GDPR: Double opt-in, Consent and right to be forgotten

Blog, gdpr

GDPR is fast approaching and, according to the latest news, a high number of companies are still none the wiser about what needs to be implemented, which will cause a lot of pain should things go wrong.

Following our series of GDPR related blog articles, which you can find here: we're continuing our efforts to make people aware of what is coming and what you need to do for your business.

Double opt-in for email

Email consent is just one of the many areas within GDPR, but for marketing teams it is a crucial one, as they generally interact with clients more than the rest of the business and so have to make sure that all of their processes are fully compliant.  Under GDPR you are no longer able to add people to your mailing lists without their consent; one of the easiest ways to comply with this is to ensure that people opt in to your communications.

When GDPR comes into force on 25th May 2018 it will give everyone greater control over their data by significantly strengthening the consent process.  GDPR requires that consent is freely given and unambiguous.  Not only that, but how and when consent was given must also be recorded.

Almost every business will have an email mailing list of some sort, whether it is collected through a website or a link to a signup page.  Having a double opt-in process for your email subscribers is the best and easiest way to meet the consent requirements of GDPR for that list.

What is double opt in?

The double opt-in process involves your contacts interacting with your signup / mailing list process, whether by posting a form or ticking a box, and then confirming their instruction by clicking a link in a follow-up email.

By requiring your contacts to perform two actions to sign up to a mailing list you are making them "jump through hoops" to receive your email communication.  This extra step ensures that the people on your list want to be there, and it also provides a transparent record of customer consent that will help marketing teams execute GDPR compliant campaigns.

An example of the process: someone enters their email address into your website form, the address is passed to your mailing list system, and an email is automatically sent to that address saying that a subscription has been requested and asking them to confirm it.  This confirmation request is the double opt-in part; it shows that the person actually wants to sign up, and that whoever submitted the form controls that mailbox.

Just about every email marketing provider supports double opt-in for your email communications.
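The flow described above, written out as a small Python example (added here; it is not code from this post or from any mailing list provider). It assumes a hypothetical confirmation endpoint at https://example.com/newsletter/confirm and a 48 hour link lifetime; both are assumptions for the example. The points it is meant to show are that the confirmation token is random and single use, so only someone who can read the mailbox can complete the signup, that the evidence of consent (when it was requested, when it was confirmed, from which address, and which version of the form text was shown) is stored alongside the subscription, and that unconfirmed addresses are purged rather than kept.

```python
"""Double opt-in signup with a consent record and erasure (added example)."""
import secrets
import time
from dataclasses import dataclass, asdict

# Assumption for this example: a confirmation link expires after 48 hours.
CONFIRM_TTL_SECONDS = 48 * 60 * 60
# Assumed (hypothetical) URL of the site's confirmation endpoint.
CONFIRM_URL = "https://example.com/newsletter/confirm"


@dataclass
class PendingSignup:
    """Step one: the address entered in the form, not yet on the list."""
    email: str
    requested_at: float
    source_ip: str
    form_version: str  # which wording of the form / privacy notice they saw


@dataclass
class ConsentRecord:
    """Step two completed: evidence of how and when consent was given."""
    email: str
    requested_at: float
    confirmed_at: float
    source_ip: str
    form_version: str


class MailingList:
    def __init__(self):
        self._pending = {}      # token -> PendingSignup
        self._subscribers = {}  # email -> ConsentRecord

    def request_signup(self, email, source_ip, form_version, now=None):
        """Form submission. Returns the confirmation URL to email to the address."""
        now = time.time() if now is None else now
        # 256-bit random token: it cannot be guessed or derived from the email
        # address, so only a reader of that mailbox can complete the confirmation.
        token = secrets.token_urlsafe(32)
        self._pending[token] = PendingSignup(email.strip().lower(), now, source_ip, form_version)
        return f"{CONFIRM_URL}?token={token}"

    def confirm(self, token, now=None):
        """Link click. Returns True if the address is now subscribed."""
        now = time.time() if now is None else now
        pending = self._pending.pop(token, None)  # single use: gone either way
        if pending is None:
            return False
        if now - pending.requested_at > CONFIRM_TTL_SECONDS:
            return False  # stale link; the person must sign up again
        self._subscribers[pending.email] = ConsentRecord(
            email=pending.email,
            requested_at=pending.requested_at,
            confirmed_at=now,
            source_ip=pending.source_ip,
            form_version=pending.form_version,
        )
        return True

    def purge_unconfirmed(self, now=None):
        """Data minimisation: drop addresses whose link expired without a click."""
        now = time.time() if now is None else now
        stale = [t for t, p in self._pending.items() if now - p.requested_at > CONFIRM_TTL_SECONDS]
        for t in stale:
            del self._pending[t]
        return len(stale)

    def is_subscribed(self, email):
        return email.strip().lower() in self._subscribers

    def consent_evidence(self, email):
        """What you would show on request: when, from where, and which form text."""
        rec = self._subscribers.get(email.strip().lower())
        return asdict(rec) if rec else None

    def erase(self, email):
        """Withdrawal of consent / right to erasure: remove the address entirely."""
        key = email.strip().lower()
        removed = self._subscribers.pop(key, None) is not None
        for t in [t for t, p in self._pending.items() if p.email == key]:
            del self._pending[t]
            removed = True
        return removed


if __name__ == "__main__":
    ml = MailingList()
    link = ml.request_signup("alice@example.com", "203.0.113.5", "signup-form-v2")
    print("send this link to the address:", link)
    print("subscribed before click:", ml.is_subscribed("alice@example.com"))
    ml.confirm(link.split("token=")[1])
    print("consent evidence:", ml.consent_evidence("alice@example.com"))
```

The `now` parameter exists so the expiry logic can be exercised deterministically; in production it is left at the default. Note that the token lookup is keyed on the random value itself rather than on the email address, so a confirmation link cannot be forged for someone else's address, and that an expired or already used token simply fails rather than revealing whether the address exists.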

What if I don’t use a mail provider?

If you are managing your email communications with your clients manually through your email client and a database or file of contacts, then it would be wise to start looking into migrating your mailing list to a more managed approach using a third-party company.  Providers such as MailChimp, which offers a limited free version, will let you use the double opt-in process as well as recording and providing the necessary evidence of consent.

You can find MailChimp here:


As mentioned at the start of this post, you must now obtain consent from people to use their data.  One pain point is that every database and mailing list containing personal information about your customers now requires that consent to have been obtained.  Under GDPR, consent must be freely given, specific, informed and unambiguous.  As part of the consent process there must be a clear affirmative action giving consent to the information being used; the double opt-in process provides this.

Consent cannot be given through pre-checked boxes on websites, inactivity or silence.  This means that if you send out an email asking people to consent to your mailing list, anyone who does not confirm or reply must be removed from your database or mailing list.  This will cause a lot of concern for companies, as many will have to clear out their systems to comply.

You must also only collect the personal information that is strictly necessary for the purpose of the list.  For example, their email address is mandatory, but their name, date of birth and phone number would be deemed unnecessary.  These could be collected at a later date, if the person chooses to submit them.


As briefly mentioned above, when using website forms to allow people to sign up, any checkboxes which are automatically ticked to opt people in are no longer allowed.  You must also inform people what their information will be used for and make it easy for them to understand what they are signing up for.

A lot of existing sites and website companies are going to have to refresh their sites and processes to ensure that they are compliant.

Right to be forgotten

Under GDPR, the right to erasure, also known as 'the right to be forgotten', applies.  It allows an individual to request the deletion or removal of their personal data from your systems where there is no compelling reason for its continued processing.

If you work with third-party companies that hold the data, you must inform them that you are deleting the personal information of the individual; failing to do this is a breach of GDPR.  The same goes for the third-party company: if they receive a right to be forgotten request, they must inform you so that the data is removed from your systems too.

When does the right to be forgotten apply?

The right to be forgotten is not absolute; however, individuals do have a right to have their personal data erased, and to prevent specific processing of their information, in the following circumstances:

  • Where personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • When the individual withdraws consent.
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
  • Personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
  • Personal data has to be erased in order to comply with a legal obligation.
  • Personal data is processed in relation to the offer of information society services to a child.

As a business you do have some rights.  The right to erasure does not apply, and you can refuse to deal with a request, where the processing is necessary:

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation, or for the performance of a public interest task or the exercise of official authority;
  • for public health purposes in the public interest;
  • for archiving purposes in the public interest, scientific or historical research, or statistical purposes; or
  • for the establishment, exercise or defence of legal claims.

You can find more information about opt-in, consent and right to be forgotten here:

We hope that this helps you in your route to GDPR compliance.
