GDPR and Customer Emails

No one can escape the fact that GDPR is coming into force next month, meaning that all businesses that hold personal data on individuals based in the EU will need to comply with the new regulations on or before 25th May.

What does this mean from a marketing standpoint, and, in particular for email marketing?

Under GDPR there must be a valid and lawful basis for processing a person’s data. There are six to choose from, and for any form of direct marketing, such as an email newsletter, our view is that consent is the most valid basis. Consent is the legal justification as to why you are sending someone an email, and under GDPR you will need to prove you have an individual’s consent by demonstrating the following:

  • Consent has been freely given, and that an individual has not been misled, intimidated or negatively impacted by withholding consent. A service must still be provided even if consent is not given.
  • The consent is specific - consent will be required for each activity you wish to undertake. If you have several brands from which you send out marketing newsletters, then consent needs to be given for each of those brands.
  • The individual has been informed, and fully understands what they are going to get and why. Make sure you have an up-to-date privacy notice that is easily accessible to an individual when consenting.
  • The language used is clear, simple and unambiguous.
  • Your request is clear and affirmative. Under GDPR pre-ticked boxes are no longer allowed.
  • You have proof, and are keeping clear records of a person’s consent demonstrating that they knew what they were signing up for and agreed on that basis. You also need to regularly review your list and records, to ensure that consent remains appropriate and valid.
  • Consent can be easily withdrawn, so in the case of a marketing email, the person must be able to unsubscribe easily at any given time.

So, how should your marketing department prepare for GDPR? We recommend including the following areas in your approach to GDPR compliance:

  1. Thoroughly audit all the data that you hold within your business.
  2. Ensure that you have adequate records that demonstrate that you are already complying with all the GDPR consent criteria above, and that you can prove it.
  3. If you can’t prove that you have consent from everyone on your list, then consider sending an email asking each person to re-consent to receiving your emails. Remember that from 25th May, if you can’t prove consent, then you can’t send that person an email!

For B2B companies, if you are sending marketing emails to another business, you will most likely have to look at both the GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR), as you will need to know whether you are sending emails to corporate subscribers or individual subscribers. More detail on this can be found in the ICO’s Guide to PECR.

Failure to comply could result in a fine, and no one wants the hassle and inconvenience of an investigation into non-compliance.

We have only touched on the GDPR here, focusing solely on direct marketing. If you require further information or guidance on how GDPR may affect other areas of your business, visit the ICO.