GDPR in a Nutshell for Email Marketers

GDPR in a nutshell

After almost five years of work, the GDPR is set to modernise the European Data Protection Laws that have been in place since 1995. Do you remember what the world was like in 1995? The world is a very different place today than it was just over a decade ago.

GDPR will introduce new ways citizens can control how their personal data is used, with greater responsibilities on both data controllers and data processors. The idea is that it will unify data regulations across the EU member states, and will apply to all data subjects within the EU. And regardless of Brexit, the ICO is committed to ratifying the European standards.

So, in a nutshell, GDPR requires that personally identifiable information is processed lawfully, fairly and transparently. GDPR will have implications throughout your business, but as email marketing is our speciality, below are some of the key things that we feel email marketers need to understand.

GDPR dictates that when information is collected, it must be explicitly stated (“unambiguous”) what it will be used for, and it must be collected for legitimate reasons. Additionally, it can’t be processed again for any other purposes beyond the initial reason. So your segmentation and targeting will become key. Perhaps consider introducing preference centres or a branded profile so that your contacts can be in control of what information they receive. By allowing them to subscribe and unsubscribe to particular communication streams you stand a better chance of keeping the contact in your container, rather than a ‘global unsubscribe’ where contacts simply unsubscribe from all your emails.

With the GDPR, the person who the data relates to (“data subject”) now holds a lot more rights over their information and how it is being used. Any personal data that is kept on file should have been consented to by the subject – and it must be possible for anyone using the information to show that consent was given freely, in an informed way, for the specific purposes that you are using it for. So make sure your systems have the capability to record all the relevant information, and are able to output it in a usable format.

As part of the GDPR, boxes that have already been ticked (and require opt-outs), silence or inactivity cannot be considered as consent. A “clear affirmative action” is required, so the good news is that if you have been following best practice you are probably already doing this – but now is the time to check.

Information must also be kept in a way that means subjects can get in touch with you easily and request that their details are removed from your system (and any other system they may be on). They can also request details on how their information is being used. This means keeping an organised record of where all contact details are and who they relate to.

Finally, it is important that all information is stored securely and is protected against any unlawful or unauthorised processing. It should also be kept safe from damage, destruction or accidental loss. This also includes keeping it away from hackers who could potentially steal and use this information.

Both the ICO and DMA have a wealth of information and resources to help you prepare for GDPR, and over the following weeks we will share our thoughts and insights as well.