Every business handling personal data of EU citizens, from those tracking user behaviour to improve their funnel to those using cookies for remarketing, has a reason to be wary of GDPR.
However, those engaged in email marketing are actively drawing attention to their use of this data, and are opening themselves to some risks that others don’t necessarily have to worry about.
Despite email marketing often being identified as the most effective lead generation technique, especially in the B2B arena, we’ll have to rethink our approach to it if we want to stay compliant and avoid heavy fines. Here are some of the steps you need to take in order to ensure you are not stepping on any toes with your email campaigns.
Audit Your Lists
In force since May 25 2018, GDPR also protects the interests of data subjects who shared their data before that date. In other words, just because you obtained some kind of consent to use the data, you may not necessarily still be entitled to do so.
If the way you got consent to use someone’s information conforms to the current standards, you might be able to keep using the subject’s data (of course, strictly for the purposes described when getting permission). However, if you didn’t receive consent that would be seen as valid today, or did, but don’t have any way to prove that you did, you might want to think about asking the person in question to re-subscribe, now with new rules in mind.
While businesses who performed these audits seem to be happy to retain half of their mailing lists, and some fare much worse, this doesn’t have to be all bad. The process of re-subscription can be seen as a way to not only additionally segment your audience, but also to ensure that you are only focusing on those who have shown the greatest amount of interest in your offer. So, while you might have fewer leads, the ones you will have will be much more engaged and closer to conversion. Adjusting your strategy accordingly beforehand is highly advised.
Privacy by Design
All the data you are using for email marketing needs to be treated as any other kind of personal data, which means you have to think about:
- Protecting it, which includes minimising the amount of detail you keep on data subjects, and anonymising the data so that it can’t be tied to an individual even if someone does manage to get through your security
- Making it accessible to data subjects for deletion or correction, and keeping it portable should they request that you send it to them
- Informing the data subject of breaches in a timely manner
- Limiting your staff’s access to the data based on its sensitivity
- Keeping detailed logs of everything related to the way data has been collected, stored and handled for the entire duration of your interaction with it. In particular, ensure that you have proof that everyone on your list has given appropriate consent.
So, even when not actively using your list to contact your subscribers with updates or promotions, you have to make sure you are not misusing their data.
This is one of the most obvious changes on the user side, and one that you cannot take any liberties with if you want to comfortably use the data you have. User consent needs to be asked for with as little ambiguity as possible, without you taking anything for granted.
For instance, one of the favourite lead generation techniques of many marketers, lead magnets or content upgrades in the form of webinars, ebooks or other resources, can no longer be used to collect email addresses for marketing purposes without you clearly stating that you’ll use the information that way.
Data subjects have the right to be fully informed not only why you are gathering their data and how you are using it, but also who you are sharing it with, which is why auditing your third-party service providers should also be on your list when assessing your compliance.
Data Protection Officer
Some businesses might be obliged to hire a data protection officer. However, unless you process special categories of personal data, systematically monitor individuals on a large scale, or are a public authority, you probably aren’t required to hire someone for this role.
However, even if you don’t have to, finding a mentor who not only understands the limitations imposed by the GDPR, but also has experience in running email campaigns and knows their challenges and demands, might save you quite a bit of trouble.
Having someone strictly devoted to caring about how data is handled means that you won't have to worry about the day-to-day operations, like sending automated emails, which, if you end up sending to someone who has opted out, could land you in a lot of hot water.
While GDPR has placed some restrictions on how we approach email marketing, this kind of heightened transparency is not only decluttering subscriber lists, leaving only the most engaged subscribers, it is also likely to increase the trust that people are able to afford advertisers.
After auditing your current contacts and your third-party providers and ensuring that your entire data gathering and storing process is built for privacy, you can start building your list once again. Keep it centralized to avoid any kind of synchronization issues, fully disclose your intentions to the data subjects whose consent you are asking for, and at least consider hiring someone not just to supervise your transition into compliance, but to ensure its stability.