Are you ready for GDPR this May? Or do you feel overwhelmed with all the information you find online and don’t know what to do next?
With the May 2018 deadline for GDPR (General Data Protection Regulation) approaching, people are still trying to figure out what it is and what it implies.
It is predicted that by the end of the year 2018, more than half of companies will not be fully compliant with the new set of rules and requirements.
I bet you do not want to be among them, but if you are still wondering how GDPR will affect your small business and your email marketing, in particular, you are in the right place.
Here you can find your essential guide to achieving compliance.
What is GDPR?
It took four years of work and negotiation before the European Parliament and the Council adopted the General Data Protection Regulation in April 2016.
GDPR is the new framework for data protection law and replaces the 1995 Data Protection Directive.
It applies from May 25, 2018 (the GDPR compliance date), the day from which you, as a small business, will have to demonstrate that good data protection is a key element of your policies and practices.
Starting with this day, you will have to comply with the new rules. Otherwise, you risk huge fines: GDPR fines go up to €20 million (about $24.5m) or 4% of your global annual turnover, whichever is higher.
Experts call it one of the most significant pieces of legislation of the past two decades, and the truth is that a comprehensive reform of data protection rules was necessary.
Since the former directive was created, the amount of digital information we store, produce, and capture has increased considerably. In other words, the old data protection rules were no longer fit for purpose.
So, what is new? Read further for a GDPR overview.
What are the benefits of GDPR?
At first glance, the General Data Protection Regulation which will be enforced in May 2018 is a revolutionary change that will affect millions of organizations inside and outside of Europe.
Although the compliance obligations may cost your company an eye-watering sum, it’s best to prepare and meet the new requirements instead of paying significant fines.
The EU drafted the Regulation to give people more control over how their data is used. A GDPR-compliant app or process is easier for users to trust and adopt.
The legislation increases the consumer trust due to enhanced security and provides your customers with more transparency.
You know that companies like Google and Facebook condition the use of their services in return for the access to the customers’ data; that’s because the current laws were adopted before the businesses developed new ways of exploiting data.
Another benefit of the GDPR is that organizations have to put controlled business processes around personal data. They have to inventory where it lives, document why it is held, and restrict who can access it, which also results in increased business efficiency and productivity.
The Regulation does not prescribe any particular software or a single central store. What it requires is that personal data is kept secure, backed up, and accessed only when there is a documented need, which is a measurable improvement in IT security over past years.
For email marketing, GDPR will help you become more transparent with your customers, get a more engaged audience and increase customer satisfaction.
Here are a few other advantages offered by GDPR:
- Better and more transparent customer interactions
- More engaged audiences
- Increased customer satisfaction
- More economical marketing campaigns
- Lower security risks
- Less email spam
What types of private data does the GDPR protect?
Sending to purchased email lists without consent is restricted by anti-spam laws such as the US CAN-SPAM Act and Canada's CASL, but it is still a practice among businesses all over the world.
However, if these lists contain data of individuals in the EU, you will have to stop it or find a method through which those people give you their consent to store and use their information.
Furthermore, your users should be made aware of any profiling. They must know if their personal data is processed to analyze, evaluate, or predict any of their characteristics.
Here’s what information is protected by the GDPR:
- Identity information – name, address, and ID numbers
- Web and location data – cookie identifiers, IP addresses, and RFID tags
- Biometric data
- Health and genetic data
- Racial or ethnic data
- Sexual orientation
- Political opinions
If you collect any of this information about individuals, then you need to comply with the GDPR regulation when collecting and storing their data.
What areas does the GDPR cover?
There are quite a few areas of change introduced with GDPR, like the “right to be forgotten” or “data breach notifications,” which are common sense and shouldn’t require a regulation to enforce them.
Apart from the fact it gives EU customers the control over their personal data, the General Data Protection Regulation also changes the approach of companies towards data privacy.
The rules are much stronger than the existing laws; compared to the “EU cookie law,” for example, the GDPR is more restrictive.
First, consent has to be a clear affirmative action: pre-ticked boxes, silence or inactivity no longer count, so consent is harder to obtain.
Privacy notices must be much clearer and say what type of data is stored and how it will be used.
Then, users have the right to withdraw consent, and withdrawing it must be as easy as giving it. Once it is withdrawn, processing that relied on it has to stop and the data has to be deleted unless another legal basis applies.
GDPR keeps binding corporate rules as one mechanism for lawful international transfers of data. Companies that do not comply with the Regulation face increased fines and enforcement powers.
Here you can find some of the most important changes brought by GDPR and a short description of each of them:
- Right to access
If your customers request a copy of their data, you will have to provide it for free. They need to know what personal information is processed, where it’s stored, and why you use it.
- Right to be forgotten
Once a client asks the controller to delete their personal data, you will have to comply unless you have a legal ground to keep it. If you have passed the data on to third parties, you must also take reasonable steps to tell them about the erasure request.
- Right to rectification
Your customers need easy access to the data you collected about them and a way to correct it when they want to.
- Data portability
The Regulation gives individuals the right to request the access to their information in an electronic format. Then, they can transfer their data to a different controller.
- Data breach notification
Controllers must notify the supervisory authority within 72 hours of becoming aware of a breach (lost data, hacks, leaks), and must inform the affected individuals without undue delay when the breach is likely to put them at high risk. Processors must tell their controller without undue delay.
- Privacy by design
All systems should be designed bearing in mind the data protection and data compliance. You can read more about this topic below.
- Data protection officers
GDPR requires a data protection officer where the organization is a public authority, or where its core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data. This replaces the previous requirement to notify the local Data Protection Authority about processing activities.
What else is new?
As a business, you will have to invest in pseudonymization, which means processing personal data so that it can no longer be attributed to a specific person without additional information, and keeping that additional information separately and under technical and organizational safeguards.
The Regulation covers personal data – roughly what the US calls personally identifiable information (PII) – such as name, address, email, account names, phone numbers, and IP address or location data. Through pseudonymization, organizations replace these identifiers with codes.
Is it a substitute for encryption? No; the two do different jobs, and Article 32 names both as appropriate security measures.
Encryption protects data at rest and in transit against anyone who lacks the key, and if breached data was rendered unintelligible that way, you are exempt from notifying the affected individuals (Article 34), though not the supervisory authority. Minimizing the files that hold personal data is a good idea in its own right.
What encryption does not do is let your analysts, support staff and marketing tools work on the data without exposing identities: they have to decrypt it to use it, so every system that reads the data is in scope for a breach.
Pseudonymization does exactly that. The working dataset carries only codes, so a leak of that dataset is far less damaging, and it can be applied at scale.
Keep in mind, though, that pseudonymized data is still personal data under the Regulation (Recital 26) as long as you hold the means to re-identify it; pseudonymization reduces your risk and burden, it does not take you out of scope. Plan on both: encrypt the stores, and pseudonymize the data that your day-to-day processes touch.
What you need is an intake system that converts personal data into codes as it arrives, plus a master table, held separately and access-controlled, that links each code back to the real identifiers for the processes that genuinely need the original raw data.
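As an added example (not code from the original article or from Elevatr), here is a minimal intake of the kind described above, in Python. It assumes an HMAC key held in a key management system and a master table stored separately from the working dataset; both are in-memory here so it runs offline, and the sample records are constructed, not real people. It also shows the part the text only implies: an erasure request is handled by deleting the master-table row, which leaves the pseudonymous records unlinkable, and a later re-signup gets a fresh code.

```python
import hashlib
import hmac
import secrets

# Assumptions for this example: the HMAC key would live in a KMS/HSM and the
# master table in a separate, access-controlled store, never beside the
# pseudonymized dataset. Both are in-memory here so the example runs offline.
INDEX_KEY = secrets.token_bytes(32)
DIRECT_IDENTIFIERS = ("email", "name", "phone", "ip")


class PseudonymizationIntake:
    """Intake that swaps direct identifiers for random subject codes.

    Two tables are kept apart from the working dataset:
      _index:       HMAC(email) -> code   (repeat records get the same code
                                           without storing the raw email)
      master_table: code -> identifiers   (needed only for re-identification)
    """

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key
        self._index: dict = {}
        self.master_table: dict = {}

    def _index_of(self, email: str) -> str:
        # Keyed hash: without the key, someone holding the index cannot confirm
        # membership by hashing a list of known addresses (dictionary attack).
        normalized = email.strip().lower().encode()
        return hmac.new(self._index_key, normalized, hashlib.sha256).hexdigest()

    def ingest(self, record: dict) -> dict:
        """Return the record with identifiers replaced by a subject code."""
        idx = self._index_of(record["email"])
        code = self._index.get(idx)
        if code is None:
            code = "subj_" + secrets.token_hex(12)  # random, not derived from the person
            self._index[idx] = code
            self.master_table[code] = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
        working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        working["subject"] = code
        return working

    def reidentify(self, code: str):
        """Master-table lookup; gate this behind a logged, need-to-know process."""
        return self.master_table.get(code)

    def erase(self, code: str) -> bool:
        """Erasure request: drop both mappings so the pseudonymous rows stay
        unlinkable, and a later re-signup receives a fresh code."""
        ids = self.master_table.pop(code, None)
        if ids is None:
            return False
        self._index.pop(self._index_of(ids["email"]), None)
        return True


# Constructed sample input (not real people).
SAMPLE_RECORDS = [
    {"email": "Ana@example.org", "name": "Ana Rossi", "ip": "203.0.113.7",
     "campaign": "spring-launch", "opened": True},
    {"email": "ana@example.org ", "name": "Ana Rossi", "ip": "203.0.113.9",
     "campaign": "newsletter-04", "opened": False},
    {"email": "bo@example.net", "phone": "+40 700 000 000",
     "campaign": "spring-launch", "opened": True},
]


def run_intake(records=SAMPLE_RECORDS):
    """Pseudonymize the sample records; returns the intake and the working dataset."""
    intake = PseudonymizationIntake(INDEX_KEY)
    dataset = [intake.ingest(r) for r in records]
    return intake, dataset


if __name__ == "__main__":
    intake, dataset = run_intake()
    for row in dataset:
        print(row)                       # no email/name/ip, only a subject code
    code = dataset[0]["subject"]
    print("re-identified:", intake.reidentify(code))
    intake.erase(code)
    print("after erasure:", intake.reidentify(code))
```

The working dataset is what your analytics and marketing tools touch; the master table is what you encrypt, back up and restrict. Note that the email index is keyed rather than a plain SHA-256, because an unkeyed hash of an email address is trivially reversible from a list of candidate addresses.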
Also, Brexit does not change this. The UK government has said clearly that it will keep GDPR's provisions in national law. Instead of using Brexit as an excuse, learn how to stick to the rules and attain compliance.
What about Privacy by Design?
A significant improvement of GDPR is that it turns Privacy by Design (PbD) into a legal obligation.
Article 25 calls it "data protection by design and by default", and it is built around data minimization.
The concept demands controllers to implement organizational and appropriate technical measures which specify that, by default, only the information required for a particular purpose of the processing is collected and processed.
As a result, businesses and organizations will minimize the amount of the personal data collected. At the same time, the data controllers will reduce the information’s period of storage, the extent of the processing, and accessibility.
By default, companies will not store personal information of their users for longer than it is necessary for a specific purpose.
Plus, by default, personal data must not be made accessible to an indefinite number of people without the individual's intervention.
The approach of Privacy by Design is vital to minimize the privacy risks and build confidence.
Why do you have to design the products, processes, systems, or projects with privacy in mind? Because it will help you to detect the potential problems at an early stage; thus, you will address them timely and at minimum costs.
The actions will no longer be privacy intrusive, and they will not hurt customers.
Additionally, awareness of privacy and data protection across the business increases, and the company is less likely to breach the law.
Now that you’ve got a good understanding of GDPR let’s see what the implications for marketing are (and email marketing in particular).
What type of companies does the GDPR affect?
The dense 88-page document restricts unsolicited data collection and marketing, and its purpose is to protect individuals' privacy.
Since it is a regulation, the GDPR applies directly and uniformly in all EU member states, to the controllers and processors handling the personal data of individuals in the European Union.
The new data protection laws will affect any business or organization, whether it is a government, a charity organization, or a profit-seeking company.
Even if you, as controller or processor, are based outside the European Union, you have to comply with the GDPR when you offer goods or services to, or monitor the behaviour of, individuals in the EU.
Who is affected most by GDPR in marketing?
GDPR may shake up the digital marketing landscape. Some marketers are guilty of collecting more personal data of their customers than they need.
But starting with May 2018, things will change. You will have to justify the processing of the information on a legal basis, and keep it no longer than necessary.
GDPR will affect everyone in the companies or organizations that have customers.
Though, the most significant changes in the everyday work will occur in the marketing department, particularly for these areas:
- Email Marketing
From now on, copying or buying email lists is off the table: you cannot show that those people consented to hear from you. Instead of adding users to your list automatically and waiting for them to opt out, the sales process has to start with users opting in to your B2B email marketing campaigns.
If they give you their email address and consent, you’re on the right track.
- Public Relations
Contacting journalists about company information or product releases will be different.
You may have them in your list of the traditional email outreach program, but you cannot send them messages if they do not give consent to be contacted by you.
Consider getting in touch with them through platforms or social media where they expressly approved to receive texts from PR execs.
Though, if they contact you first, it means that they are interested in hearing from you.
- Marketing Automation
Although it is a powerful tool, marketing automation can result in penalties if a message reaches someone who has opted out.
Does your marketing automation system deliver messages on behalf of your CRM system?
Make sure that every subscriber in your database gave consent to market to them.
Do you already have the next email scheduled? Check if your systems are updated before sending the communications.
What does GDPR mean for email marketers?
The Regulation covers a lot of different aspects concerning the data and privacy of your customers.
But how will GDPR affect your business?
You will have to get the consent of your clients to collect and use their personal data, and you should keep a record of their choices and preferences.
Does it ring any bells? It is one of the features of CASL, Canada's anti-spam law.
Email marketers will have to respect an individual's choices: use opt-ins backed by a preference centre on the subscriber's account, give customers options regarding marketing, and set expectations.
Email filters keep getting better at detecting which messages recipients actually want, and a user commonly marks a message as spam when it is not clear to them why they received it in the first place.
So, what can you do?
As a marketer, you will have to be clear that you obtained the email address from the recipient.
Then, you ought to explain to them what are your intentions – who you are, what you do, what kind of marketing communications they will receive from you, and why.
Plus, you need to give your customers the possibility to opt-out of receiving further messages.
It may seem obvious, but you need to include an unsubscribe link in each of your email marketing communications.
And you have to stop mailing the addresses whose owners have withdrawn consent.
My recommendation? Remove those who stopped engaging with your business for a while, as well.
If someone agrees to receive marketing communications from you, it does not mean that the consent is forever.
Even though they did not unsubscribe or haven’t sent a spam complaint, you should stop addressing them email newsletters when you haven’t heard a word from them for a long time.
What is the benefit? It helps you keep a good sender reputation with major mailbox providers like Gmail, iCloud Mail, Yahoo or Outlook.com.
But what can you do if some of your targeted audience is under 16 years of age?
If you used to send regular one-to-one conversations to teenagers, well, things are about to change.
According to Article 8 of the GDPR, where consent is the legal basis for offering online services directly to a child, and the child is under 16 (member states may lower this to 13), consent must be given or authorised by the holder of parental responsibility.
Hence, you must make reasonable efforts, given available technology, to verify that the approval comes from a parent. Yes, it is tricky to verify age on an address collection page.
A simple, stated policy that people under 16 may not register for or use your service, combined with reasonable checks, gives you a defensible position.
It is recommended to update your Privacy Policy and Terms of Service pages and state explicitly that children under 16 cannot obtain an account without the permission of their parents.
Marketers who run a service which is mostly used by children should consider an age-gating mechanism or similar measures.
Do I have to change my entire email marketing program?
Most marketers are now worried that the strict privacy and opt-in regulations will prevent them from growing their email list at the rate they were used to.
No, you don’t have to delete the European addresses, nor block the signups and traffic that comes from the European Union.
Take time to review and adapt your existing opt-in processes up to the GDPR standards.
In the short term, re-permission campaigns and changes to opt-in processes will slow down the list growth. But in the long run, it will improve the list quality overall.
Setting up separate sign-up flows for users from different parts of the globe may look like a solution, but it takes a lot of effort and is unreliable: IP geolocation does not tell you where a person lives, and an EU resident can sign up from anywhere.
Instead, try to be GDPR compliant, and this will help you to maintain a healthy email list, which will grow your business in the long run.
Why is the Regulation a golden opportunity for marketers?
Perhaps you'll have to rethink your entire marketing strategy. But if you bring your email program up to the GDPR's standards, you will be close to meeting other international email regulations as well, since GDPR's consent and opt-out requirements are at least as strict as most of them.
Although it sounds intimidating, the new legislation does not throw you back. It’s your opportunity to show that you’re a professional when you develop targeted marketing campaigns with subscribers that are engaged with you.
Instead of a single yes/no checkbox when asking users about data, offer granular options, per topic or per channel. You gain valid consent for each purpose and learn what your subscribers are actually interested in, which is the basis for segmentation.
From this point forward, your communication will be based on their specific interests.
As a marketer, you will get to know your customers.
Plus, you will keep track of all your permissions data and store it in a single place.
Because you will have a single platform that will allow your subscribers to switch consent on and off, for various purposes, you will find more about your clients and how to build more relevant campaigns.
People love transparency. Most of them prefer to work with organizations or individuals that they know and trust.
How can you as a marketer earn your clients’ confidence? The answer is simple: with transparency.
Comply with the Regulation, be honest about who you are, and be transparent with your clients’ data. If you prove them that their information is held securely and being treated with respect, you will strengthen the engagement and trust with your subscribers. And how can you do this?
Practical tips on GDPR for Email Marketing
The Regulation isn't about massive fines, nor about ceasing contact with your subscribers. GDPR aims to uphold the rights and freedoms of individuals in the EU, privacy included, and to facilitate the free flow of personal data within the European Union.
Did you know that, according to a Consumer Privacy study, 92% of online customers perceive data security and privacy as a concern?
Obviously, you want to address that concern. You could use the tips below to comply with the GDPR and earn the confidence of your clients.
- Evaluate and audit. Evaluate how well your current mailing list complies with the Regulation. Some estimates say that 75% of marketing email lists will be obsolete by the time GDPR applies.
Start auditing your email list and remove the addresses that do not have a record of their email opt-in. If your users freely and willingly gave their consent to handle their information, you must keep accurate records of their permission.
If you already use double opt-in for list building, you are probably already holding valid consent for your existing subscribers, provided you kept the confirmation records.
Also, investigate if the email marketing solution that you use as well as other tools that collect customer data are GDPR compliant. If they are, your life will be much easier.
- Deal with the gaps identified during the audit process, and request external expertise, if needed.
- Evaluate the existing policies and procedures, such as terms and conditions, privacy policies and the way you interact with your contacts and customers. Then update them to let people know what type of data you collect and ask for consent.
- Estimate the risks to the personal data collected from users. If you believe that you collect data that is not needed and could affect your reputation in case of a security leak, then choose to no longer collect that data.
- Use double opt-in. New subscribers must confirm through an automated email that they want to join your list. As for consents obtained in the past, you do not have to re-request permission if the way they were given already meets the Regulation's requirements, per GDPR's Recital 171:
Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation.
- Stop buying email lists. If you used to purchase mailing lists, you should review the way you are collecting users’ data. Sorry, folks, but you have to start fresh with a new marketing database, especially if you want to play by the rules and avoid paying exorbitant penalties.
Look at the bright side! You will achieve a list of engaged and interested subscribers.
- Ask for explicit consent during opt-in. Use opt-in forms (email or account creation) on your website and invite more users to add themselves to your email list. Consider specific opt-in forms for blog posts, product news, and general business news.
If you need some inspiration, here are 10 examples of best practice UX for obtaining marketing consent.
Also, remember to keep marketing consent separate from acceptance of your terms and conditions; consent bundled into a contract is not freely given.
- Improve your content marketing strategy. Invest in a content marketing strategy, especially if you create messages tailored to your potential clients. Create eBooks, guides, and email courses that your subscribers can download or access in return for them sharing their contact info. It’s a win-win situation!
- Run a re-permission campaign. If you have the feeling that your email list might be stale, then it is time to run a re-permission campaign. This will help keep people that are still interested in hearing from you and remove those that no longer find your content relevant to them.
Plus, if you do not have explicit consent from your email list and proof to show it, then you need to run a re-permission campaign before May 2018 to be sure that you have a GDPR compliant email list.
- Use social media for outreach. Your sales team must learn about social selling techniques. Instead of reaching new prospects by email, connect with them on social media.
Give your potential clients relevant content and obtain their affirmative consent to join your mailing list.
- Verify if you have to install age verification controls for your email marketing business.
- Keep records of what personal information you store, why you collect and process it, or for how long.
- Prepare for data breaches and, if one happens, report it to your supervisory authority within 72 hours of becoming aware of it; when the breach is likely to put the affected people at high risk, inform them too, without undue delay.
- Appoint a Data Protection Officer if the criteria apply to you: being a public authority, or having core activities that involve large-scale monitoring of individuals or large-scale processing of special-category data. Headcount is not the test; the 250-employee threshold in the Regulation concerns the duty to keep records of processing, not the DPO. A small business that does none of these things is not obliged to appoint one, but as good practice you are advised to name someone with the capacity for the job.
- Erase the personal data of your users when a service/agreement comes to an end, or they revoke their consent.
- Map your data flows, and remember that personal data may leave the EU/EEA only under a lawful transfer mechanism (an adequacy decision, standard contractual clauses, or binding corporate rules).
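The double opt-in, consent records, opt-out handling and automation check from the tips above, as an added Python example that is not code from the original article or from any email tool mentioned. It assumes a TOKEN_SECRET kept in a secrets manager and an append-only consent ledger; both are in-memory here so it runs offline, and the sign-up below is constructed. The confirmation link carries an HMAC-signed, time-limited token, the ledger keeps who, what, when and how for each consent event, and the send path refuses any address without a current confirmed consent for that purpose.

```python
import hashlib
import hmac
import time

# Assumed secret: load it from a secrets manager in production, never hard-code it.
TOKEN_SECRET = b"replace-me-with-32-random-bytes-from-a-secrets-manager"
TOKEN_TTL = 48 * 3600                      # confirmation links expire after 48 h
PURPOSES = ("newsletter", "product_news")  # consent is tracked per purpose


def _sign(payload: str) -> str:
    return hmac.new(TOKEN_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_confirmation_token(email: str, purpose: str, issued_at: int) -> str:
    """Token embedded in the confirmation link: tamper-evident and time-bound."""
    payload = f"{email.strip().lower()}|{purpose}|{issued_at}"
    return f"{payload}|{_sign(payload)}"


def verify_confirmation_token(token: str, now: int):
    """Return (email, purpose) if the signature is valid and the token is fresh, else None."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    email, purpose, issued_at, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{email}|{purpose}|{issued_at}")):
        return None                              # tampered or forged link
    if not issued_at.isdigit() or now - int(issued_at) > TOKEN_TTL:
        return None                              # expired link
    return email, purpose


class ConsentLedger:
    """Append-only record of consent events; the latest event per (email, purpose) wins."""

    def __init__(self) -> None:
        self.events: list = []

    def record(self, email: str, purpose: str, action: str, source: str, at: int, **evidence) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.events.append({"email": email.strip().lower(), "purpose": purpose,
                            "action": action, "source": source, "at": at, **evidence})

    def status(self, email: str, purpose: str) -> str:
        email = email.strip().lower()
        for ev in reversed(self.events):
            if ev["email"] == email and ev["purpose"] == purpose:
                return ev["action"]
        return "none"

    def can_send(self, email: str, purpose: str) -> bool:
        return self.status(email, purpose) == "confirmed"

    def audience(self, purpose: str) -> list:
        """What the automation tool may mail: only current, confirmed consents."""
        emails = {ev["email"] for ev in self.events if ev["purpose"] == purpose}
        return sorted(e for e in emails if self.can_send(e, purpose))


def signup(ledger: ConsentLedger, email: str, purpose: str, form: str, ip: str, now: int) -> str:
    """Step 1: the form submission only creates a pending entry and a link token."""
    ledger.record(email, purpose, "pending", form, now, ip=ip)
    return make_confirmation_token(email, purpose, now)


def confirm(ledger: ConsentLedger, token: str, ip: str, now: int) -> bool:
    """Step 2: clicking the link upgrades pending -> confirmed, exactly once."""
    parsed = verify_confirmation_token(token, now)
    if parsed is None:
        return False
    email, purpose = parsed
    if ledger.status(email, purpose) != "pending":   # replayed or stale link
        return False
    ledger.record(email, purpose, "confirmed", "confirmation-link", now, ip=ip)
    return True


def unsubscribe(ledger: ConsentLedger, email: str, purpose: str, now: int) -> None:
    """Withdrawal must be as easy as consent; it overrides any earlier event."""
    ledger.record(email, purpose, "withdrawn", "unsubscribe-link", now)


if __name__ == "__main__":
    ledger = ConsentLedger()
    t0 = int(time.time())
    # Constructed sign-up, not a real subscriber.
    token = signup(ledger, "Pat@example.org", "newsletter", "blog-footer-form", "198.51.100.4", t0)
    print("can send before confirmation:", ledger.can_send("pat@example.org", "newsletter"))
    print("confirmed:", confirm(ledger, token, "198.51.100.4", t0 + 60))
    print("audience:", ledger.audience("newsletter"))
    unsubscribe(ledger, "pat@example.org", "newsletter", t0 + 600)
    print("audience after unsubscribe:", ledger.audience("newsletter"))
```

The ledger rows are the "record of their permission" the audit tip asks for: source form, timestamp, IP and purpose are all there for each event, and the automation tool should build its audience from `audience()` rather than from the raw subscriber table.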
What happens if you don’t achieve compliance?
According to a PwC survey, 92% of U.S. organizations consider GDPR a top priority. Consequently, most of the companies have already updated their terms of service and privacy policy.
Perhaps you switched into “panic mode,” considering the substantial fines of not being compliant with the new Regulation.
Instead of making mistakes regarding the use of personal data, you should take a step back, and leave it to professionals.
Did any of your subscribers opt out, but you haven't deleted their data yet? B2B marketing companies that do not correctly process an individual's data can be fined.
Although a €20m penalty is possible, the plausibility of an organization being fined to this extent is small.
According to ICO chief Elizabeth Denham, issuing fines continues to be a last resort.
As an example, in 2016-2017, 17,300 cases were concluded, and only 16 of them resulted in penalties.
As far as we know, the highest fine issued by ICO didn’t exceed £400,000. What happened? Over three million people were affected by the Carphone Warehouse breach.
More likely, authorities will carry out audits, issue warnings, or demand you to erase the data stored. Perhaps you will be forced to fix things within a strict deadline or stop the data transfers to other countries.
If you cannot manage every aspect of the business-wide compliance, give your IT an overhaul.
So, what should you do?
Request professional assistance for your business and use Elevatr for email marketing.
My approach to GDPR
When you first look at it, GDPR seems to be a monster that makes you feel like running away from it.
However, I don’t see GDPR as big of a problem, especially for small businesses.
As a small business owner, your most significant responsibility would be to make sure that you use tools which are GDPR compliant and leave the burden on their shoulders.
Personally, here’s what I plan to do before the deadline this May:
- Customer Data
I’ve been taking clients for years now, and almost every project required me to create backups, save login information or have some client data on my end.
When a project finishes, I make sure that I remove any client data from the tools I use or my hard drive.
Now, before the deadline in May, I will do an audit and remove any customer data that may still be on my end.
- Email Marketing
Email marketing is something that I am excited about, mainly because I run Elevatr, so here’s what I plan to do about it:
- Run a re-permission campaign to ask contacts if they still want to hear from me; this will lead to a considerable drop in subscriber numbers, but I will end up with a much cleaner email list, which will then lead to higher open and click-through rates.
- Continue using double opt-in – I've been using double opt-in since forever, and I will continue to do that to keep track of consent and have a clean email list.
- Update my privacy and cookie policies to make sure that I added all the information that is collected on my websites.
- I will use Elevatr for all my email marketing communication.
Further reading on anti-spam laws and regulations
Here you can find a list of the primary anti-spam laws and regulations across the globe:
- United States: CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing Act)
- Canada: CASL (Canada’s Anti-Spam Law)
- Australia: Spam Act 2003
- EU: GDPR (General Data Protection Regulation) in May 2018
Current laws in some of EU countries:
- United Kingdom: Data Protection Act
- France: Confidence in the Digital Economy Law
- Germany: Federal Data Protection Act
- Spain: The Information Society Services and Electronic Commerce Act
- Italy: Italian Personal Data Protection Code
- Sweden: Swedish Marketing Act
- Netherlands: Dutch Telecommunication Act
For more information about GDPR, here are a few resources:
- Full law text: General Data Protection Regulation (GDPR), as of April 27th, 2016
- DMA UK: Webinars, facts, and updates about GDPR
- European Commission Fact Sheet: Questions and Answers on Europe’s Data Protection Reform
- European Commission: Protection of Personal Data
- ICO (Information Commissioner’s Office, UK): Preparing for the General Data Protection Regulation (GDPR). 12 Steps to Take Now.
Over to you
Do you feel prepared for GDPR? Have you done any changes yet? If not, what is your plan?
Join the conversation about GDPR and all things online marketing in our private group here.
Disclaimer: this guide has been created strictly for information purposes and does not contain any legal advice. I recommend you reach out to professional counsel about how GDPR can impact your organization and what you need to do to achieve compliance.
Also, although this guide is the result of extensive research, it is still a work in progress and should be taken as is. If you have any feedback that will help complete it, feel free to send it my way.
Fanny Zara says
Eugen, this is an amazing guide! Very impressive! I know this is a lot of work to put all that info together in a meaningful and useful way. Great job! 🙂
Eugen Oprea says
Thank you so much, Fanny! Yes, it did take a lot of work, so it’s great to hear that it is useful.