gdpr Archives - UP for Digital | dpc | Digital Marketing Agency | Guildford, Surrey

Six simple steps to build a GDPR compliant database

Email marketing is dead. No, it’s alive. Actually it’s dead. Whatever. Email marketing isn’t going anywhere, so let’s end that debate here and now.

With an informed strategy behind it, email marketing can be your very best asset. It can:

  • Nurture leads to paid up customers
  • Create sales opportunities
  • Keep your customers engaged with your business
  • Drive web traffic

But that’s just the thing. It needs to be done well. If you send random emails as and when you like, to people who don’t know your business, full of typos, broken links and a whole host of other catastrophes, it can be a lethal weapon (cue 80s hair and saxophone music).

If email isn’t your jam, we can help. As a digital marketing agency with in-house email marketing nerds, we know our stuff.

You can’t have a successful email marketing program without a GDPR compliant database. But where to begin?

#1 CRM database

Before you can do anything, you need a compliant database home that is secure. Enter CRM systems, check your Excel spreadsheets at the door please! Many email service providers will come with something built in, and all will integrate with the big players such as Salesforce and Microsoft Dynamics.

Your CRM platform should have the data fields mapped so that it collects and stores exactly what you need. This should also include the date and time that your subscriber signed up and confirmed their opt-in intention.

#2 Sign up forms

With the GDPR bursting onto the scene in May 2018, a lot changed about how you can collect, process and store data (you can read about that here). But if you start out with all the elements in place, it need not be such a headache.

First things first, make sure your form has a transparent description. Simply saying “Sign up for our newsletter” just won’t cut it anymore. Your wording should include:

  • Sending frequency
  • Your content
  • What you’ll be doing with any data (if it’s more than simple name and contact details)
  • A link to your privacy policy
  • An unticked (yep, that’s important!) tick box as a statement of intent to sign up

A great example is this below from dog food brand EUKANUBA. Let’s examine:

[Image: GDPR compliant email marketing sign up form]

  1. Sign up for monthly expert tips and incentives – an overview of what and when
  2. Track your dog’s development… – reason for collecting additional data (e.g. breed size and age)

When you create your form, it’s also a good time to have a think about anything extra you need to collect to run your email program. Ideally, you want your form to be quick and easy to complete, otherwise you won’t get many conversions. You can always collect more data at another time, with specific campaigns.

#3 Form placement

So you’ve got your form, now it’s time to place it. If you have just one sign up form, it is best placed in the footer of your website, as it’s easily accessible.

If you have multiple forms (e.g. for gated content downloads or to sign up to different lists perhaps), those should be embedded only on the relevant pages.

You can also consider pop ups where you have reason to believe the website visitor is primed to sign up. This could be based on session duration, pages or something else. The key here is balance, so that you don’t annoy your subscribers.

#4 Purchasing data..?

This is one of the biggest debates in marketing. It’s a big no-no for consumer goods. It’s slightly less contentious for B2B, but you need to have a decent prospect workflow to make it work.

If you’ve made the decision that you want to buy data to bolster your lists, it is absolutely essential to make sure it is verified, compliant and up to date. We can help direct you to trustworthy database consultancy services.

#5 Keep that list clean!

Most spam laws now mean that having a double opt-in mechanism on your database is standard. This means that once a person signs up to your list they’ll receive an email asking them to click to confirm they meant to sign up. This is the first step to a sparkly, clean and compliant list. This should also mean that your subscribers have a timestamp against their confirmed sign up in your CRM platform.

Keep an eye on bounces. Most email service providers will have automated rules in place so that after two or so bounces, an email address is removed from your list.

HubSpot says:

“Bounce rates are one of the key factors internet service providers (ISPs) use to determine an email sender’s reputation, so having too many hard bounces can cause them to stop allowing your emails in folks’ inboxes.”

Whatever you do, never ever scrape websites for email addresses. It’s really not cool and is the lowest of lows, not to mention illegal. No further explanation needed (hopefully).

You can read more about list hygiene here.

#6 Sender info

When you’re setting up your email marketing platform, you’ll be required to set up a sending subdomain of your website. This is so that should anything go sour with your sending reputation, it won’t affect the infrastructure of your website and your internal email addresses. It’s usually a case of using something like “newsletter.yourdomain” or similar.

Not only this, but it’s really important to set up an inbox where you can receive replies to your marketing – both automated and actual responses. For the reasons above, make sure it’s not someone’s existing email address, but it must be monitored. GDPR law states that manual unsubscribes are mandatory, as are information requests (e.g. “how did you get my data?”).

It’s really poor show, not to mention against data laws, to send using a “noreply@domain” address!


Making sure your email database is compliant really can be that simple, provided you know what to do. While it is a big task, if you break it down into these fail-safe steps, you’ll have it under control in no time.

If the thought of organising your existing database (or starting from scratch) gives you a burning feeling in the pit of your stomach, fill out your details below. And, probably go see someone about the stomach pains… it doesn’t sound healthy!

GDPR in a nutshell

Not half as exciting as a hero in a half-shell… but extremely important. Here’s our lowdown on everything GDPR.

What is GDPR?

Back in May 2018 the data protection rules and regulations for the UK and EU changed. Essentially the General Data Protection Regulation (GDPR) modernised the laws around the protection of personal data.

In a nutshell, it meant that any company marketing (email, post, SMS, phone calls etc.) without proven consent could be fined up to 20 million euro or four per cent of the offending business’s turnover. Prior to this, the ICO could only fine up to £500,000… so just a bit of a step up.

Wired summarises the seven key principles laid out in article 5:

“Lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. In reality, only one of these principles – accountability – is new to data protection rules. In the UK all the other principles are similar to those that existed under the 1998 Data Protection Act.”

So if it was a law passed in 2018, why are you talking about it now?!

Great question! A lot of smaller businesses still haven’t taken the steps to ensure they are acting compliantly with this regulation. Probably a combination of thinking they won’t be pulled up on it and a lack of understanding of what needs to be done. But with fines like these, do you really want to risk it…

If we’re leaving the EU, does it really matter?

Yes. The ICO (Information Commissioner’s Office) states that:

“The GDPR will be brought into UK law as the ‘UK GDPR’, but there may be further developments about how we deal with particular issues such as UK-EU transfers. The GDPR will be retained in domestic law at the end of the transition period, but the UK will have the independence to keep the framework under review.”

You can read about it in full here on the ICO website.

Ok, how do you prove consent?

Firstly, by making sure all sign up forms are crystal clear on what you’ll be doing with that individual’s data. For example, if it’s an email database, you’d need to state frequency, content and whether you share your database with any third parties.

Once you’ve done that, you’ll need to do the following:

#1 First and foremost, you must ensure all data is kept securely and only those who need to access the data can. As a company, it is also your responsibility to ensure your staff understand GDPR to minimise any violations.

#2 Set up your sign up forms to have a double opt-in mechanism behind them. Most email service providers will now have this as a standard practice, but some don’t. What this means is once someone submits their data on your form, they’ll receive an email asking them to confirm they intended to sign up to your database.

#3 Once they have confirmed their intent, your CRM or database should store the date and time stamp of the confirmed sign up.

#4 Have a clear unsubscribe link in every communication channel. This also means an inbox that is monitored so if for any reason the link doesn’t work, you can be contacted directly. This doesn’t need to be a personal inbox but one that is monitored regularly.
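The four steps above (and the double opt-in mechanism described in the first post on this page) are easy to get subtly wrong: a confirmation link that can be forged, replayed or used months later does not prove consent, and a consent record without the form wording and timestamp is hard to defend when someone asks “how did you get my data?”. The following is an added example written for this page, not code from UP for Digital or from any CRM or email service provider; the token format, the in-memory stores standing in for CRM tables and the 48-hour link lifetime are all assumptions.

```python
"""Double opt-in with a signed, expiring confirmation link and a timestamped
consent record. Added illustration: the token layout, the field names, the
in-memory stores and the 48-hour lifetime are assumptions, not any CRM or
email service provider's real API."""
import base64
import binascii
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Hypothetical server-side secret; in practice loaded from a secrets store.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_LIFETIME = timedelta(hours=48)

# Constructed in-memory stores standing in for CRM tables.
PENDING = {}    # token_id -> signup awaiting confirmation (never emailed marketing)
CONFIRMED = {}  # email -> consent record (what an auditor or the ICO would ask for)


def _sign(payload: bytes) -> str:
    """HMAC over the link payload so the token cannot be forged or edited."""
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def start_signup(email, form_id, purpose_text, now=None):
    """Step 2: record a pending signup and return the token for the confirmation link."""
    now = now or datetime.now(timezone.utc)
    token_id = secrets.token_urlsafe(16)          # unguessable, single-use id
    expires = now + TOKEN_LIFETIME
    payload = f"{token_id}|{email}|{int(expires.timestamp())}".encode()
    token = base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)
    PENDING[token_id] = {
        "email": email,
        "form_id": form_id,                       # which form on which page
        "purpose_text": purpose_text,             # the wording the person actually saw
        "requested_at": now.isoformat(),
    }
    return token


def confirm_signup(token, now=None):
    """Step 3: verify the clicked link, then store the timestamped consent record.
    Returns the record, or None if the link is forged, expired or already used."""
    now = now or datetime.now(timezone.utc)
    try:
        encoded, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
        if not hmac.compare_digest(_sign(payload), sig):
            return None                           # tampered or forged link
        token_id, email, exp = payload.decode().split("|")
    except (ValueError, binascii.Error):
        return None                               # malformed link
    if now.timestamp() > int(exp):
        return None                               # stale link; must sign up again
    pending = PENDING.pop(token_id, None)         # pop makes the link single-use
    if pending is None or pending["email"] != email:
        return None
    record = {**pending, "confirmed_at": now.isoformat()}
    CONFIRMED[email] = record
    return record


def unsubscribe(email, now=None):
    """Step 4: honour an unsubscribe by recording when it happened (keep the history)."""
    now = now or datetime.now(timezone.utc)
    record = CONFIRMED.get(email)
    if record is not None:
        record["unsubscribed_at"] = now.isoformat()
    return record


def may_email(email):
    """The gate every send should pass: confirmed, and not since unsubscribed."""
    record = CONFIRMED.get(email)
    return record is not None and "unsubscribed_at" not in record


def demo():
    """Run the whole flow against a fixed clock and return the outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    tok = start_signup("alice@example.com", "footer-newsletter", "Monthly tips and offers", now=t0)
    out = {"before_confirm": may_email("alice@example.com")}
    out["tampered"] = confirm_signup(tok + "x", now=t0)
    out["confirmed_at"] = confirm_signup(tok, now=t0 + timedelta(hours=1))["confirmed_at"]
    out["after_confirm"] = may_email("alice@example.com")
    out["replay"] = confirm_signup(tok, now=t0 + timedelta(hours=2))
    tok2 = start_signup("bob@example.com", "footer-newsletter", "Monthly tips and offers", now=t0)
    out["expired"] = confirm_signup(tok2, now=t0 + timedelta(hours=49))
    unsubscribe("alice@example.com", now=t0 + timedelta(days=2))
    out["after_unsubscribe"] = may_email("alice@example.com")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the address only moves from the pending store to the confirmed store when a correctly signed, unexpired, unused token comes back, and the resulting record keeps the form id, the exact wording shown and both timestamps. That is the evidence the “how did you get my data?” request asks for, and `may_email` is the single check a sending job should make before every campaign.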

What data can I collect?

Basically only collect what you need, and be prepared to explain why you’re using it. For example, if you’re collecting date of birth in sign up forms be clear as to what you’re doing with it. It might be to track a child’s development, send age appropriate nutrition recommendations for a pet or simply to send birthday discount codes.

If you can’t explain why, then you shouldn’t be collecting it. End of story.

What do I need to do to make sure my website is compliant?

So we’ve summarised what you need to do with data collection, but what about the legal statements you need on your website.

#1 Your cookie policy and consent banner

Over the last few years, you’ll have gotten used to seeing banners across the top or bottom of all compliant websites. They’ll ask you to consent to cookies being collected during your session and sometimes beyond.

The banner will link to your cookie policy, which will outline all the cookies you’re using on your website. This includes:

  • Essential cookies: these are required for the operation of the website, such as logins and sign up forms (e.g. direct data capture)
  • Analytical cookies: you guessed it, anything that allows the web team to analyse how the website is used. It helps them make improvements based on usage.
  • Marketing cookies: these allow the web team to personalise content for you, remember your preferences and log things like pages you’ve previously visited.

#2 Privacy policy

You’ll need to outline exactly what you’re doing with the data you’re collecting, how you’re handling it, whether you’re sharing it with any third parties, and if so why and who they are.

Basically, you need to be absolutely transparent about what you’re doing with any data and why.

How do I make sure my database is compliant?

Stop. Storing. Data. In. Excel. There. Ok, actually there’s more to it than that. But it’s a start! And yes, we know for a fact this still happens and it shakes us to the core.

You can do it in four simple steps:

#1 Store your data in a secure, cloud based CRM.

#2 Minimise access to only those who need to handle it. For example, finance teams will need to see customer data, but not marketing information. Sales and marketing teams will need analytical data and opt-in, but won’t need access to financial records. Simple.

#3 Don’t leave yourself logged in to databases when you’re not using them!

#4 Only send marketing collateral to opted-in subscribers.

Do I need a legal team to review my documents?

Probably. It’s not for us to say, but it’s often a good idea to have someone with a recent legal background or a data protection officer review what you’ve done and make recommendations if you’re not quite there. If you don’t have one, have a look for a legal team with GDPR compliance experience.


Any website designer/developer or marketing agency worth their salt should know how to make sure your website is compliant. If you’re working on a redesign or refresh, they should make sure that your new data collection forms, privacy and cookie policies all meet the regulations set. And if you have further questions on what you need to do, just ask them!
