How to manage a GDPR-compliant Email Marketing Campaign

Organisations running email marketing campaigns will need to review their current practices in order to comply with the General Data Protection Regulation (the 'GDPR'). The regulation applies across all EU member states (including the UK) from 25 May 2018.

Think about it. We've all received unsolicited emails asking us to buy products and services we don't really want. Often we don't know how marketers have obtained our personal information, and bad marketers simply won't tell us, even when asked. The GDPR aims to address these concerns by enhancing current EU data protection law to ensure more transparency and to strengthen our rights over our personal information.

How will GDPR affect email marketing?

Under the GDPR, email marketers relying on consent will need to obtain consent from recipients which is freely given, specific, informed and unambiguous (the definition in Article 4(11); the conditions for valid consent are in Article 7). To comply, consider the following practices:

  • New opt-in permission rules for consumers;
  • Systems for storing proof of consent; and
  • A method through which consumers can ask for their personal information to be removed.

From May 2018 the pre-ticked box 'opt-out' format is no longer valid consent, and silence or inactivity cannot be treated as consent either (Recital 32). Note, however, that the Privacy and Electronic Communications Regulations (as amended) do still allow a 'soft opt-in' approach for marketing to existing customers*. We at E RADAR recommend that you follow a 'double opt-in' process: the recipient receives an email or other form of message with a confirmation link enclosed, and must click on that link to confirm. Only then is the consent freely given, specific, informed and unambiguous, and the click gives you a record of when and how it was given.

How can I do email marketing under GDPR?

Under the GDPR it is still possible to do email marketing. Take a look at our checklist below.

  • Audit your current marketing database.
    • Do you know geographically where your contacts are?
    • Do you capture an audit trail of consent?
  • Know your contacts and how you acquired them.
    • Did you follow a double opt-in practice?
    • Do you keep track of where and when your contacts' information came from?
    • How did they end up in your database?
    • Do you have enough information on permission and source to hold up in court if needed?
  • Review and disclose your data practices.
    • Do you ask for consent at the point of collecting the data?
    • Have you a privacy policy that details how you collect, store, transfer and process your data using clear, concise language?
    • Do you communicate this data privacy policy to your recipients?
  • Look at your upcoming initiatives to ensure compliance now.
    • All new initiatives should build compliance in from the start (so-called 'Privacy by Design'). You don't want to keep going back to adjust your processes.

Check out E RADAR's online Information Asset Register template!

GDPR and existing marketing contacts

The GDPR applies not only to personal data collected on or after 25 May 2018, but also to personal data gathered before that date. Does the consent record for your existing contact lists give you clear authorisation to send email marketing campaigns to each contact?

To ensure your email marketing is compliant, any ambiguous records will require you to obtain fresh consent that is freely given, specific, informed and unambiguous.

Can I buy contact lists under GDPR?

Possibly, but this is not recommended. Only a purchased list that comes with clear evidence that each data subject's consent was freely given, specific, informed and unambiguous could be relied upon, and such evidence is rarely available.

At E RADAR we do not think purchasing contacts lists is acceptable or good for your e-mail marketing strategy.

How can I get email UNSUBSCRIBE right?

Marketers should always ensure that email recipients can unsubscribe from receiving any further communications. The unsubscribe process under the GDPR needs to be clear and simple, and withdrawing consent must be as easy as giving it (Article 7(3)). You should include a visible UNSUBSCRIBE link in each marketing email through which your subscriber can:

  • Unsubscribe from that marketing communication;
  • Unsubscribe from all marketing communications; and
  • Contact you via a return email address.

Allowing your contacts to easily subscribe and unsubscribe is equally important in achieving compliance with the EU GDPR.
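The double opt-in process recommended above and the unsubscribe link described in this section both come down to the same mechanism: a link the recipient clicks that your system can verify was issued by you, plus a record of every step so you can evidence consent later. The following Python is an added example written for this page; it is not E RADAR's code or any product's API. It assumes a hypothetical `ConsentStore` class, a per-deployment `SECRET_KEY` (here generated at start-up; in practice loaded from a secrets manager), and a made-up confirmation URL on `example.com`. Confirmation links are HMAC-signed and expire after 48 hours; unsubscribe links are signed but never expire, so withdrawal stays as easy as consent.

```python
"""Double opt-in and unsubscribe with signed links and a consent audit trail.

Added example for this page, not E RADAR's code. SECRET_KEY and the
example.com URL are placeholders (assumptions), and no mail is really sent.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SECRET_KEY = secrets.token_bytes(32)   # assumption: per-deployment key from config
CONFIRM_TTL = 48 * 3600                # confirmation links expire after 48 hours


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(payload: dict) -> str:
    """Serialise the payload and append an HMAC-SHA256 tag so the link cannot be forged."""
    body = _b64e(json.dumps(payload, sort_keys=True).encode())
    tag = _b64e(hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_token(token: str) -> Optional[dict]:
    """Return the payload if the tag is valid and the token has not expired, else None."""
    try:
        body, tag = token.split(".", 1)
        expected = _b64e(hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None
        payload = json.loads(_b64d(body))
    except (ValueError, json.JSONDecodeError):
        return None
    if "exp" in payload and time.time() > payload["exp"]:
        return None
    return payload


class ConsentStore:
    """Append-only log: each event keeps the source, time and IP the checklist asks for."""

    def __init__(self):
        self.log = []    # events are appended, never edited in place
        self.sent = []   # stand-in outbox for the confirmation mails (constructed)

    def _record(self, email, action, **evidence):
        self.log.append({"email": email, "action": action, "ts": time.time(), **evidence})

    def request_subscription(self, email, source, ip, consent_text_version):
        """Step 1 of double opt-in: log the request, issue a signed, time-limited link."""
        self._record(email, "requested", source=source, ip=ip,
                     consent_text=consent_text_version)
        token = sign_token({"email": email, "act": "confirm",
                            "nonce": secrets.token_hex(8),
                            "exp": int(time.time()) + CONFIRM_TTL})
        self.sent.append((email, f"https://example.com/confirm?t={token}"))  # assumption
        return token

    def confirm(self, token, ip):
        """Step 2: only a valid click on the confirmation link turns a request into consent."""
        payload = verify_token(token)
        if not payload or payload.get("act") != "confirm":
            return False
        self._record(payload["email"], "confirmed", ip=ip)
        return True

    def unsubscribe_token(self, email):
        """Withdrawal link for each mailing: no expiry, withdrawal must stay as easy as consent."""
        return sign_token({"email": email, "act": "unsubscribe"})

    def unsubscribe(self, token):
        payload = verify_token(token)
        if not payload or payload.get("act") != "unsubscribe":
            return False
        self._record(payload["email"], "withdrawn")
        return True

    def can_email(self, email):
        """Marketing is allowed only if the most recent consent event is a confirmation."""
        events = [e["action"] for e in self.log
                  if e["email"] == email and e["action"] in ("confirmed", "withdrawn")]
        return bool(events) and events[-1] == "confirmed"

    def evidence(self, email):
        """The audit trail you would produce if asked to prove consent."""
        return [e for e in self.log if e["email"] == email]
```

Two design points matter here. The token carries the action (`confirm` or `unsubscribe`) inside the signed payload, so a confirmation link can never be replayed as an unsubscribe or vice versa, and the tag is checked with `hmac.compare_digest` before the payload is even parsed. The store never overwrites a record: a withdrawal is a new event after the confirmation, so `evidence()` shows the full history of how a contact ended up in, and out of, your database.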

Contact us for further information on how E RADAR can help you get GDPR-compliant

* I am also grateful to Neil Brown who has pointed out that direct marketing (under Recital 47) can rely upon 'legitimate interest' rather than 'consent' as the legal basis for processing personal data.

The GDPR states, ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’

This may be appropriate where consent is not viable or not preferred, though the Data Protection Network rightly stresses that organisations will still need to show that there is a balance of interests, their own against those of the person receiving the marketing.

Of course, any individual can object to direct marketing at any time (Article 21(2)), and once they do, their data may no longer be processed for that purpose. Direct marketing is one of the legitimate-interest cases for which objection is already fairly well understood and easy to action (often by an unsubscribe link or by contacting the company in question to request it).