will be used, processed, maintained, etc., and their rights. Be sure to include a brief explanation with hyperlinks for each applicable compliance policy, agreement, etc. — especially sensitive/special data.

ala carte cross promotion

The GDPR requires consent be freely given by subscribers and can’t be bundled with unrelated actions. This means users should be given the option to consent to one thing and not another. One example of this is where you have multiple promotional marketing efforts (e.g., weekly coupons, monthly newsletters, etc.).
Subscribers should be able to consent individually to only those promotional marketing efforts they are interested in. Incorporate an appropriate form element for each opportunity (e.g., an unchecked checkbox).
If you’d like to share subscribers’ data with other parties, you should use a checkbox to allow them to give their consent freely.

submit button text

Using the word “submit” as the CTA results in lower conversion rates than any other wording. Lesson: Don’t use default copy in your CTA buttons. Get creative instead.

It makes a big difference what CTA language you use.

conclusion: take GDPR implementation seriously

The GDPR affects all companies, and email marketers should be wary of making sure to implement this law. There’s no time like the present – if you haven’t already, your entire team should be making sure GDPR implementation tactics are in place and working before the May 25th deadline.

More to explore...

Introducing Coupon Manager

The WhatCounts team has been hard at work on a new feature, Coupon Manager, which streamlines using coupons in campaigns. Instead of using a generic

Read More »

Ready to See WhatCounts in Action?

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy. We won't track your information when you visit our site. But in order to comply with your preferences, we'll have to use just one tiny cookie so that you're not asked to make this choice again.