GDPR, DORA, and Email Compliance in 2026: What Marketers Must Know
The Compliance Stakes Have Never Been Higher
Email marketing sits at the intersection of three converging regulatory forces in 2026: the mature but still-evolving GDPR enforcement regime, the newly effective Digital Operational Resilience Act (DORA) with its implications for technology vendors, and a wave of national data protection authority (DPA) enforcement actions that have made large fines a routine rather than a headline event.
The numbers are no longer theoretical. In 2025 alone, European DPAs issued over €1.8 billion in GDPR fines, with several explicitly targeting marketing departments for unlawful consent practices. In 2026, with DPAs now fully staffed and enforcement tooling mature, the question is not whether your organization will face scrutiny — it's whether you'll be prepared when it comes.
This isn't just a legal department problem. Marketers are the ones who design consent flows, manage subscriber lists, configure data retention rules, and choose the technology vendors who process subscriber data. Understanding the compliance landscape is now a core competency for any serious email marketer.
GDPR in 2026: What Has Changed and What Hasn't
The Consent Standard Has Tightened
GDPR's requirements for consent haven't changed in their fundamental text, but enforcement interpretation has shifted significantly. The “freely given, specific, informed, and unambiguous” standard is now interpreted very strictly by most European DPAs. In practice, this means:
- Pre-ticked boxes are unlawful everywhere: this was always the rule (the CJEU confirmed it in Planet49 in 2019), but DPAs are now actively fining organizations that still use them
- Bundled consent is increasingly challenged: consent for email marketing cannot be folded into acceptance of terms of service or into consent for other purposes
- Proof of consent is your responsibility: you must be able to demonstrate exactly when, how, and to what a subscriber consented. Vague records such as “signed up via website” are no longer sufficient
- Legitimate interest for B2B is narrowing: B2B email still has more room, but note that the “soft opt-in” (mailing existing customers about similar products, with an opt-out offered at collection and in every message) comes from the ePrivacy rules and is a separate, narrower exemption than legitimate interest under GDPR, and both are being challenged in multiple jurisdictions
Data Subject Rights Enforcement
The right to erasure, the right to access, and the right to data portability have been statutory requirements since 2018, but in 2026 data subject rights requests have become a practical operational challenge for marketing teams. GDPR does not mandate automation, but it does mandate a response within one month, and a manual process that has to search the ESP, the CRM, the analytics platform and backups rarely meets that deadline at scale. Automated handling is therefore a functional requirement in practice.
Key operational requirements for 2026:
- Erasure requests must be honored without undue delay and at the latest within one month (extendable by two further months for complex or numerous requests, provided you tell the subject within the first month). That covers live systems, any third party you have shared the data with (Article 19 requires you to notify each recipient), and backups, where DPAs generally accept that the data is put beyond use immediately and physically erased on the next backup cycle
- Access requests require you to provide a complete picture of all data you hold on a subject: this includes behavioral data, engagement scores, and any inferred attributes
- Data portability means providing the data in a “structured, commonly used and machine-readable format” (Article 20), such as CSV or JSON; a PDF export is not sufficient
Data Retention: The Overlooked Compliance Gap
If there is one area where marketing organizations are most consistently non-compliant in 2026, it's data retention. GDPR's storage limitation principle requires that personal data be kept “no longer than is necessary for the purposes for which the personal data are processed.” Yet most organizations have email lists containing subscribers who consented years ago, have never engaged, and for whom there is no legitimate reason to continue storing data.
MailerBit's compliance features include automated data retention scheduling, so you can configure deletion rules that run automatically — ensuring your list stays clean and compliant without manual intervention.
DORA: What Email Marketers in Financial Services Need to Know
The Digital Operational Resilience Act has applied across the EU since 17 January 2025, and its implications are still being worked through by compliance teams. DORA primarily targets financial entities (banks, insurance companies, investment firms, payment processors) and their ICT (information and communications technology) service providers.
How DORA Affects Email Marketing Operations
If your organization is a financial entity under DORA, your email marketing platform is an ICT third-party service provider. If transactional or regulatory customer communications run through the same platform, it may also support a critical or important function, which brings the stricter third-party requirements of Articles 28 to 30 into play. This has concrete implications:
- Vendor due diligence: You must conduct formal risk assessments of your email service provider, including their resilience, security practices, data handling, and incident response capabilities
- Contractual requirements: DORA mandates specific contractual provisions with ICT vendors, including audit rights, service level agreements, data location requirements, and exit strategies
- Incident reporting: major ICT-related incidents, which can include a data breach at your email provider or a delivery outage that meets DORA's materiality thresholds, must be reported by the financial entity (not the vendor) to its competent authority on a fixed timeline: an initial notification within four hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report, and a final report. Your contract therefore needs to oblige the provider to notify you fast enough for you to meet those deadlines
- Concentration risk: Financial entities must assess and manage the risk of over-reliance on a single ICT provider, including email service providers
A quick self-check for financial entities:
- Is your email platform documented in your ICT third-party register?
- Does your contract with the email provider include the DORA-mandated clauses?
- Have you assessed the provider's data center location and resilience capabilities?
- Do you have an exit strategy if the provider fails or is acquired?
- Are major email incidents included in your ICT incident reporting workflow?
MailerBit operates with EU data hosting. DORA requires the contract with an ICT provider to state where data is processed and stored, so a provider with documented EU-only hosting simplifies that part of the contractual documentation for European financial entities.
Audit Trails: Building a Defensible Compliance Record
In any regulatory investigation or enforcement action, your ability to demonstrate compliance depends on documentation. For email marketing, a defensible audit trail includes:
Consent Records
For every subscriber, you should be able to produce: the exact date and time of consent, the IP address at time of consent, the specific consent language presented, the version of your privacy policy in effect at that time, and the mechanism through which consent was given (specific form, API source, etc.). Store the wording the subscriber actually saw, or a versioned copy of it, rather than a label such as “newsletter checkbox”. Note that the IP address is itself personal data, so keep it only as consent evidence and cover it in your retention rules.
Campaign Records
Retain records of every campaign sent: who received it, what the content was, when it was sent, and what the stated legal basis was. In the event of a complaint you need to reconstruct the exact email a specific subscriber received on a specific date, which means keeping each rendered variant (personalization, A/B arms, dynamic content), not just the template.
Data Processing Records
Under GDPR Article 30, most organizations must maintain a Record of Processing Activities (ROPA). Your email marketing activities, including data flows to your ESP, any behavioral tracking, and data sharing with ad platforms, must be documented in your ROPA. The small-enterprise exemption in Article 30(5) rarely helps here, because regular marketing processing is not “occasional”.
Deletion Records
Paradoxically, you must keep records of deletions. When you honor an erasure request, you need a record that the erasure was completed, when it was completed, and what systems were involved — without retaining the personal data itself.
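Putting the four record types together, here is an added example (written for this article, not MailerBit's code) of an audit ledger that keeps consent evidence and campaign sends per subscriber, can reconstruct the exact rendered email, and honors an erasure by dropping every record naming the subject while keeping a tombstone built from a keyed hash. The field names, the PSEUDONYM_KEY secret and the sample subscribers are assumptions.

```python
"""Append-only audit ledger for consents, campaign sends and erasures.
Added example, not MailerBit code; names and the pseudonym key are assumptions."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumption: server-side secret used to pseudonymise addresses in deletion
# records. In production keep it in a secrets manager, never in source.
PSEUDONYM_KEY = b"example-only-key-rotate-me"

def normalise(email: str) -> str:
    return email.strip().lower()

def pseudonym(email: str) -> str:
    """Keyed hash of the address: proves later that this subject was erased,
    and supports a suppression check, without storing the address itself."""
    return hmac.new(PSEUDONYM_KEY, normalise(email).encode(), hashlib.sha256).hexdigest()

@dataclass
class ConsentRecord:
    email: str
    consented_at: datetime  # exact UTC timestamp
    ip: str                 # IP at time of consent (personal data in its own right)
    consent_text: str       # the wording the subscriber actually saw
    policy_version: str     # privacy policy in force at that time
    mechanism: str          # e.g. "signup-form-v3" or "api:crm-sync"

@dataclass
class SendRecord:
    campaign_id: str
    email: str
    sent_at: datetime
    body_hash: str          # key into Ledger.content_store
    legal_basis: str        # "consent" or "legitimate-interest"

@dataclass
class ErasureRecord:
    subject: str            # pseudonym, never the address
    erased_at: datetime
    systems: list[str]      # every system the erasure was propagated to
    consents_removed: int
    sends_removed: int

@dataclass
class Ledger:
    consents: list[ConsentRecord] = field(default_factory=list)
    sends: list[SendRecord] = field(default_factory=list)
    content_store: dict[str, str] = field(default_factory=dict)  # body hash -> rendered body
    erasures: list[ErasureRecord] = field(default_factory=list)

    def record_consent(self, email, ip, consent_text, policy_version, mechanism, at):
        self.consents.append(ConsentRecord(normalise(email), at, ip, consent_text, policy_version, mechanism))

    def record_send(self, campaign_id, email, rendered_body, legal_basis, at):
        # Each distinct rendering (personalisation, A/B arm) is stored once by hash,
        # so the exact email is recoverable and erasing a subject never deletes content.
        h = hashlib.sha256(rendered_body.encode()).hexdigest()
        self.content_store.setdefault(h, rendered_body)
        self.sends.append(SendRecord(campaign_id, normalise(email), at, h, legal_basis))

    def reconstruct(self, email, campaign_id):
        """The exact body this subscriber received for a campaign, or None."""
        e = normalise(email)
        for s in self.sends:
            if s.email == e and s.campaign_id == campaign_id:
                return self.content_store[s.body_hash]
        return None

    def erase(self, email, systems, at):
        """Drop every record naming the subject; keep a tombstone that proves it."""
        e = normalise(email)
        kept_consents = [c for c in self.consents if c.email != e]
        kept_sends = [s for s in self.sends if s.email != e]
        tomb = ErasureRecord(pseudonym(e), at, list(systems),
                             len(self.consents) - len(kept_consents),
                             len(self.sends) - len(kept_sends))
        self.consents, self.sends = kept_consents, kept_sends
        self.erasures.append(tomb)
        return tomb

    def is_suppressed(self, email):
        """Run before any list import: an erased subject must not reappear via a third-party file."""
        p = pseudonym(email)
        return any(t.subject == p for t in self.erasures)

    def contains_address(self, email):
        e = normalise(email)
        return any(c.email == e for c in self.consents) or any(s.email == e for s in self.sends)

def demo():
    """Constructed sample: two subscribers, one campaign, one erasure request."""
    t = datetime(2026, 1, 10, 9, 30, tzinfo=timezone.utc)
    led = Ledger()
    for addr, ip in (("Alice@Example.com", "203.0.113.7"), ("bob@example.com", "198.51.100.2")):
        led.record_consent(addr, ip, "Yes, send me the monthly newsletter", "privacy-v4", "signup-form-v3", t)
    led.record_send("C-2026-01", "alice@example.com", "Hello Alice, here is January's issue.", "consent", t)
    led.record_send("C-2026-01", "bob@example.com", "Hello Bob, here is January's issue.", "consent", t)
    led.erase("alice@example.com", ["esp", "crm", "analytics"], t)
    return led
```

Keying the hash (HMAC) rather than using a plain SHA-256 matters: email addresses have low entropy, so an unkeyed hash can be reversed by hashing a candidate list, which would turn the deletion record into a copy of the personal data you claim to have erased. The tombstone also doubles as a suppression check, so a subject you erased last year is not silently re-added by a CSV import from another team.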
Practical Compliance Roadmap for 2026
For most marketing teams, achieving and maintaining email compliance in 2026 means addressing these priorities:
- Consent audit: Review how consent was obtained for every segment of your list. Identify records where consent documentation is insufficient and either re-consent or delete.
- Retention policy: Define and implement clear retention rules. Configure automated deletion for inactive subscribers beyond your retention threshold.
- Vendor assessment: If you're in a regulated sector, formally document your ESP in your third-party risk register and ensure your contract meets current requirements.
- DSR workflow: Implement automated handling for data subject rights requests. Ensure deletion requests propagate to all connected systems, not just your email platform.
- Training: Ensure your marketing team understands the practical compliance obligations. Compliance failures in marketing are rarely malicious; they are usually the result of teams that haven't been trained to ask the right questions.
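As an added example (not MailerBit's retention feature) of how the consent audit and the retention policy above can run as a single sweep, the following classifies each subscriber as keep, re-consent, delete or hold. The 24-month inactivity threshold, the set of required evidence fields and the legal-hold flag are assumptions, and the subscribers are constructed sample data.

```python
"""Retention and consent-evidence sweep over a subscriber list.
Added example, not MailerBit code; thresholds and field names are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fields a consent record must carry to count as documented (assumed minimum set).
REQUIRED_EVIDENCE = ("consented_at", "consent_text", "policy_version", "mechanism")


@dataclass
class Subscriber:
    email: str
    consented_at: Optional[datetime]
    consent_text: Optional[str]
    policy_version: Optional[str]
    mechanism: Optional[str]
    last_engaged_at: Optional[datetime]  # last open or click; None if never
    legal_hold: bool = False  # assumption: an open complaint or DSR freezes deletion


@dataclass(frozen=True)
class Policy:
    inactive_after: timedelta = timedelta(days=730)  # assumed 24-month threshold


def missing_evidence(s: Subscriber) -> list[str]:
    """Names of the consent-evidence fields that are absent for this subscriber."""
    return [f for f in REQUIRED_EVIDENCE if getattr(s, f) in (None, "")]


def classify(s: Subscriber, policy: Policy, now: datetime) -> str:
    """Decide what the sweep does with one subscriber.

    hold      - deletion frozen; never auto-delete data that is evidence in a dispute
    delete    - no engagement since consent for longer than the threshold,
                or neither a consent date nor any engagement at all
    reconsent - still active, but the consent evidence is incomplete
    keep      - active with complete evidence
    """
    if s.legal_hold:
        return "hold"
    last_activity = s.last_engaged_at or s.consented_at
    if last_activity is None or now - last_activity > policy.inactive_after:
        return "delete"
    if missing_evidence(s):
        return "reconsent"
    return "keep"


def sweep(subscribers: list[Subscriber], policy: Policy, now: datetime) -> dict[str, list[str]]:
    buckets: dict[str, list[str]] = {"hold": [], "delete": [], "reconsent": [], "keep": []}
    for s in subscribers:
        buckets[classify(s, policy, now)].append(s.email)
    return buckets


def sample_list() -> list[Subscriber]:
    """Constructed sample data covering each bucket."""
    u = timezone.utc
    newsletter = "Yes, send me the newsletter"
    return [
        Subscriber("keep@example.com", datetime(2023, 1, 5, tzinfo=u), newsletter,
                   "privacy-v3", "signup-form-v2", datetime(2026, 1, 20, tzinfo=u)),
        Subscriber("stale@example.com", datetime(2021, 6, 1, tzinfo=u), newsletter,
                   "privacy-v2", "signup-form-v1", None),
        Subscriber("undocumented@example.com", datetime(2025, 9, 1, tzinfo=u), None,
                   None, "csv-import", datetime(2026, 2, 2, tzinfo=u)),
        Subscriber("disputed@example.com", datetime(2020, 1, 1, tzinfo=u), newsletter,
                   "privacy-v1", "signup-form-v1", None, legal_hold=True),
        Subscriber("nodate@example.com", None, None, None, None, None),
    ]


def run_sweep(now: Optional[datetime] = None) -> dict[str, list[str]]:
    """Run the sweep on the sample list as of a fixed date (assumed 1 March 2026)."""
    return sweep(sample_list(), Policy(), now or datetime(2026, 3, 1, tzinfo=timezone.utc))
```

The hold bucket is the edge case teams forget: a retention rule must not destroy records that are evidence in a pending complaint or an open rights request. Treat the delete bucket as a report to review against your DSR queue before anything is removed, and log each removal as a deletion record so the sweep itself leaves an audit trail.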
MailerBit has been built with European compliance requirements at its core: EU data hosting, full consent timestamp logging, automated retention management, GDPR-aligned data subject rights tooling, and the contractual transparency that regulated-sector customers require. Compliance is complex, but your infrastructure doesn't have to make it harder.