Email Experts Series: GDPR, One Year Later

We still haven’t recovered from the anxiety of the onslaught of pre-GDPR emails asking for confirmed consent. But now, more than one year later, we started to wonder how the email landscape changed due to this first-of-its-kind legislation with an impact across the globe.

We asked our resident expert, Matthew Vernhout, director of privacy and industry relations, to help us wrap our minds around what GDPR changed for email marketers, for consumers, and what we should expect as time goes on. Check out the conversation in this edition of our Email Experts Series.

(We’ve found key timestamps and transcribed this video below.)

Total Run Time: 12 minutes

00:30 – Overview of General Data Protection Regulation (GDPR)
01:31 – One year later, how has GDPR impacted the email industry?
03:15 – Review of GDPR fines and enforcement to date
05:10 – What’s next for GDPR moving forward?
06:44 – Trends for data privacy laws; how GDPR has become a global benchmark
07:35 – Overview and guided walk-through of creating a BIMI record in DNS
08:21 – Ideas on how to change the culture around importance of data privacy

Anthony Chiulli
Hi, everyone. Welcome. My name is Anthony Chiulli, and I’m joined today by my colleague, Matthew Vernhout. And we’re going to be talking about GDPR. We are one year plus into GDPR, and I think it’s an awesome opportunity for us to talk about this piece of legislation one year later and some of the findings, some of the fines, and what’s next for this piece of legislation. So Matt, just for our audience that may not be familiar with this piece of legislation, what is GDPR?

Matthew Vernhout
So GDPR is a piece of legislation that came from the European Union. So it covers all the different member organizations within the Union. And it really is a way, it’s a modernization, if you will, of privacy legislation, which the European market has a completely different viewpoint on in regards to personal privacy, personal rights for data privacy than much of the rest of the world, if you will, especially in North America. We tend to be a little more pro-business collecting data and–

A little bit more relaxed [laughter].

That’s a great way to say it. Yeah. So the legislation has sort of come out; it’s level-set privacy, to a degree, in the European Union, which is approximately 550 million people. So not a small chunk of people. But they really set out to standardize their privacy legislation and modernize it and talk about data rights and data access.

So as I mentioned, we’re one year plus, right. I think it went into enforcement in May of last–

May 25th.

May [laughter]– you know the exact date?

I have a sticker. It says, “I survived May 25th [laughter].”

There was a big scare and a lot of anxiety and kind of a rush right before that enforcement date from many brands and senders who maybe– or rightfully so, were a little bit more lax about getting their ducks in order before this enforcement date. How are things now?

I think a lot of businesses have sort of got through the rush. We saw the same thing happen when CAN-SPAM came out. We saw the same thing happen when CASL came out. We saw the same thing in Canada when PIPEDA came out for our privacy legislation. And it’s businesses that need to then build process, need to educate staff, need to change everything, potentially. And with GDPR, it was fairly significant changes. And I think a lot of the marketplace, at least outside of the European Union sort of was like, “It’s not going to really impact us,” and then six months to deadline was like, “Oh. It’s really going to impact us.” And everyone rushed, and there was sort of a mad dash. We saw the same thing with prior legislation. I think, any time we have big legislation changes like this, these types of things happen. And there was a recent study. You and I were talking about it as we were preparing for this that 57% of businesses surveyed out of 300 respondents feel confident in their GDPR process. So that 43% that’s left over is not insignificant. And I think, to a degree, most businesses have a process, but they maybe aren’t 100% confident in where they’re at and where they are going.

Let’s talk about some of the actual real-life examples of fines, enforcement of this. Because I think everyone, including myself, was waiting to see how serious this is going to be. And it sounds like there have been some pretty notable fines and examples recently.

Yeah. And I think everyone’s always worried, like, day one, someone’s going to get a huge fine. And that typically doesn’t happen. Because there’s always research. There’s always warning letters. There’s always negotiation. There’s always something that’s going on that sort of delays their enforcement action. But now that we’re a year in, we’ve had time for all of these things to happen. We’ve had a number of very significant data breaches happen. Looking at Marriott, the Starwood Hotel breach. That was reported at a €99 million or around $125 million penalty that was enforced by the European Union data protection agencies. We saw a hospital in the Netherlands that was fined €460,000 for not having adequate protection. So it’s not even a matter of, they were breached. They were deemed to not have adequate protection, at least according to the articles that I was reading. And then we’ve seen smaller incidences, still 400,000, big dollar values, for other violations in different legislations, so in France, or most recently, I read one in Romania. So they’re coming across the Union now, and I think, it’s just a matter of, we’ve hit that time where investigations have happened, breaches have been reported. And I think that’s where we’re going to see most of these violations. There’s also been big violations against Google and Facebook and things like that that are still in the process of being dealt with.

Talk a little bit about– in my mind, I think– maybe I’m naive, but I feel like a lot of marketers said, “Oh, we did this GDPR thing, check. Next,” right. And it’s like a taskless item. Like, “We’re good. We’re compliant.” Can you share your thoughts about that this is an ongoing piece of legislation that’s evolving? What’s coming for GDPR? What’s next?

Yeah. So I think there’s a lot of different ways that legislation gets created around the world. Some countries will write out, sort of, “Here’s the law,” and then wait for court decisions and things like that to come out with, “How does it get enforced? What type of guidance can happen to businesses and guidance that will be given to individuals and things as that progresses?” And we’ve seen a lot of that in Canada. That’s a very common model. Whereas in the US, you get more verbose laws that tell you, “Here’s what you do,” and it’s not so much dealt with in the courts. It is, but a lot of it’s enforced by the FTC under CAN-SPAM, etc. So every time we see a new decision come out, it’s getting more guidance or new guidance or a new decision to help us make more business decisions internally. And that should be used to continuously make sure your program is up to date. The hospital one is a key example of that where maybe they are GDPR compliant, but they didn’t have adequate security standards. “Okay. Well, let’s go back and check. Do we have adequate security standards? What can we change? Are we monitoring them? Do we keep them updated?”

And I think, GDPR, in my opinion, was kind of the benchmark that we’re starting to see, as you talked about, other pieces of legislation throughout the world, including here in the States, and in California, specifically, that are using that as kind of the new model, the new benchmark in data privacy and data governance. Do you think that trend will continue where we’ll start seeing more restrictive and more pertinent legislation being put in place to protect user’s rights?

Yeah. I certainly do. A good example of that is, Brazil has their GDPR version coming into force in 2020 as well. So it’s basically a copy-and-paste with some minor changes. Some things are slightly removed. But it’s very, very similar to GDPR. We have the CCPA in California, which is going to change a lot of business practices, not just in California but all over the US because it’s such a large population group that everybody does business in California. So it’s going to impact a lot of businesses. We’ve seen legislation come into Nevada and Washington and other states as well. So all of these things are an effort to keep up. And even back in Canada, we’ve now seen changes and a desire to update our privacy legislation that we have been pushing for as a community for a while, but at the same time, maybe never pushed as far as GDPR was going to go. But in order to maintain our adequacy within the Union, we’re going to have to move farther, maybe, than was originally asked, if you will, but to get close enough to maintain adequacy.

You shared with me a memorable statement while we were preparing for this about, this legislation that has come into enforcement is a result of people’s inability to self-regulate, right. So it’s almost been a requirement because as a society or culture, especially businesses, our inability to actually self-regulate data privacy. So to close us off, I’d love to know, in your opinion, what do you believe needs to happen to kind of change this culture where data breaches happen so frequently now that people just kind of are numb to it?

It happened again, right. Yeah. So there’s a number of different things. There’s a great program, Privacy by Design, that talks about, when you’re developing your platform, making privacy part of the actual planning phase. Before you even start coding, you’re building privacy into the platform, so things like encrypted columns and data retention policies, data minimization, things to make it that much less useful, if you will, if someone does get in. So you’ve encrypted the data to a point where nobody can access it. Data minimization, it’s something that I’ve been spending a lot of time writing about. It’s something I’ve spent a lot of time internally pushing in regards to setting hard enforcement policies for data retention, data deletion, and things like that to make sure that if there ever is a breach within any organization, you don’t lose everything because you just didn’t keep everything. You don’t need someone’s birth date, don’t ask for it. Don’t keep it. And I think we see this a bit in CASL, the Canadian Anti-Spam Legislation, where they’ve actually built into it and set enforcement for director liability. So the president of a company was just sued or just issued a $100,000 fine for violations of CASL. So I think, when you start to reach into the actual individual’s pocket as opposed to the corporate pocket, it gets the attention of other business owners and business management teams, to say, “Oh, we could be held responsible, not just the company?” That gets people’s attention as well.

It adds accountability, and that’s one of the key principles of privacy set out in the OECD privacy framework, originally, is accountability is one of the largest principles that a lot of people spend time on.

I agree. I think data privacy is such a complex topic that it’s not something easily solved. But it’s super-interesting times, I think, post-GDPR, keeping watch of other legislations, and kind of maybe a more restrictive shift into data privacy and its accountability. So I want to thank you for joining us today, and I wanted to thank everyone for tuning in. I encourage everyone to visit our blog and check out some of the articles and guides that Matt’s written about regarding CASL and GDPR and some other privacy legislation. Thanks for tuning in.
