Vorbly Blog

Is Your Business GDPR Ready?

With changes in the global regulatory landscape, starting and running a business can be daunting. The European Union has introduced the General Data Protection Regulation (GDPR) to protect the personal data of people in the EU.

This article helps you evaluate whether your business and website comply with the GDPR, and what to change if they do not.

What Is GDPR?

The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 and aims to protect the fundamental right to privacy and the personal data of individuals in the European Union (EU), whatever their citizenship.

How Does It Affect Your Business?

The GDPR affects any business (including websites) that processes the personal data of individuals in the EU. Whether or not your business is located in the EU, if you offer goods or services to people in the EU or monitor their behaviour (for example, through website tracking), the GDPR applies to you (Article 3).

In this article, we will provide you with a GDPR checklist to help your business comply with these regulations. We will cover the following topics:

  1. Privacy Policy

  2. GDPR Consent Forms

  3. Email Marketing Templates

  4. Third Party Apps

Important Notice: Nothing in this article is legal advice. We recommend that you seek legal advice to fully understand and comply with the GDPR.

1. Privacy Policy

A privacy policy (also called a privacy notice) is required under the GDPR.

GDPR Articles 12, 13 and 14 set out the privacy information you must provide to data subjects (your website visitors and customers), both when you collect data from them directly and when you obtain it from elsewhere.

According to GDPR, the information provided must be:

  • Concise, transparent, intelligible and easily accessible;

  • Written in clear and plain language, particularly if addressed to a child; and

  • Free of charge

We have prepared a privacy policy template for your reference.

What type of information do you collect?

Detail the types of personal information you collect from your website visitors. Personal information includes anything that identifies a person, such as name, email address, IP address, billing details and identification numbers.

The information collected may be provided directly by visitors (e.g. web form) or collected automatically through tracking tools (e.g. Google Analytics).

Sample: "We receive, collect and store any information you provide on our website, including personally identifiable information (including name, email); payment details (including credit card information), comments, product reviews and personal profile. When you access our website, we may collect and record usage information, including geo-location, IP address, device type, browser information and web log information and all interactions through our website. We may also collect supplemental information (including demographics) obtained from third parties for marketing, data analytics and other purposes."

How do you collect personal information?

You should clearly explain how you collect personal information from your website visitors, for example when they subscribe to your newsletter, complete a checkout or fill in a contact form.

Sample: "When you conduct a transaction or complete a form on our website, we collect personal information that you provide us, such as your name, email address and address. Your personal information will be used for the specific reasons stated."

Why do you collect personal information?

You need to explain why you collect personal information from your website visitors. For example, you might collect email addresses for marketing campaigns.


Sample: "We collect both non-personal and personal information for the following purposes:

  1. To provide products and services to our users;

  2. To provide users with customer assistance and technical support;

  3. To contact our users with general or personalized notices and promotional messages;

  4. To aggregate statistical data and other non-personal information, which we use to improve our services or provide to our business partners;

  5. To comply with any applicable laws and regulations."

How do you store, use, share and disclose personal information?

The privacy policy must detail how you store, use, share and disclose the personal information collected, and how long you keep it. You should also inform your website visitors if, when and how their personal information will be shared with third-party services and/or public authorities.


Sample: "We use personal information for the purpose of providing our services, an enhanced user experience and your security. For example, we may use the information collected to set up an account, reset a password or authenticate a user's identity. We will ask for consent before using any personal information for any purpose other than those stated in this Privacy Policy.

We may store and process personal information on servers in different jurisdictions around the world. We retain information for as long as it is necessary for our operations. Information from closed, deactivated, inactive or suspended accounts will be retained to comply with the law, prevent fraud, collect fees, resolve disputes, enforce our Terms of Service and take other actions permitted by law.

We will not sell or rent your personal information to third parties for their marketing purposes without your explicit consent. We may combine your personal information with information obtained from third parties to improve and personalize our solutions, content and promotions."

How do you use cookies on your website?

If your website uses cookies to track website visitors, you must make this clear. Detail what tracking tools (e.g. cookies, web beacons) your website uses, what personal information they collect and how that information is used.

If you use third-party services (e.g. Google Analytics), applications or plugins that set cookies or use tracking technologies, read their privacy policies to understand what personal information they collect and how. Their cookies are set on your site, so your notice has to cover them too.

How can visitors withdraw their consent?

You must explain how your website visitors can withdraw their consent to the collection and use of their personal information, and how they can access, update or delete that information. Withdrawing consent must be as easy as giving it.

Sample: "If you wish to update, access or delete your personal information we have collected, please contact our customer support team at <your email> or <phone number>."

Privacy policy updates

We recommend that you inform your users that you may change or update your website's privacy policy, and how they will be told when you do.

Sample: "We reserve the right to modify this privacy policy at any time and such updates will be available to users on our website. Any revisions to the privacy policy will take effect on the effective date."

Any Questions?

Finally, provide site visitors with multiple channels to contact you, in the event they have any questions about your privacy policy or their personal information.

Sample: "If you have any questions about our privacy policy or would like to access, update or delete any personal information we have collected, please contact our customer support team at <your email> or <phone number>."

2. GDPR Consent Forms

If your business uses lead generation forms, email newsletters or sends marketing communications, you will have to include GDPR consent in your web forms. Consent must be a clear affirmative action by the user, so pre-ticked boxes and consent buried in terms and conditions do not count, and you should keep a record of what each user consented to, when and where.

We have several examples with various consent options and UX designs for your reference.

Bundled Consent

Permission for SMS, email, mail and telephone communications is lumped together into one consent option. Although it is clear and easy for users to select either "Yes" or "No", users cannot choose their preferred channel of communication, and a single refusal loses every channel.

Granular Consent

Users consent to each contact method separately (e.g. SMS, email, call). The granular consent method allows users to consent to some communications rather than having to accept or refuse all of them at once.

Group Consent

Some businesses are part of a larger group, and if you want to share customer data across different entities within the group, users need to consent to that sharing, with each entity named. For example, Waitrose asks users to consent to receiving communications from Waitrose, myWaitrose, John Lewis and John Lewis Finance.

3. Email Marketing Templates

Now that the GDPR is in effect, what do you need to do? Contrary to popular belief, it is still legal and effective to send marketing emails.

If your existing website and forms did not collect the necessary customer consent, you will need to send a repermissioning email to your customer base asking subscribers to opt in again, and stop mailing anyone who does not respond.

How do you design repermissioning emails? Here are some great examples to help you.

If you are already GDPR compliant, then great! Let's review your email marketing campaign and consider the following factors:

Allow customers to opt-out

Add an opt-out link to every marketing email template. If a customer or subscriber asks to be removed from your email list, you must remove them from future marketing campaigns promptly.

Allow customers to access their data

The GDPR gives consumers the right to access the personal data collected about them. That data can range from an email address (for newsletters) to millions of customer touch-points in a CRM or marketing database. Businesses will need to be able to find all of this information and provide it to the user upon request.

Allow customers to delete their data

The GDPR gives consumers the right to have the personal data collected about them deleted. If customers ask for all their data to be deleted, they should also be unsubscribed from further email campaigns.

What if customers unsubscribe from your email campaign? All unsubscribe requests have to be kept in an email suppression file to ensure the address is excluded from all future email campaigns. Explain to customers that the address is retained solely for this purpose, and keep the suppression file to the minimum needed to recognise the address again.
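The granular consent options described earlier and the suppression file described here come together in the following added example in Python. It is not code from the Vorbly article; the data model, function names and the sample addresses in demo() are assumptions made here for illustration. It records consent per channel with a timestamp and source, treats the absence of a record as "no consent", withdraws every channel on unsubscribe, and keeps only a hash of an erased address in the suppression list so the address itself is not retained after a deletion request.

```python
"""Consent ledger with per-channel (granular) consent, withdrawal, erasure and
an email suppression list.  Added example, not code from the Vorbly article;
the data model, function names and sample addresses are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional
import hashlib

CHANNELS = ("email", "sms", "post", "phone")


def normalize_email(addr: str) -> str:
    """Canonical form so 'Alice@Example.com ' and 'alice@example.com' match."""
    return addr.strip().lower()


def suppression_key(addr: str) -> str:
    """The suppression list stores only a hash: enough to keep the address out
    of future campaigns without retaining the address itself after erasure."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


@dataclass
class ConsentEvent:
    channel: str
    granted: bool
    when: datetime
    source: str  # where consent was captured, e.g. a form id or page URL


class ConsentLedger:
    def __init__(self) -> None:
        self._history: Dict[str, List[ConsentEvent]] = {}   # email -> events
        self._suppressed: Dict[str, datetime] = {}            # hash -> opt-out time

    def record(self, email: str, channel: str, granted: bool, source: str,
               when: Optional[datetime] = None) -> None:
        """Append a consent or refusal event; events are kept in arrival order."""
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        self._history.setdefault(normalize_email(email), []).append(
            ConsentEvent(channel, granted, when or datetime.now(timezone.utc), source))

    def has_consent(self, email: str, channel: str) -> bool:
        """Latest event for the channel wins. No record means no consent:
        consent must be an affirmative act, so silence is not a yes."""
        key = normalize_email(email)
        if suppression_key(key) in self._suppressed:
            return False
        events = [e for e in self._history.get(key, []) if e.channel == channel]
        return bool(events) and events[-1].granted

    def unsubscribe(self, email: str, source: str,
                    when: Optional[datetime] = None) -> None:
        """Opt-out: withdraw every channel and add the hash to the suppression list."""
        when = when or datetime.now(timezone.utc)
        for channel in CHANNELS:
            self.record(email, channel, False, source, when)
        self._suppressed[suppression_key(email)] = when

    def erase(self, email: str) -> None:
        """Deletion request: drop everything held about the subject but keep
        the suppression hash so the address is never mailed again."""
        self._suppressed.setdefault(suppression_key(email), datetime.now(timezone.utc))
        self._history.pop(normalize_email(email), None)

    def export(self, email: str) -> dict:
        """Access request: everything the ledger holds about this address."""
        key = normalize_email(email)
        return {
            "email": key,
            "suppressed": suppression_key(key) in self._suppressed,
            "consents": [{"channel": e.channel, "granted": e.granted,
                          "when": e.when.isoformat(), "source": e.source}
                         for e in self._history.get(key, [])],
        }

    def filter_campaign(self, recipients: List[str], channel: str) -> List[str]:
        """Only the recipients who may be contacted on this channel."""
        return [normalize_email(r) for r in recipients if self.has_consent(r, channel)]


def demo() -> dict:
    """Constructed sample run (not real customer data)."""
    ledger = ConsentLedger()
    ledger.record("Alice@Example.com", "email", True, "newsletter-form")
    ledger.record("Alice@Example.com", "sms", False, "newsletter-form")
    ledger.record("bob@example.com", "email", True, "checkout")
    ledger.record("carol@example.com", "email", True, "webinar-signup")
    ledger.unsubscribe("bob@example.com", "list-unsubscribe-link")
    ledger.erase("carol@example.com")
    recipients = ["alice@example.com", "Bob@example.com",
                  "carol@example.com", "dave@example.com"]   # dave never consented
    return {
        "email_campaign": ledger.filter_campaign(recipients, "email"),
        "sms_campaign": ledger.filter_campaign(recipients, "sms"),
        "alice_export": ledger.export("alice@example.com"),
        "carol_export": ledger.export("carol@example.com"),
    }
```

Running demo() mails only Alice by email and nobody by SMS: Bob unsubscribed, Carol was erased (her address survives only as a suppression hash), and Dave has no consent record at all. Addresses are normalized before every lookup so a differently cased copy of a suppressed address cannot slip back into a campaign, and export() gives you the material for a subject access request in one call.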

4. Third Party Apps

Now that you have spent the time and effort to become GDPR compliant, is the case closed? Not quite. Under the GDPR, any third-party processors you use are directly and legally obligated to comply with the regulation, but choosing and overseeing them remains your responsibility.

What is a third party data processor?

A processor is an entity that processes personal data on behalf of a controller. A controller is defined by the GDPR as the entity that determines the purposes and means of the processing, that is, why and how the data is processed. Third-party processors include Email Service Providers (ESPs), Customer Relationship Management systems (CRMs), analytics providers, hosting companies and many others.

Who is responsible?

It is the responsibility of the data controller (your business) to assess and monitor third-party vendors and work with them to be GDPR compliant. Article 28 allows a controller to use only processors that provide sufficient guarantees, and requires a written contract (a data processing agreement) between controller and processor. Businesses will have to ensure third-party vendors properly collect, store and process personal data.

What can you do as a controller?

Discuss with your third-party partners and read their privacy policies. For new vendors, thoroughly review their privacy policies and sign a data processing agreement before any personal data is shared. Check whether vendors hold relevant certifications, where they store data, which sub-processors they pass it to, and whether they give you the tools to retrieve and delete a user's data when you receive an access or deletion request.


With increasing global regulatory complexity, businesses need to take the necessary steps to comply with these regulations. From country-specific data protection laws in Japan and Australia to the EU GDPR, privacy and the protection of personal data are here to stay.

By reviewing your processes, website and marketing campaigns, businesses can implement best practices to comply with regulations while retaining a great UX/UI website design.
