GDPR is a regulation that affects the management of personal data of all citizens and residents living on the European Union territory, even if it is processed or stored by companies outside the European Economic Area’s geographical borders. International companies that provide services or track activities inside the EU must also comply.
Personal data is any information that allows a person to be identified, directly or indirectly, without disproportionate time or effort. Common examples include a phone number, an email address, an ID number, biometric and medical records, an IP address, and cookies. For the purposes of email marketing, almost any customer data you collect falls under that definition.
Personal data processing follows a set of principles. You can read the original text explaining them in Article 5. GDPR is essentially about:
Companies that fail to comply could face a fine of up to €20 million ($24.1 million) or 4% of annual global turnover, whichever is higher. The authority that is tasked with ensuring compliance is called the Information Commissioner’s Office (ICO). While more fines are issued every year, the chances of the regulator targeting your brand with an adherence check are still relatively low — they mostly follow up on headline-worthy data breaches. Of course, there remains a possibility of the ICO looking into your organization, so the best thing you can do is make the necessary changes now and continue with business as usual.
GDPR has a chapter dedicated to the data subjects’ rights in general terms:
The rights give individuals more control and understanding as to what happens to their personal data. You can learn more about how data subjects exercise their rights in the FAQ section on dealing with citizens on the European Union’s official website.
How does it apply to email marketing?
The common practices associated with GDPR rights during email marketing campaigns are:
GDPR is not only about how you handle data, but also about what data you keep and how you store it. Along with compliance, that means email archive optimization, since all unused messages and contacts will have to be removed. When working with a third-party mailing service, make certain that they are compliant with these policies as well.
Strictly speaking, GDPR does not list encryption as one of the mandatory practices but mentions it in several chapters of the regulation as an additional measure to mitigate security threats. You need to protect any personal information you collect, store, and interact with from unauthorized access and tampering. And encryption is one of the most reliable ways to safely transmit and store data.
There is a website that keeps track of GDPR fines together with the reason each one was issued. You can look at the records filed under Art. 32 (1) (b) to see that the financial penalties for inadequate security measures are quite serious.
Keep in mind that attackers may also go after your company from the inside: most commonly by sending phishing emails to your employees in the hope of stealing their login credentials.
GDPR doesn’t give any exact information on how long you should retain emails. However, it does state that you must only keep any personal data for as long as it serves the original purpose. You should introduce an email retention policy or revisit your existing one to check that you are not keeping excessive amounts of data that can put you at risk. Consider archiving software to set automated retention rules and don’t forget to keep track of other retention period guidelines legally enforced for your industry.
Consent is one of the key concepts in GDPR, and it is essential for email marketing. All subscribers must give informed and unambiguous consent to receive emails. They have to know what exactly they are going to receive — promotional materials, weekly blog updates, monthly content digests, etc. — and be able to choose one or neither of them when leaving their contacts.
One of the best practices to achieve that is the use of double opt-ins: first, you need a user to actively tick a confirmation checkbox in the sign-up form, and then click on the link of a follow-up email to verify their intention.
As a first step, include an unticked checkbox in the email sign-up form. There are several ways to encourage subscription without tricking people into it, like email subscription forms on websites or social media posts. If a customer is leaving their email to download a guide or get a quote, you may add an optional checkbox with an invitation to subscribe, but make sure it does not stand in the way of them completing the original action.
Shortly after a user completes the form, send them a follow-up email asking to confirm their address. Keep it short and make sure it serves the single purpose of obtaining repeated consent.
Double opt-ins lead to lower subscriber conversion, as some people skip the additional confirmation step. Still, they are not a limitation: at the very least, you won’t be spending money on inactive email addresses or accidental subscribers, and campaign engagement and deliverability rates will ultimately be higher. Look at consent as a way to create a long-term relationship with your customers by giving them transparent choices and continuous control over how you handle their personal data.
According to GDPR, requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language”.
As most of us tend to skip Terms & Conditions altogether or simply glance over them before marking that checkbox, don’t leave any room for confusion. Make your consent form stand out with its own checkbox and, most importantly, separate the consent form from your Terms & Conditions.
Withdrawing consent is also a right under GDPR, so include that option in every promotional email you send. If your users have a subscription management section in their accounts, this is also a good place to notify them of that feature. Consider adding a permission reminder underneath the unsubscribe button, explaining why a subscriber received this offer in the first place.
If a user has trouble opting out, they may simply mark your emails as spam to stop seeing them in their inbox, which can hurt your deliverability rates. Unsubscribing isn’t a bad thing: people that are no longer interested in the products or services you offer are not your target audience anyway.
You need to keep a digital log of the date, time, and source of consent for each email address in your database. Usually, the information comes from your sign-up form, but it can also be digitized from, say, filled-in questionnaires or business cards collected at offline events. Maintain an archive of some kind — in your CRM, mailing service, or other data management system — with copies of the relevant documents or data capture forms and appropriate timestamps.
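The double opt-in flow described above (an actively ticked box, then a confirmation link) and the consent evidence log it feeds, as an added example that is not code from the original article. It assumes an in-memory store, an HMAC-signed confirmation token with a 48-hour expiry, and a caller-supplied epoch time for testability; the secret, topics and sources are constructed values.

```python
import hashlib, hmac, secrets, time

SECRET = b"constructed-example-secret"  # hypothetical; load from a secrets manager
TOKEN_TTL = 48 * 3600                   # confirmation links expire after 48 hours


def _ts(now):
    # Epoch seconds; callers may inject a fixed time for deterministic tests.
    return int(time.time() if now is None else now)


def make_token(email, issued, nonce):
    """HMAC over the sign-up details, so a confirmation link cannot be forged."""
    msg = f"{email}|{issued}|{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class ConsentStore:
    def __init__(self):
        self.pending = {}  # email -> sign-up awaiting confirmation
        self.log = []      # evidence: who consented to what, when, and from where

    def start_signup(self, email, topics, source, checkbox_ticked, now=None):
        """Step 1: user actively ticks the box; returns the token for the email link."""
        if not checkbox_ticked or not topics:
            raise ValueError("no active consent: box unticked or no topic chosen")
        issued, nonce = _ts(now), secrets.token_hex(8)
        self.pending[email] = {"issued": issued, "nonce": nonce,
                               "topics": list(topics), "source": source}
        return make_token(email, issued, nonce)

    def confirm(self, email, token, now=None):
        """Step 2: link clicked; verify token and expiry, then log the consent."""
        entry, now = self.pending.get(email), _ts(now)
        if entry is None or now - entry["issued"] > TOKEN_TTL:
            return False
        if not hmac.compare_digest(make_token(email, entry["issued"], entry["nonce"]), token):
            return False
        self.log.append({"email": email, "action": "opt_in", "topics": entry["topics"],
                         "source": entry["source"], "signup_at": entry["issued"],
                         "confirmed_at": now})
        del self.pending[email]  # token is single use
        return True

    def withdraw(self, email, now=None):
        # Unsubscribe: append a withdrawal record instead of erasing the history.
        self.log.append({"email": email, "action": "withdraw", "at": _ts(now)})

    def topics_for(self, email):
        # Current consent, replayed from the log; empty after a withdrawal.
        topics = []
        for rec in (r for r in self.log if r["email"] == email):
            topics = rec["topics"] if rec["action"] == "opt_in" else []
        return topics
```

Unconfirmed sign-ups never enter the log, so only addresses with a verified, timestamped consent record are ever mailed.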
GDPR doesn’t differentiate between your previous and current activities. Review all your subscription forms from before the regulation came into effect. Remove excessive fields that require users to provide data you cannot justify using. Get rid of pre-ticked boxes and add links to your updated privacy policy statement. Use the dos and don’ts from this article as a reference for your opt-in forms.
Now that we’ve covered the general information on GDPR, we can look at steps you can take to ensure compliant marketing. For a comprehensive overview of the laws and regulations concerning email besides GDPR, you can refer to our dedicated article on email compliance.
GDPR is a set of legally enforced regulations on personal data processing that apply to all companies working with EU citizens or residents. Local and international businesses that send promotional emails to clients living in the EU also have to comply.
GDPR is not a limitation for your marketing efforts. If there are subscribers that do not want to receive updates from you, keeping them just for the sake of numbers is ineffective anyway. Stay compliant and focus on building customer relationships based on transparency.