The General Data Protection Regulation (GDPR) came into effect in all European Union countries on 25 May 2018. It was created with the objective of giving European citizens greater control over their personal data. Personal data means any information that can be used to identify a person, directly or indirectly, through his or her personal details.
With this in mind, email addresses, profession, age, and gender, all come under the umbrella of personal data for the purposes of the GDPR. I will try to answer the question in three parts, where I will talk about what GDPR is all about at first, then look at the consequences of GDPR on email marketing and finally lay down some actionable insights that you could be looking to implement to become GDPR compliant.
What is GDPR all about?
Let’s talk about what this law is all about before we tackle how it affects email marketing. Under the GDPR, service providers and subcontractors are held accountable for any data that they handle. This means that it is necessary for them to clearly communicate to customers how they plan to use their personal data. And not only this, they must be transparent about the customer’s rights, such as requesting restriction of access to personal data, erasure of personal data, and/or rectification of the data. Any contact should be allowed to easily cancel and request the erasure of personal data as quickly as possible.
And at the same time, businesses must take preventive measures in order to protect the personal data of their clients. Businesses are now required to inform customers of any data breach or leakage that occurs on their end. If a business is found to be in violation, it faces fines ranging from 2% to 4% of its revenue or up to 20 million euros, whichever is higher. You can read more about GDPR regulations here.
The GDPR actually mandates certain businesses to bring on a ‘data privacy officer’ or a DPO in order to ensure compliance. However, this requirement is only for specific cases as below:
Public company
Companies whose core function is the regular and systematic processing of data
Companies dealing with sensitive data such as information on past convictions or criminal charges
Now that we have a bit more understanding on what the GDPR is and how it is going to affect businesses, let’s look at the consequences of the GDPR for email marketing.
GDPR consequences for email marketing
Opting-in: The most important thing to keep in mind for email marketers is that there’s a new definition of providing consent or opting in. Consent to the processing of personal data must now be given in the form of a clear ‘affirmative action’ (opt-in as opposed to opt-out or passive opt-in). Additionally, businesses will need to have proof that the contact has affirmatively opted in. And yes, this also means an end to the passive opt-ins, where one could acquire contact information by leaving the opt-in box checked by default.
Opt-out: You can no longer store the data of customers that have previously unsubscribed and have opted out.
In other words, you can only legally use lists that are 100% opt-in, and only if you can prove that these lists are opt-in. Hence, for most ESPs (Email Service Providers), you will need to show proof that your list is indeed opted in, meaning that you would need to re-confirm the consent of your contacts.
Profiling: Moving on to the topic of profiling, i.e. the use of automated processing of personal data in order to analyse, evaluate or predict user characteristics. The new law shields people from any automated decisions that are based on their profiling. You must now be thinking about your marketing automation workflows and how this affects them. Well, you can still use marketing automation workflows, provided that you do the following:
Notify your contacts
Give your contacts the option to opt out of the profiling up front
Moving on to the final part of the answer that covers some actionable steps that you can take, if you have not taken them already, in order to become GDPR compliant.
How to become GDPR compliant?
Evaluate if your current list is GDPR compliant
Did your contacts give their consent through opt in forms?
What was this consent given for? You cannot use the data for reasons other than what the user gave consent for.
Did you keep precise and secure records of all the opt ins you received?
The law states that minors under the age of 16 may not give their consent without consulting their parents. This requires you to review the personal data to identify minors and check that they have the consent of their parents.
Make sure you’re respecting your customers’ rights: Do you have procedures that give users up to date access to their own personal data? Here are some things that you should consider:
Review your confidentiality agreement for opting in. And make sure that users are clearly informed about how you plan to use their data.
You need to set up a form, contact page, or link in your newsletter. This makes it easy for contacts to request a copy or modification of their personal data. The data on your server belongs to the individual.
Set up a process for contacts to easily refuse to have their data used in profiling or automated decisions.
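The checklist above (proof of opt-in, purpose-bound use, minors needing parental consent, unsubscribe meaning erasure, a way to get a copy of one's data, and a profiling opt-out) can be turned into a small consent ledger that an email system consults before every send. The following is an added example written for this answer, not code from the original post or from any ESP; the field names, the form and token identifiers, and the sample contacts are all constructed for illustration.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ConsentRecord:
    """One affirmative opt-in, together with the evidence that it happened."""
    email: str
    purposes: Set[str]            # what the contact consented to, e.g. {"newsletter"}
    source: str                   # where the opt-in was captured (hypothetical form id)
    given_at: datetime            # when the affirmative action happened (UTC)
    proof: str                    # reference to retained evidence (hypothetical token id)
    age: Optional[int] = None     # only present if the signup asked for it
    parental_consent: bool = False
    profiling_opted_out: bool = False


class ConsentLedger:
    """Stores opt-in evidence and answers 'may I use this address for purpose X?'."""
    MINOR_AGE = 16  # threshold stated in the answer above

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def record_opt_in(self, rec: ConsentRecord) -> None:
        # An opt-in without retained proof cannot be demonstrated later, so refuse it.
        if not rec.proof:
            raise ValueError("opt-in without retained proof is not usable")
        self._records[rec.email.lower()] = rec

    def opt_out(self, email: str) -> None:
        # Unsubscribe means erasure: the address is not kept once consent is withdrawn.
        self._records.pop(email.lower(), None)

    erase = opt_out  # an erasure request takes the same path as an unsubscribe

    def can_email(self, email: str, purpose: str) -> Tuple[bool, str]:
        rec = self._records.get(email.lower())
        if rec is None:
            return False, "no opt-in on record"
        if purpose not in rec.purposes:
            return False, f"consent not given for '{purpose}'"
        if rec.age is not None and rec.age < self.MINOR_AGE and not rec.parental_consent:
            return False, "minor without parental consent"
        return True, "ok"

    def set_profiling_opt_out(self, email: str, opted_out: bool = True) -> None:
        rec = self._records.get(email.lower())
        if rec is not None:
            rec.profiling_opted_out = opted_out

    def can_profile(self, email: str) -> bool:
        rec = self._records.get(email.lower())
        return rec is not None and not rec.profiling_opted_out

    def export(self, email: str) -> Optional[dict]:
        # Copy of everything held about the contact, for an access request.
        rec = self._records.get(email.lower())
        if rec is None:
            return None
        data = asdict(rec)
        data["purposes"] = sorted(rec.purposes)
        data["given_at"] = rec.given_at.isoformat()
        return data

    def audit_minors(self) -> List[str]:
        # Addresses that need a parental-consent check before any further use.
        return sorted(
            r.email for r in self._records.values()
            if r.age is not None and r.age < self.MINOR_AGE and not r.parental_consent
        )


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample contacts (not real people) to exercise the ledger."""
    ledger = ConsentLedger()
    ts = datetime(2018, 6, 1, 9, 30, tzinfo=timezone.utc)
    ledger.record_opt_in(ConsentRecord(
        "alice@example.com", {"newsletter"}, "signup-form-v2", ts, "doi-token-0001"))
    ledger.record_opt_in(ConsentRecord(
        "bob@example.com", {"newsletter"}, "signup-form-v2", ts, "doi-token-0002", age=14))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(ledger.can_email("alice@example.com", "newsletter"))      # (True, 'ok')
    print(ledger.can_email("alice@example.com", "partner-offers"))  # consent not given
    print(ledger.audit_minors())                                    # ['bob@example.com']
```

Purpose is checked on every send rather than once at import time, so a list collected for a newsletter cannot silently be reused for a different campaign; and because unsubscribe and erasure share one path, there is no separate "suppressed but still stored" state to leak or forget.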
Make sure your work tools are GDPR compliant
The new law places a common responsibility on businesses and their service providers to be in compliance. To avoid getting penalized as a result of one of your work tools not complying with the GDPR, you should do the following:
Make a list of all the cloud services that host your customers’ personal data on their servers.
Ask them if they are GDPR compliant.
Re-evaluate your relationship with any tool that is not compliant with the new law.