Email Marketing After GDPR – Will It Still Be Possible?

If you work in marketing, or do the marketing for any sort of business even as a sideline, then it’s more than likely that you will have heard about GDPR. It’s the EU’s new data protection regulation, which will be coming into force in May later this year.

And if you haven’t heard of it, it’s about time you did because GDPR is something which will affect the way EVERY business operates, especially those that collect any sort of personal customer information or data.

It’s because of GDPR’s importance that, as a marketing agency, we have tried our utmost to build a broad knowledge and understanding of the topic.

On the topic of GDPR, we’ve already written two blogs: one which explains what GDPR is, and another where we highlight some of the changes which you may need to make to your website in order to work towards GDPR compliance.

Before we get into the thick of it…

We’re not lawyers and none of this constitutes legal advice. Please ask a lawyer for formal advice about GDPR if you’re in any doubt about how it affects your organisation and what you need to do to comply with it.

How will GDPR affect email marketing?

Following on from this series of blogs, we thought it would be a good idea to write about how GDPR will affect email marketing.

Because with all the recent talk surrounding whether or not you need to gain consent, and having evidence of that consent, you might well be thinking email marketing is set to become a GDPR minefield.

And you wouldn’t be too far from the truth.

However, if you make the necessary changes in line with the new regulations, this is a minefield which it will be possible to navigate through.

So how will GDPR change things for email marketing?

There will be only one law for the EU

As it stands, each country in the EU abides by their own ‘interpretation’ of the local spam regulations which have been set by the EU. Essentially this means that each different country (28 in total) has their own law regarding emails.

Sounds a bit messy doesn’t it?

That’s what the EU thought as well; which is why come May, there will be only one blanket email law which every EU member state will be required to abide by. Much better.

And if you’re thinking that GDPR won’t apply to the UK because we’re going through the process of leaving the EU, think again.

If you are using (i.e. collecting, storing, processing) an EU citizen’s personally identifiable data, the GDPR will still apply even in non-member states. This also applies to statistical data which could be used to identify a specific person even if it’s not initially personal in nature (e.g. an IP address).

Stricter consent

This is something you may well have heard a lot about, and it’s for a good reason, as this is a key part of GDPR.

When the changes come into place, you will need to establish whether or not you need consent to contact people. This forms part of what is called your legal basis for your communication.

If you need consent then this means people must have actively and knowingly ‘opted in’ to receiving messages from your business. ‘Opting in’, means that they have given you permission to contact them, and it’s vital that you have evidence of this permission. You can’t bundle this request in with other requests or bury it in your T&Cs either.

It’s also vital to ensure you clearly inform people what they are giving their permission for at the point you ask for it.

  • If, for instance, they sign up to an email newsletter about bananas, that means you should only send them your newsletter – you can’t then try and call them and sell them a pair of slippers.

So what constitutes ‘evidence’?

Well, it’s defined in the GDPR law as consent which is “freely given, specific, informed, unambiguous”.

A good way to get evidence of this type of consent is to set up an unticked opt-in box as part of a contact form (or in any similar process which involves your customers submitting their contact details to you). You should make ticking this box a mandatory requirement for those wishing to contact you before they send you a message.

  • NOTE: I stress unticked, as pre-ticked opt-in boxes will not be allowed under the new GDPR regulations. You cannot assume consent or bury it in your terms and conditions.

    Once someone contacts you, you need to keep a record of the message and the consent they have given you in a secure database, so that you have evidence of the consent. This could be anything from a screenshot to the actual email itself.

Another important point is that you will need to make sure during the opting-in process you make the recipient aware that you will be collecting their data, why, and who you will share it with.

We touched on this topic in a recent blog, so if you’d like more information or want to see some examples of businesses which have already done this, be sure to have a read.

To further your understanding you could also have a quick look at our contact page to see a working example of what we’re describing. This is how we’re trying to comply with GDPR right now. No doubt new technologies and approaches will appear in time, but for now, this is how we’re doing it.

That’s fine for the future, but what about the data I’ve already collected?

Well, given that GDPR applies to all existing data, if you rely on consent as your legal basis for contacting someone, but haven’t got any evidence of it – even if you have previously been sending emails to them – you won’t be allowed to email them once GDPR comes into play.

  • Ask a lawyer to check for you.

One potential way to address this, if your lawyer agrees, is to run a refresh campaign before the GDPR deadline: quite simply, you send an email to your database asking them to give you their consent to be contacted. You can explain why you’re doing this: to help you protect their personal data.

But what if they don’t reply?

  • A lack of response is not an act of consent.
  • People have to give their explicit consent and you have to keep evidence of that.

Which means… strictly speaking, you cannot email them again. If they don’t give you their explicit consent, you’ll probably need to delete their information, unless you need to keep it for legal or contractual reasons (e.g. to deliver a service to them they have asked for, and for which you can demonstrate evidence). You might also be able to keep their details on file and/or contact them again if you can demonstrate a ‘legitimate interest’ in doing so.

So what is ‘legitimate interest’?

To put it simply, in terms of marketing activities a legitimate interest is a part of GDPR which allows businesses to continue processing data in the case that:

  • Those that are contacted would not be surprised or likely to object to your communication. For example, if someone buys a pair of shoes from your website, they would likely not be surprised by, or be likely to object to, receiving a follow-up email offering a 10% discount off a second pair.
  • Consent is not required under PECR (Privacy and Electronic Communications Regulations).

However, an important point to understand when relying on a legitimate interest as a reason for contact is that you must take full responsibility for protecting the rights and interests of those associated with the data.

But how can I justify a legitimate interest?

Well, the ICO have broken down the justification process for this into three key elements, and they recommend you think of it as a three-part test.

  • The Purpose test – is what you are pursuing actually a legitimate interest?
  • The Necessity test – is the processing necessary in order to achieve it? (i.e. is contacting them necessary?)
  • The Balancing test – Do the individual’s interests override the legitimate interest?

If these tests are followed correctly and the answer to each one is yes, then it’s likely that whatever it is would be classed as a legitimate interest.

If you’d like more information on this, the ‘ICO’s section on legitimate interest’ is well worth reading. As well as going into more depth regarding legitimate interests, they’ve also come up with a helpful checklist which you can follow in order to establish what is, and what isn’t, a legitimate interest, and how it can be applied in practice.

And what if I don’t follow the rules?

It’s not only the rules for consent which are getting more strict under GDPR. The punishments for non-compliance are too.

For businesses which are found guilty of not complying with GDPR, there will be fines of up to £20 million, or 4% of a business’ annual turnover, depending on which figure is the larger.

Scary stuff.

Certainly significant food for thought for anyone who is currently reluctant to spend money on making the changes which are needed to their website or marketing campaigns in order to be GDPR compliant.

With this said, it’s not likely the GDPR police will come knocking at everyone’s door on the first of May – or even the day after – to make sure they are fully GDPR compliant. There simply isn’t the time or resources available for the authorities to be able to do that.

In reality, the punishment system for GDPR will be heavily reliant on consumers reporting breaches of the regulations themselves, whilst the authorities will likely have to focus their efforts on the most serious cases of non-compliance or data breaches.

But given the enormity of the fines, you would be wise not to gamble your GDPR compliance on the chance no one will report it. It’s just not worth the risk.

What to do now?

If after reading this you’re keen to learn more about GDPR, there are lots of resources out there, including our previous blogs on GDPR:

Other sources:

Alternatively, if you’re now seeking some clarification as to whether your existing website or email marketing campaigns are GDPR ready, please get in touch, we’ll be more than happy to chat.

Some examples of how we could help you:

  1. Review your current website security, contact forms, privacy policy, cookie policy and permission-based offers and suggest amendments;
  2. Something else? You tell us!

A gentle reminder…

We’re not lawyers and none of this constitutes legal advice. Please ask a lawyer for formal advice about GDPR if you’re in any doubt about how it affects your organisation and what you need to do to comply with it.
