With the GDPR deadline approaching quickly, we’ve been trying to assess what the new regulations will mean for marketers. In fact, we’ve written a number of blogs that you might find useful, including “What Does The GDPR Mean For Digital Marketing?” and “GDPR Check List – The Basics”.
What about email, though? What are the do’s and don’ts of the GDPR and email marketing?
Do Continue To Follow Email Marketing Good Practice
Just because the deadline is next year (May 2018) doesn’t mean that you can carry on with your bad practice until then. There are already safeguards in place, including opt-in, to protect consumers from email marketing they don’t want. Are you sending email marketing to people who haven’t opted in? It would be an opportune time to stop and sort your database out.
Don’t Use The Deadline As An Excuse To Spam Your Entire Database
Steve Eckersley, head of enforcement at the Information Commissioner’s Office (ICO), recently said:
“Businesses must understand that they can’t break one law to get ready for another.”
In particular, he was referring to the temptation to email your entire database to gain consent for future emails. Trying to regain consent from people who have already said “no” is not a wise idea, as Morrison Supermarkets found in June when the ICO fined them for having “deliberately sent 130,671 emails to people who had previously opted out of receiving marketing related to their Morrisons More card.”
Do Prepare Your Opt-In Processes In Advance
The methodology of “opting in” is changing. Sneaky tactics used by email marketers, where people didn’t know if they were opting in or out, are being tackled by the GDPR in the new standards for consent. It’s therefore worth considering your current opt-in/consent process in light of the draft standards, which are:
- Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Active opt-in: pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
- Granular: give granular options to consent separately to different types of processing wherever appropriate.
- Named: name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
- Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
- Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
- No imbalance in the relationship: consent will not be freely given if there is an imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.
Yes, the new process has a lot more elements for consideration, which is why you should not be leaving your preparation and implementation to the last minute. But what about your existing sign-ups?
Don’t Leave It Until The Deadline To Re-Permission Consent
Let’s face it: with the clock ticking, at some point there’s also going to be an almighty rush to re-permission your customer records so they are fit for the GDPR. Making your data GDPR-ready means re-contacting your customers in order to gain the correct opt-ins. Can you imagine what’s going to happen in April 2018 as the deadline looms? A deluge of email re-permission forms arriving in inboxes.
We’ve already seen some great examples of re-permission emails and have reviewed them in our “How To Get Your Current Email Database To Opt In” blog. As you will see from the blog, many companies have already started the re-permission process, so don’t be left behind.
Do Be Aware Of The Resources To Help You
There are many resources on the GDPR available already, and the ICO has announced that it will produce its final guidance in Dec 2017. With elements and clarity emerging all the time, we’d recommend keeping abreast of developments. We’ll report on these in our SocialB blog, but don’t forget to check out the ICO’s guidance and also organisations such as the DMA.
Disclaimer: This material is provided for your general information and is not intended to provide legal advice. To understand the full impact of the GDPR on any of your data processing activities please consult with an independent legal and/or privacy professional.