An overview of GDPR and why you should care

What is GDPR?

GDPR, or General Data Protection Regulation, is a regulation declared in EU law that surrounds the areas of data protection and privacy. The GDPR is an essential component of EU privacy law and of human rights law, as it addresses the transfer of personal data both inside and outside of the European Union. The GDPR’s main focus is to enhance people’s control and rights over their own personal data, and to simplify the regulatory environment for international business so that all private information can be handled with respect and privacy. 

GDPR rules 

There are various rules, laws and regulations that are involved within the GDPR, all of which exist to help protect personal data and maintain the best levels of privacy and protection. Any incident that leads to personal data being lost, stolen, destroyed, or changed is considered a data breach. Unfortunately, breaches are more common than you may expect, despite GDPR working hard to crack down on those who ignore the regulations.  Violating any GDPR rules can leave your business in serious trouble, as the penalties are severe. To ensure businesses are more inspired to follow the law, and handle your personal data in a legal, ethical way, fines for noncompliance can actually be up to €20 million (or $23 million). 

Processor and controller compliance

The GDPR defines clearly that there are two differing levels of data handling – a ‘controller’ and a ‘processor’. This is simply to declare that not all organizations who handle personal data have the same degree of responsibility or should in turn follow the same rigid rules and regulations. 

Processor compliance

A processor can be a person, public authority, agency or other body that processes personal data on behalf of the controller. This way, they serve the controller’s interests instead of their own. A processor generally has more limited compliance responsibilities.

Controller compliance

A controller can be a person, public authority, agency or other body that, alone or combined with others, determines the purposes and means of the processing of personal data. As a controller, you would be responsible for complying with the GDPR wholeheartedly – you must demonstrate compliance with the data protection principles, and take appropriate measures to ensure all of your data handling and processing is done in line with the relevant GDPR.

What is defined as personal data by GDPR?

GDPR defines personal data as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

What is the penalty for non-compliance?

As mentioned previously, General Data Protection Regulation provides those who do not comply with the regulations with a fine. Recently, a tiered approach to fines has been introduced, which in turn means that the severity of the breach will influence the size or value of the penalty. Within the GDPR, there are 2 different ways a penalty can be implemented against an offending company, agency or individual: 

  • Through the acts of the data subjects
  • Through the acts of the supervisory agency

The maximum fine a company can face regarding GDPR non compliance is 4% of their annual global turnover, or €20 million, whichever number is higher. Making less severe errors or mistakes like maintaining improper records or failing to notify of any breaches, can also be fined a maximum of 2% of their annual global turnover, or €10 million, whichever number is higher. It can be extremely difficult to try and claw back such large sums of money when you fail to abide by the rules and regulations of the GDPR. 

Any individual who has suffered either material or non-material damage as a result of a GDPR infringement has the right to receive compensation, from the controller or processor, for the damage that they have suffered or fallen victim to. Malpractice can be reported to the relevant agencies, and a full investigation will take place to properly identify any weak points or security breaches that might be putting data at risk. 

What are the GDPR rules for email marketing?

GDPR is something that should always be at the forefront of your mind whenever you are taking part in email marketing, as this is an area of business that could easily cause you to get a hefty fine as discussed above if you fail to respect your audience’s data and privacy. GDPR describes the following regulations related to email marketing that all businesses and individuals must follow: 

  • Ask recipients for an affirmative opt-in to receive direct marketing communications
  • Provide recipients with a clear, unambiguous way to opt-out of marketing communications
  • Offer a method by which customers can request the deletion of their personal data

It’s clear to see that the GDPR rules for email marketing aim to ensure that consumers receive direct marketing communications to which they’ve consented and that add value to their lives, and nothing more. Spamming an individual with email marketing materials when they have not consented to such communications can leave you in serious trouble, as can denying a person the opportunity to no longer receive your communications, so these are key areas that you must never ignore to stay compliant. Many businesses choose to include an ‘unsubscribe’ button within each marketing email that they send to their customers, as this way you can cover your back by providing people with the easiest opportunity to cancel their subscription. 

GDPR compliant features available with Instiller

Encrypted data

Companies can reduce the probability of a data breach and thus reduce the risk of fines in the future, if they chose to use encryption of personal data. Encryption is a procedure that converts clear text into a hashed code using a key, and during this process the outgoing information can only become readable again by using the aforementioned correct key. This in turn minimizes the risk of any incidents during data processing, as encrypted data is unreadable for those who do not have the correct key. Here at Instiller data encryption is something that we offer to all of our clients, so you’ll be able to maintain the utmost faith and confidence in the fact that no other unauthorized users can access and utilize the information that you store and handle. 

Right to Erasure

The right to erasure allows individuals to obtain and erase any and all personal data concerning them without undue delay. The right to erasure can be triggered for a number of reasons, including: an individual’s personal data is no longer needed for the original purpose, an individual withdraws consent meaning there is no legal ground for the processing, or if personal data has been unlawfully processed and therefore steps need to be taken to establish responsible and lawful handling. In many cases an individual can request the erasure of their data without giving a reason, as in reality they are the sole controller of their own data and can decide to withdraw whenever necessary to protect their personal information. Your customers will be able to erase their personal data with your company in a few simple taps when you utilize our expert services at Instiller.

Subject Access Requests

Subject Access Requests (SARs) are on the increase. SAR’s are an individual’s right, as all people can request to obtain a copy of the personal data a company or organisation processes and stores on them. Individuals can obtain confirmation that a company is processing their personal data, a copy of their personal data being handled or processed, and any other information like the purpose of the data processing, too. No reason needs to be given for a SAR, but your customers will be able to do this easily with our handy features at Instiller. 


Actively conducting audits and inspections of processors throughout the entire lifecycle of your business arrangement should always be a top priority if you want to stay compliant and avoid a hefty fine. It is vital for controllers to choose processors who are willing to cooperate in respect of auditing. Auditing investigates and validates your data handling and storage, meaning you’ll be able to put your customers minds at ease when you breeze through your audit with flying colors. Auditing should be done regularly, and that’s something we recognize here at Instiller. 

Consent for data processing, handling and storage must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis. The element “free” implies a real choice by the data subject. For consent to be informed and specific, the data subject must at least be notified about the controller’s identity, what kind of data will be processed, how their data will be used and the purpose of the processing operations as a safeguard. 

It’s clear to see just how vital GDPR really is for businesses all across the globe, especially when it comes to email marketing. You should always channel time and energy into GDPR compliance, and our expert team at Instiller can certainly help you to achieve your data protection goals. 

At Instiller we provide email automation tools that are already trusted and utilised by countless major brands and smaller companies. If you are interested in learning more about our services, please do not hesitate to get in touch.

Ready to try Instiller out?

Take a free & unlimited 14 day trial of Instiller and discover
how our solution could work for your agency.

Free trial

There's no commitment and we don't ask for payment details.