DISCLAIMER: This blog post does not replace actual legal advice from an actual lawyer. This is a very high-level overview of some things you should look at when considering email marketing under the new GDPR regulation beginning in May. I’m not a lawyer—I don’t even play one on TV. Take these ideas and go talk to a real lawyer if you need to.
This May 25th is GDPR Day! For email marketers, this day is when the General Data Protection Regulation (GDPR) goes into effect. That’s a lot of words (and an acronym) for what? Let’s take a look.
GDPR – General Data Protection Regulation
As Jeanne Jennings says, GDPR is really about data.
This regulation is designed to protect the personal data of European Union citizens and extend this scope of protection and scrutiny to all foreign companies that are processing data of the EU residents. This regulation is legally binding for any company that collects/deals with EU personal data, whether the company resides in the EU or not.
So how does GDPR define “personal data”:
“Any information that could be used, on its own or in conjunction with other data, to identify an individual is considered as personal data.”
Essentially, as an email marketer, you really need to consider every piece of data you collect as “personal data.” And if you have the data, you need to have the “receipts” as well—meaning some record of an express opt-in, proof your subscribers know what data you collect, why you’re collecting it, how you’re using data, etc.
GDPR compliance is not just restricted to data collected after the regulation goes into effect, either. It’s retroactive to all personal data of subscribers in the EU that reside on your current mailing list, too. (There is a period that can be construed as “implied consent” for some companies for a period of time, but that clock is running.)
And to show you how serious this regulation is, noncompliance can mean a fine of up to 20 million Euros or 4% of your total revenue (whichever is higher).
Sounds Scary? Take a Breath…
Though GDPR sounds scary, it is actually designed to protect both data owners as well as companies who handle the data. And, if you’re handling your list the right way now, you’re not too far from compliance as it is.
Since you are required to specify what you can and can’t do with your subscriber’s personal data, this (forced) transparency builds brand trust. Subscribers may be more inclined to offer their personal data once they are confident about it not being misused.
Additionally, GDPR helps businesses and email marketers document cleaner and more relevant data–increasing overall mailing list quality and lowering unsubscribe rates (we hope).
Steps to prepare for GDPR compliance
Here are two things you need to do as soon as possible:
1. Bring your current mailing list up to speed
Now is the time to evaluate your mailing list and prune unwanted email addresses.
Start by asking yourself these questions:
- Do I have proof of how I procured the email addresses?
- Does my opt-in form ask for the express consent of my subscribers?
- Do I use the data exactly for the purpose for which my subscriber gave consent?
If your answer is “no” to any of these questions, you need to make changes, stat. Some other changes you can make include:
- Change to double opt-in and only send to subscribers who have completed the confirmation process. (Again, receipts…)
- Set up a process for subscribers to easily have full access to their personal data. They must be allowed to refuse usage of their personal data, even in profiling or automated/triggered programs.
Note: Moosend has a nice checklist for you to follow.
2. Implement clean communications with new subscribers.
For new subscribers joining your mailing list, once you have streamlined your onboarding process for your existing subscribers, new subscriber onboarding should be a breeze. Avoid practices such as pre-ticked opt-in boxes and confusing messages (such as using double negatives to convey positive act) on your opt-in forms. Any “disruptive” mechanisms are a strict no-no under GDPR.
Best Practices to follow:
- Identify your loyal customers (and prospects) first and get them to opt in again. As May 25th nears, your subscribers are surely going to experience an influx of permission-based emails. Stand apart from the clutter by re-opting in your most engaged subscribers first.
NOTE: This is essential if you can’t produce proof of prior opt-in.
- Refresh your data collection methods. This will help you gather records on how you gained consent.
- When re-opting in your existing mailing list, non-responders should be considered opted out (unless you can produce hard proof of prior opt-in).
- Resell the positives. Show your subscribers the benefits/value of being subscribed.
Understanding GDPR is not rocket science, especially if you have already been working on the basis of true permission-based marketing. It can be an opportunity—one that you can take full advantage of by getting your business compliant.
How Does the GDPR Affect Your Email Marketing? (via SendinBlue)