How to Ensure Your Email Marketing is GDPR Compliant


The GDPR has just come into effect across the EU and already the changes are being felt. The GDPR places a new onus upon businesses to gather informed and unambiguous consent for the way that they collect and use data from their users. At present, the GDPR doesn’t have an equivalent in US law, meaning that many businesses who operate internationally are scratching their heads trying to determine their compliance.

Wherever you are based, if your business is trading in the EU, you are required to abide by the provisions that are set out in GDPR. These new regulations have a direct impact on many common marketing practices in the EU. In some cases, they will necessitate a virtually total rethink of a business’ marketing strategy; in other cases, only a few minor tweaks are needed to bring them into line with GDPR.

How Does GDPR Affect Email Marketing?

The most prominent effect of GDPR is to require more open marketing practices. Recent events, culminating in the Facebook/Cambridge Analytica data scandal, have shone the spotlight on some of the opaque data collecting and analysing practices that have become common tools for marketers.

Anyone who is concerned about how GDPR will affect their marketing will want to act quickly to audit their current setup. This is certainly a situation where it is better to be safe than sorry. If you are in any doubt at all about your compliance, you should consult with a marketing firm.

For many businesses, email marketing under GDPR will remain largely the same. In some instances, businesses will have to change the way that they communicate with their customers, both before and during any email marketing campaigns. This is because GDPR mandates that consumers freely, knowingly, and willingly give their consent for their data to be used for marketing purposes.

Compliance is now judged according to three criteria. First, there are the new consumer opt-in permission rules. These stipulate that consumers must opt-in to marketing; consent should not be assumed. Businesses must also hold proof of the consent that they have obtained; this proof must be securely stored and accessible upon request. Finally, businesses must provide a mechanism by which a user can have their personal information removed from the business’ network.

For most businesses, the biggest change is going to be moving away from a soft opt-in or soft opt-out process to one where users give their explicit consent. Most businesses that are making the switch are going to note a drop in circulation, but do not be disheartened! Remember, those who are on your list now are the ones who have chosen to be there.

How Can I Ensure Compliance?

The GDPR should not prevent any business from being able to conduct marketing campaigns, but it will require that everyone treads carefully until we are all familiar with the new rules. As long as you are careful, and think things through, you should be able to market via email without falling afoul of GDPR.

The first thing to do is to carry out an audit of your current database. You need to ensure that you have all the relevant records of consent for every name in your database. Be prepared to scrap it and start again if necessary. This might be painful now, but the database you build won’t have the same flaws.

You need to make sure that any contacts you have in it have been acquired in a manner compliant with GDPR. For example, ask yourself if you were using a suitable opt-in practice at the time they signed up. GDPR requires that you keep track of where contact information is coming from, and that you have accurate records of when users submitted information to you. Under GDPR, you should always consider whether you can prove permission for any information you do have.

Rebuilding Contacts

If you find that you have to discard most or all of your existing customer database, this can be very disheartening. Your first instinct might be to email all of your old database members, asking them to provide you with the necessary consent. However, because GDPR applies retroactively, if you do not have the appropriate permissions from an individual contact, you cannot legally email them any marketing materials.

If you want to repopulate your mailing list quickly, you need to make sure that the way you do it complies with GDPR. For example, you are still free to buy contact lists if they are being offered, but the names on the list you buy must all have consented to their information being passed on.

In the long run, most people agree that GDPR is going to be good for consumers and businesses. These regulations will help to restore trust and confidence, which has been shaken in many people by the recent Cambridge Analytica scandal.