Are Your Email Marketing Practices GDPR-compliant?
Summary: With almost the deadline for implementing GDPR closing in, marketers are having mixed reactions about it. In this article, the Monks shine some light on the benefits of being GDPR-compliant and the steps email marketers need to take in order to be GDPR-compliant.
Disclaimer: The information provided here are only for better understanding of the different regulations collectively implemented as GDPR. This is just for knowledge sharing purpose only and is not to be considered as legal advice. You are requested to consult an attorney before implementations to avoid any legal hassles. By reading this article you indemnify EmailMonks of any legal implications and cannot hold it responsible for any action pertaining to the information shared in this article.
The General Data Protection Regulation (GDPR) was adopted on 27th April 2016,and it’s (most-feared) bindings is soon to come true – effective from 25th May 2018. While many are cool about it, most marketers have been discussing about the consequences of not following it.
While the penalty for companies not abiding to the GDPR have a huge price to pay (a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover), email marketers who have been following the best practices of email marketing don’t need to break a sweat.
What is GDPR and how will it influence email marketing globally?
GDPR is a regulation that is set to replace an already outdated Data Protection Directive that was implemented in 1995 for European Union. The GDPR was formulated to monitor and protect the personal data of European Union citizens.
The global influence of GDPR is significant since it is a regulation instead of a directive. GDPR is legally binding and hence extends the scope of protection and scrutiny to any company that collects/deals with EU personal data, even if the company may or may not be based in the EU.
The influence of GDPR in email marketing domain lies in the definition of personal data. Any information that could be used, on its own or in conjunction with other data, to identify an individual is considered as personal data. Which means the name and email address that you have collected from a signup form entitles your Company to be bound by GDPR policies.
What are the key changes implemented in GDPR that affects me?
Obtaining consent: Whenever you are collecting email addresses for adding to your mailing list, the subscriber needs to provide unambiguous consent for it. This means you need to educate the subscriber about what you shall do with their email address, even if it means you shall be monitoring the metrics. And once they agree with a ‘clear affirmative action’, only then you can send them an email. To make matters worse, you also need to get similar permissions from existing email addresses in your mailing list that were collected before 25th May 2018.
Right to access: The subscriber has the right to obtain the confirmation as the data collected is being solely used for the purpose it was collected for. Additionally, the copy of data needs to be provided free of cost in an electronic format.
Right to be forgotten: On being requested to be forgotten, any personal data pertaining to the subscriber needs to be erased. This includes all the data sources including and not restricted to backups and non-production storages also.
Breach notification:In a situation that your data is breached, it needs to be notified within 72 hours of being aware of data breach. Additionally, data processors need to notify their customers and controllers without undue delay.
Territorial-free jurisdiction: As stated earlier, all the above stated pre-requisites are all applicable on you as soon as you process personal data from any EU resident. This is not restricted to organizations that are in EU but those outside EU if they offer goods and services to EU residents.
What are the steps that I need to take?
Preparing for GDPR is exhaustive but not difficult. To set the proverbial ball rolling, you can follow the following steps:
- Sift through your existing mailing list:
Deeply comb through your mailing list and weed out your inactive subscribers, especially those belonging to EU countries. Second, send an email to your active subscribers asking for their consent for being enrolled into a mailing list. Only when they have provided affirmation, you add their consent into a log / records that can be presented on investigation and send them a confirmation email. This makes them eligible to receive your emails. Silence or no reply from your subscribers means that no consent was given, and they should not be mailed.
- Keep a clear record of your email marketing practices:
Maintain a record of all the emails that you collect in future. The record should have following information:
- Adopt the newly implemented changes for those who subscribe from this day further:
Once the onboarding process for your existing subscribers are streamlined, implement it for your newer subscribers. In no case should you buy a list (which has been a strict no-no even before GDPR was adopted) or use misleading terms to collect email addresses.
- Provide an easy gateway for subscribers wishing to unsubscribe:
You can’t impress everyone all the time. For those who no longer wish to be a part of your mailing list, a visible unsubscribe link should be provided in each marketing email where your subscriber has the option to:
- Unsubscribe to this marketing communication
- Unsubscribe to all your communications
- Implement data security best practices to avoid data leaks: As stated earlier, data breached needs to be notified immediately, but by implementing best practices to avoid any data leaks and make use of pseudonymization solutions.
- Ensure that all tools that you use are also GDPR-compliant: Unless you have an in-house solution for your email marketing, you need to ensure that your CRM, lead-forms creating tools, ESPs and many tools that you rely on are GDPR compliant.
Few Examples of brands implementing GDPR
Sainsbury provides a clear cut optin on whether the subscriber would like to hear from there.
PageFair lists out detailed information about the data right a visitor has when they subscribe to the services. Additionally, they also provide informative links about their rights as well as whom to contact if they feel their data is being misused.
Center of Developing Child, which is a department of Harvard University, sent emails to their existing subscribers and promoting them to re-confirm their subscription.
Why GDPR implementation is good news for you?
|Your subscribers shall appreciate the transparency that permission-based marketing brings with it. The transparency translates into brand trust and subscribers will feel empowered when the power of choice is in their hands.|
|After implementation of GDPR practices, your mailing list shall be pruned and will only consist of those subscribers who are genuinely interested in engaging with your emails. This will greatly improve the list quality as well as substantially reduce the unsubscribes.|
If you have further inquiry about GDPR, consult an expert and attorney before you move ahead with your email marketing practices.
Some more Reference to gain knowledge of GDPR:
- Forbes.com – GDPR: Is Your Company Ready?
- What does GDPR mean for B2B marketing
- Monster Terms of GDPR
- ReturnPath has compiled a list of GDPR related article: ReturnPath GDPR
- eConsultancy – GDPR: 15 (good & bad) examples of repermissioning emails & campaigns