We are just a few months away from the General Data Protection Regulation (GDPR) being implemented, a new EU law which will revolutionise how customer data is collected, stored and processed.




Although the primary aim of GDPR is to give consumers greater rights over how their personal information is used, it places greater responsibilities on organisations as a result. Significant sanctions will be imposed on those who fail to comply: penalties of €20 million or 4% of annual turnover, to be exact. With this in mind, it is essential for businesses to review their current processes and make sure they are compliant with the new law, which becomes effective from 25th May 2018. In summary, GDPR encompasses the right of individuals to:

  • Access their personal data
  • Have their personal data forgotten 
  • Obtain a copy of their data in a ‘portable format’ 
  • Have personal data updated and maintained
  • Provide consent – ‘opt in’ rather than this be assumed 
  • Restrict where their data is used 
  • Be notified when there’s a major breach involving their data

GDPR is a broad topic, but in this post, we’ll cover how Episerver Campaign can help you be compliant with your email marketing. 

Please note the following information is advice only and should not be relied upon as legal guidance. We recommend you work with legal professionals to determine how GDPR might apply to your organisation. 


1. Obtaining Affirmative Consent 

Under the EU Privacy Directive, businesses were previously only allowed to send emails to people who had opted in to receive marketing emails. With GDPR, this is still the case, but the regulation further specifies the nature of the consent required for sending marketing emails. When GDPR is in place, businesses will need to collect affirmative consent which is “freely given, specific, informed and unambiguous” in order to be compliant. In practice, that means:

  • Freely given (a genuine choice which the individual can refuse or withdraw without "detriment" or loss of service)
  • Informed (information must be specific and unambiguous)
  • Statement or a clear affirmative action (silence, pre-ticked boxes or inactivity does not constitute consent)
  • Proof of consent (you should record the information on display, the date and how you obtained consent)

This means you will need to make sure the tools on your website which capture emails for marketing purposes and offline sign-up processes are compliant with the following: 

  • They are accurate and easy to follow;
  • You don’t use pre-ticked boxes or opt-out mechanisms;
  • You don't force people to sign up in order to get a service;
  • You keep a record of the consent given and of the capture forms used.

Once you have improved the user experience and ensured your capture forms are GDPR compliant, use the Episerver Connector to add any new GDPR compliant subscribers to your Episerver Campaign lists, where they can start the double opt-in process.


2. Double Opt-In Process

Double opt-in is nothing new and has always been considered best practice for new subscribers; with GDPR, however, it should be the only standard used.

Double opt-in helps to prove that the person who signed up to your marketing emails has actually given consent. With a single opt-in process, a visitor could enter someone else’s email address, which shows clearly why double opt-in is essential.

The double opt-in process can easily be created in Episerver Campaign with the corresponding confirmation email. This email explains how to confirm the subscription by clicking on the double opt-in link. The link takes the subscriber to a confirmation page (either created in Episerver or hosted by Episerver Campaign) and updates their profile so that they start receiving marketing emails.



3. Keeping a record of consent

You should ensure that you are keeping accurate records of the consent given by your subscribers and contacts permitting you to send them marketing emails and to store and use their personal data.

Episerver Campaign can help you obtain proof of consent by storing a record of each subscriber’s or contact’s consent in your Episerver Campaign account. With the Episerver Campaign connector in place on your Episerver forms, you can easily add new subscribers and contacts to your account.

When capturing consent, you should record the following:

  • Consent statement
  • Date and time stamp
  • Source
  • IP address

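As an added illustration of sections 2 and 3 (this is not Episerver Campaign's code; the token format, field names and 48-hour link validity are assumptions), a minimal double opt-in flow in Python that only writes a consent record, with the statement shown, timestamp, source and IP address, once the signed confirmation link has been clicked:

```python
# Added example (not Episerver code): a sign-up becomes a consent record only
# after the subscriber clicks a signed confirmation link. Token format, field
# names, wording and the 48-hour validity window are assumptions.
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)          # server-side signing key (assumed per deployment)
TOKEN_TTL = 48 * 3600                     # confirmation link valid for 48 hours (assumption)
CONSENT_STATEMENT = "I agree to receive marketing emails from Example Co."  # assumed wording

pending = {}       # token -> unconfirmed sign-up (email, source, statement shown, requested_at)
consent_log = []   # confirmed consent records: what section 3 says to keep

def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def start_signup(email, source, now=None):
    """Step 1: store the sign-up as pending and return the token to embed in the confirmation link."""
    now = int(now if now is not None else time.time())
    payload = f"{email}|{now}|{secrets.token_hex(8)}"
    token = f"{payload}|{_sign(payload)}"
    pending[token] = {"email": email, "source": source,
                      "statement": CONSENT_STATEMENT, "requested_at": now}
    return token

def confirm(token, client_ip, now=None):
    """Step 2: called by the confirmation page. Only a valid, unexpired, still-pending token creates consent."""
    now = int(now if now is not None else time.time())
    try:
        email, ts, nonce, sig = token.split("|")
    except ValueError:
        return None                                      # malformed link
    if not hmac.compare_digest(sig, _sign(f"{email}|{ts}|{nonce}")):
        return None                                      # tampered link
    if now - int(ts) > TOKEN_TTL:
        return None                                      # stale link
    signup = pending.pop(token, None)                    # single use: a second click does nothing
    if signup is None:
        return None
    record = {"email": email, "statement": signup["statement"], "source": signup["source"],
              "ip": client_ip, "requested_at": signup["requested_at"], "confirmed_at": now}
    consent_log.append(record)
    return record

def has_consent(email):
    """Only addresses with a confirmed record may receive marketing email."""
    return any(r["email"] == email for r in consent_log)
```

No record is written, and no marketing may be sent, for an address whose link was never clicked, was tampered with, has expired, or has already been used.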

4. Asking for re-permission

In simple terms, you need to get explicit permission from your EU email database to email them after the 25th of May 2018, when the new GDPR takes effect.

If you are unsure whether the consent obtained from your current “opt-in” subscribers complies with the new GDPR, or if it is outdated, there is an opportunity to reach out to your lists, starting a new conversation with your database while requesting consent again.

As best practice, subscribers who have not engaged with your emails in 6-12 months (including to your win-back campaigns) should already be removed from your marketing lists. Look to sign them up again from GDPR compliant forms on your site, social and offline channels.


Once you have created your re-permission campaign, take the time to A/B test your subject, content, call-to-actions and landing pages before sending to your entire database.

When this has successfully been completed, record this consent the same way you would for new subscribers and contacts, by using the Episerver Campaign Connector on your landing page.


5. Data Protection & Security 

Episerver has continuously invested in data protection, privacy and cloud security, and previously launched the Episerver Trust Center, highlighting security, compliance and privacy controls in one place to protect customers’ personal data.

Data protection and privacy are, by design, a core pillar of Episerver software development. Episerver are continuously reviewing and implementing new policies each week, not only to ensure the software is GDPR compliant but also to remain industry leaders in information security, privacy and protection.

Episerver has taken a number of technical measures to improve its data protection and security for its clients; this includes:

  • Improving user access management, by restricting staff access to personal data to those who need to know
  • Using encryption everywhere including on mobile devices
  • Putting in place extra intrusion detection and prevention systems
  • Using real-time protection anti-virus, anti-malware and anti-spyware software
  • Certifying Episerver Campaign under ISO 27001


6. Help comply with an individual’s ‘right to be forgotten’

In Episerver Campaign you can easily delete an individual subscriber’s data upon their request at any time.


7. Help comply with an individual’s ‘right to object’

Subscribers have the right to object at any time to receiving future email marketing. This can easily be done by clicking the unsubscribe link in any marketing email sent via Episerver Campaign. No marketing email can be sent via Episerver Campaign without an unsubscribe link in the body of the email.

Individuals can also contact the business directly and ask to be unsubscribed. The business user can then manually unsubscribe the individual from all marketing in Episerver Campaign.

If you have a preference centre in place, you can also give a subscriber the option to stop receiving certain types of emails like special offers, newsletters, or personalised emails.


8. Help comply with an individual’s ‘right to rectification’ 

You may access and update your subscriber/contact lists within your Episerver Campaign account to correct or complete subscriber/contact information upon their request at any time.


9. Help comply with an individual’s ‘right to access and portability’

From your Episerver Campaign account you can, at any time, give subscribers and contacts who contact you access to the information you hold on them, and export it for them.


10. Update Privacy Policy and make visible on all emails and forms

You should ensure that your Privacy Policy is updated before GDPR is in place to inform individuals of their new rights. Your Privacy Policy should clearly set out users’ rights, outline how they can request information from you and how consent is obtained, and enable them to make requests such as exercising ‘the right to be forgotten’.

Once you have updated your privacy policies, make sure you include a link on all your emails and forms. This can easily be done through the template kit editor in Episerver Campaign and on Episerver forms. 



How we're helping our clients prepare for GDPR

The changes surrounding GDPR have been at the forefront of our minds for quite a while. Similarly, our partner Episerver are placing great emphasis on preparation and providing access to information and resources we can use to better equip our clients.

Privacy by design is a key part of Episerver and our project process; with our UX and design team, and developers all ensuring that all forms and data entry points on site are compliant. On all websites, we make consent clear, affirmative and verifiable.

With the vast majority of organisations feeling unprepared for the change, we want to make sure this isn’t the case for our clients.

By bringing about a greater understanding of the changes taking place for the businesses we work with, we can continue to be confident in the platforms we build and create a sense of ease around becoming compliant with the regulations. We want to empower them to see GDPR as an opportunity, rather than a threat.

If you'd like to know more about how Made to Engage can help you prepare for the new GDPR, get in touch.