How Email Marketing Will Be Affected By The EU GDPR?

How email marketing will be affected by the EU GDPR?

In may 2018 the General Data Protection Regulation (or GDPR as most of us call it) will come into effect. It will affect businesses of all sizes by changing the way data on EU citizens is collected and used. When they refer to data this means personally identifiable information; so any data that could be used to track or identify an individual (e.g address, name) will be covered by these regulations (and ‘Regulations’ have binding legal force throughout every member state so WILL affect the UK).

Email marketing depends on this gathering of data and use of it so we’re going to cover in what ways GDPR will affect email marketing and how any email marketer can become compliant.

The GDPR regulation emphasises that the controller (Essentially the party collecting data) shall be responsible for, and be able to demonstrate compliance with the 6 new principles; so first of all let’s clarify the 6 GDPR data requirements

1. Individuals data should be processed lawfully, fairly and transparently

2. Individuals data should be collected for specified, explicit and legitimate purposes and not further processed in a way that renders it incompatible

3. Data should be adequate, relevant and limited to what is necessary in relation to the purposes of its original collection

4. Data collected should be accurate and kept up to date when necessary, every reasonable step should be taken to ensure that personal data is accurate and inaccurate data is erased or rectified without delay

5. Data is only kept in a form that permits identification of data subjects for only as long as is necessary for the purposes for which they have been collected

6. Individuals data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Now in layman's terms what does this means:

1. Data should only be collected and/or stored if there is a legitimate reason

2. Information should collected for a specific reason and not processed for any other reason

3. Customer/Client data should be collected for the same reason they are asked to provide it.

If you say you're collecting names and emails for your newsletter, that’s all it should be used for

1. This one is simple, data should be accurate and if it’s not, it should be deleted

2. Once data has been used for the purpose it was collected, it should not be stored in a manner that will allow identification of individuals

If you’ve collected names and addresses for delivery purposes, this will have to be encrypted or otherwise altered so you can’t identify these names and address as belonging to any individual

1. Keep any stored data you have safe from hacking, loss or damage and accidently being used for the wrong purposes

The onus is on you to ensure any data you stored is not used for any other purposes than that which it was collected for...and to keep out hackers, mitigate the chances of it being lost or stolen by encrypting it and taking security measures with both hardware and software involved

So how will this affect email marketing?

Well if you conduct any form of email marketing, GDPR affects you directly as you’re using personal information. GDPR will affect the way in which you collect email addresses and additional information as well as the way you store and use it.

Collecting customer/client data in compliance with GDPR

When collecting user data these days marketers tend to try and make the process as succinct as possible and in the process this can mean not fully getting informed consent from users when collecting their data. This isn’t a case of intentionally misleading people, but more of cutting corners.

In order to be compliant with GDPR when collecting data it’s important to spell out exactly what a user's data will be used for, how it will be stored and for how long.

So in the instance of collecting user data for your businesses weekly newsletter, it’d be important to let users know their email address is being collected for “the weekly customer newsletter” and that you will not use this for anything else, and that they can of course unsubscribe from this at any point and request that their data be deleted.

Storing customer/client data in compliance with GDPR

When storing user data most businesses already know the importance of securing and protecting this, and not just because it’s the decent thing to do, but because this data is highly valuable to your business.

Ensuring your customer/client data is kept encrypted is a good start, however you may need to go a step further. Since the burden is on you to ensure that information cannot be used to identify any individual, it may be a good idea to use another level of security, by separating key information for each individual separate.

Take this example, a customer may be referred to as CDB1 in your customer database, it may be seen that they’ve made several purchases in the previous months, but nothing much else can be seen. In order to find out who this customer is, you would need to access a separate database in which you can search for who CDB1 is. This separation of information acts as a fail safe; if one database is compromised, not all data would be taken.

Using customer/client data in compliance with GDPR

When using data you have collected, in order to be compliant with GDPR you must stick to the purpose the information was collected for; if data was collected for a newsletter that is what it must be used for, and nothing else, (This means no cheeky retargeting lists based off of newsletter subscribers). It’s quite simple starting on the right side of this regulation means erring on the side of caution and ensuring you have informed consent for every use of customer data.

What about my existing database, how do i make it GDPR compliant?

This is simple, conduct an audit of your current database to assess if individuals have given informed consent, and to what. Separate out these databases as required until you only have accurate data sets of people who have signed up or given consent for each type of marketing activity, anyone who hasn’t should either be deleted or outreached to, in order to gain consent.

The next step would be security, ensure you review what encryption protection your stores have and where possible make use of pseudonymisation of the data so no identifiable information is readily accessible.

Finally, in accordance with GDPR, stick to the correct uses of this data, if you wish to use people's data for other purposes, gain their consent. This is an activity that is ongoing and will involve both your existing data and any newly gathered data.

GDPR on first glance can seem quite daunting, and it may seem as though much has to be done in order to stay on the right side of the law, however, it’s clear to see that some minor tweaks to your current practices is all that is needed. Contrary to what some will have you believe, GDPR will not be the end or death of Email marketing, this, much like any new change to cyber security or the economic world around us, will take some time to get used to, but will eventually be nothing more than a blip in the radar.