GDPR. We’re sure you’ve all heard of it by now. It’s an acronym that’s enough to strike fear in even the most experienced marketers.
Here’s a quick recap: The EU General Data Protection Regulation (GDPR) came into effect on the 25th May 2018. GDPR has been described as: “the most important change in data privacy regulation in 20 years. The regulation will fundamentally reshape the way in which data is handled across every sector, from healthcare to banking and beyond.”
Does GDPR affect me?
GDPR applies to all company sizes. Whether you’re a one-man-band or a multinational, you still need to comply with the regulation if you collect, store, and process customer data. If you’re based outside of the EU, but you operate within the EU and have European customers, the regulation still applies to you.
However, smaller companies that process less data and are not processing sensitive data have fewer obligations to follow. For example, not every company has to appoint a Data Protection Officer or carry out a data protection impact assessment.
The EU’s own definition of who is covered reads: “A company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
A company established outside the EU offering goods/services (paid or for free) or monitoring the behavior of individuals in the EU.”
Email marketing campaigns involve the processing of customer data and fall under the jurisdiction of GDPR. If you’re not sure about whether this applies to your business, you can read more on what constitutes data processing here.
Why should I comply?
We’ll keep the answer to why you should comply short and sweet: to avoid hefty fines.
Several high-profile cases are ongoing and could result in fines of up to 4% of a business’s annual turnover
A social network operator has been fined €20,000 for failing to secure users’ data
Google has been fined €50 million in France for a lack of consent on its ads
In fact, according to news site The Register: “European data protection agencies have issued fines totalling €56m for GDPR breaches since it was enforced last May, from more than 200,000 reported cases.”
Those are some very strong reasons for doing what you can to make sure your email marketing campaigns comply with GDPR.
How can I make sure my email marketing is GDPR compliant?
While GDPR doesn’t mean you have to throw out your old contact list and start a new one from scratch, there are some cases in which you will need to ask customers for their consent again.
Here is what the EU has to say on the matter: “Your company/organization obtained consent from clients a few years ago using a system of pre-ticked boxes online. It’s now clear that this manner of obtaining consent will not be valid as of 25 May 2018. Your company/organization will have to obtain consent again if it wishes to continue processing the data.”
To gain this consent, all you need to do is send customers an email asking for it. Nothing more than that.
However, if you’ve checked that you gathered consent to send emails in writing and complied with all the requirements of the GDPR, then you don’t need to ask again.
When you first start collecting customers’ personal data to use in an email marketing campaign, you must tell them clearly why you need the data, how you’ll be using it, and how long you intend to keep it. There is also a range of other information you must provide customers when collecting their data.
This means that using soft opt-in tactics such as assumed consent (for example, sending someone email newsletters after they downloaded your eBook) is no longer allowed. The best practice for email marketing under GDPR is double opt-in, where you ask customers to confirm their subscription via email (or text message/push notification).
Using data collected for other purposes
If you collect customer data for one purpose (with permission) then you cannot automatically use this data for another purpose; you have to ask the customer for their permission (again) to use it for this second purpose.
You also cannot forward this data to a third party without asking for your customers’ permission again.
Customers’ right to ask you to delete their data
Under GDPR, customers can ask you to delete the data you hold on them at any point, and it should be as easy to withdraw consent to store and process their data as it is to give it. This includes unsubscribing from email newsletters.
The EU gives this example: “You’re providing an online newsletter. Your client gives their consent to subscribe to the online newsletter that allows you to process all the data on their interests to build a profile of what articles they consult. One year on, they inform you that they no longer wish to receive the online newsletter. You must delete all personal data relating to that person collected in the context of the newsletter subscription from your database, including the profile(s) relating to that person.”
There are a few exceptions to this, which you can find out more about here.
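The three rules above (double opt-in rather than assumed consent, consent limited to the purpose it was given for, and withdrawal that erases the profile built under that consent) can be enforced in the subscription system itself. The following is an added, constructed example, not code from this page or from any marketing platform; the class name, the purpose labels and the in-memory storage are assumptions, and a real deployment would persist the records and send the confirmation email.

```python
import hashlib
import secrets
from datetime import datetime, timezone


class ConsentLedger:
    """Constructed example: consent records keyed by (email, purpose)."""

    def __init__(self):
        self._pending = {}   # sha256(token) -> (email, purpose) awaiting confirmation
        self._consents = {}  # (email, purpose) -> confirmation time (UTC)
        self._profiles = {}  # (email, purpose) -> interests built under that purpose

    def request_consent(self, email, purpose):
        # Double opt-in step 1: mint a single-use token to embed in the confirmation mail.
        # Only its hash is stored, so a copy of the ledger cannot be used to forge a confirmation.
        token = secrets.token_urlsafe(32)
        self._pending[hashlib.sha256(token.encode()).hexdigest()] = (email, purpose)
        return token

    def confirm(self, token):
        # Double opt-in step 2: consent exists only once the subscriber uses the token.
        entry = self._pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None:
            return False  # unknown, already used, or never requested: no consent recorded
        self._consents[entry] = datetime.now(timezone.utc)
        return True

    def may_process(self, email, purpose):
        # Purpose limitation: consent given for one purpose does not cover another.
        return (email, purpose) in self._consents

    def record_interest(self, email, purpose, article):
        # Profiling (which articles are read) is only allowed under a confirmed consent.
        if not self.may_process(email, purpose):
            raise PermissionError(f"no consent recorded for purpose {purpose!r}")
        self._profiles.setdefault((email, purpose), []).append(article)

    def withdraw(self, email, purpose):
        # Withdrawing is a single call: the consent and the profile built under it go together.
        self._consents.pop((email, purpose), None)
        self._profiles.pop((email, purpose), None)

    def profile(self, email, purpose):
        return list(self._profiles.get((email, purpose), []))
```

The confirmation timestamp kept in `_consents` is the record you would show an auditor to demonstrate when and for what purpose consent was given.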
Next steps for email marketing and GDPR
If you have yet to take steps to ensure your email marketing is GDPR compliant then you should first audit your contact list, noting where your customers are located and how you acquired them (and when).
Once you’ve ensured that your current email list is compliant, you need to put procedures in place to make sure that all customers are fully aware that you are processing their data, and that they can ask to have their information removed at any time.
As a small business, you might not have the time or expertise to do this in house. Marketing automation software platforms have this kind of functionality built-in, which gives you peace of mind that you are treating customer data properly, and that you won’t be liable for hefty fines.