Changes to the General Data Protection Regulation (GDPR) were announced in May 2016 and, if you are an email marketer in the UK, it’s time to listen up! The new GDPR becomes effective as of 25 May 2018 across all EU member states, leaving four months to review and update your email program. But don’t panic! Here’s a breakdown of what you need to know to ensure you’re well prepared for the changes to come.
What is the GDPR privacy law?
The GDPR is a new set of rules around data protection that aims to harmonize the current patchy rules around privacy laws across all EU member states. Put simply, it will give email marketers a much clearer piece of legislation that’s designed to give individuals better control, access, and security over their personal data. The goal of the legislation is for EU individuals to have more say over what organisations do with their data.
GDPR applies to all EU-based businesses, regardless of size or industry, that handle personal data. It also applies to international organisations not based within the EU if they offer goods or services to, or monitor the behaviour of, EU individuals. The GDPR definition of personal data is broader and more detailed than it was previously. It includes online identifiers such as IP addresses and other unique online or device IDs, identification numbers and location data, as well as encrypted or hashed personal data.
Why is this so important for email marketers?
Well, for starters, failure to comply could mean up to a €20 million fine or 4% of your organisation’s global turnover, whichever is greater. YIKES! Clearly, no marketer wants that.
The biggest change is that the GDPR has made the definition of consent stricter. This has the knock-on effect that the consent required to send marketing emails to people has also become stricter. This means that you may need to review your existing marketing consent mechanisms and ensure that any consent you have obtained is clear and unambiguous (e.g. an opt-in tickbox). You’ll also have to give recipients information about why you’re collecting their data and what you will do with it. GDPR also focuses further on the parameters around the age required for a person to give consent to use or access their personal data.
So, what can I do to get ready?
First, you need to be clear that your brand has obtained the address from the recipient and what you plan to do with it. One way of doing this is with subsequent opt-outs. This has always been an EU requirement and even dates back to CAN-SPAM. Recipients must be provided with a method of opting out of receiving further marketing communications, and this method must be simple and clear to the user. A second way is to remove recipients who have withdrawn consent and consider removing recipients who appear to have stopped engaging with your brand. Consent to send messages is not forever, and this is one of the easiest ways to maintain a good reputation with major mailbox providers.
The GDPR might seem like bad news for email, but the new rules can actually be a benefit to your organisation when it comes to engagement and overall email deliverability. In the final months leading up to 25 May 2018, it’s a good idea to take appropriate steps to adjust for it now. And, in any audits of your email program, remember that you can still offer a lot of value to your recipients and obtain a high ROI for your organisation even when following the strictest guidelines.
Note: This is for general informational purposes only and is not intended to constitute legal analysis or legal advice. You should contact a lawyer to find out more about your particular obligations under the GDPR.
About Scott Heimes
Scott Heimes serves as Chief Marketing Officer of SendGrid, where he is responsible for brand strategy, driving demand for its solutions and leading global marketing operations. Scott oversees corporate marketing, demand generation, corporate communications, partnerships and alliances, international expansion and SendGrid’s community development team. Before joining SendGrid, Scott was the Chief Marketing Officer of Digital River, where he led marketing and demand gen, communications, strategic planning, partnerships and managed Digital River’s marketing services businesses including the company’s direct-response marketing agency and its BlueHornet email service provider. Prior to joining Digital River, Scott was the Chief Marketing Officer for WebMD Health Services, where he ran the company’s marketing, product management, and long-term strategic planning. In prior positions, Scott served as a senior marketing executive at OptumHealth, a UnitedHealth Group company; Target Corporation and Target.com.