The Email Savant Series: 5 Simple Steps For Aligning Email with GDPR
Written by Mark Vogel
There has been a great deal of media coverage lately about privacy, and who owns your personal data. Facebook is the highest-profile entity embroiled in this debate, but businesses of all sizes utilize data to send relevant messaging to their target audiences. If you have an e-newsletter, your email marketing program can tell you who received your message, if they opened it, if they clicked on a link, and so on. If you sell products online, it’s easy to follow up with an email that says, “Since you bought Product X, you might like Product Y…”. With that in mind, you may have read about an upcoming regulation called GDPR and wondered if it will impact your email marketing strategy. This blog will help you determine if it will affect you and what steps to take if it does.
GDPR stands for General Data Protection Regulation. It is a regulation in European Union law on data protection and privacy for all individuals within the EU, and it takes effect on May 25, 2018. GDPR is intended to ensure continued, stringent protection and enforcement, and to simplify the regulatory environment for global organizations. Advanced technology like cloud computing has intensified the focus on data protection.
So, you say “I’m in the US, so I’m not bound by EU regulations!” Actually, you are – if you hold Personally Identifiable Information (or PII) on any resident of the EU. A simple email address is considered PII. Let’s be clear. This is NOT a major issue for most small- to mid-sized businesses! The regulators will focus primarily on the big offenders first. Multi-national companies that store massive banks of data are scrambling right now to comply – such as banks, insurers, healthcare institutions, major publishers and so on. But even though your risk isn’t large, it isn’t zero. And, unless you’re one of those huge data aggregators, the steps you can take to ensure compliance with your email marketing efforts are NOT expensive or difficult to implement.
Step One: Determine Level of Risk
Does your organization store relatively large numbers of email addresses from residents worldwide, say, more than 10,000? This applies not only if you OWN the data, but also if you PROCESS the data. GDPR identifies both the “controllers” of the data and the “processors” of the data as equally liable. Advertising agencies, IT consultants and email marketing firms who manage client databases and send email messages on behalf of other companies to EU residents (whether B2C or B2B) need to implement GDPR compliance efforts.
Step Two: Identify the Sources
GDPR requires that brands collect affirmative consent that is “freely given, specific, informed and unambiguous.” That means if you are emailing large numbers of messages to purchased or rented lists, you need to purge those addresses. Sorry, but email lists are going to shrink – it’s the “new normal.” Don’t collect more data than you need.
Step Three: Audit Your Collection Processes
What does your sign-up form look like? Pre-checked boxes that automatically sign up a visitor for your email marketing messages are not allowed under GDPR. For example, if you ask for an email address in order to download a whitepaper, that does not imply consent to continue sending marketing emails at a later date. Add a checkbox (not pre-checked, obviously) that states “Yes, I’d like to receive occasional emails from you on your products and services” or something to that effect. If they check the box, you’re good. If not, just give them the whitepaper and don’t archive that address.
Step Four: Locate the Data
Today’s cloud-based computing means that copies of data can reside on multiple servers, not to mention the copies of Excel docs made by your team that may reside on their office desktop or personal laptop. Clearly define where email marketing data goes once it enters your possession. Ensure that everyone in your organization understands the rules. Determine who has access to the data, and routinely change login credentials, especially when someone leaves your organization.
Identify any vendors who might have access – email marketing pros, email service provider platforms, IT consultants, or temp workers, and ensure they understand the rules as well.
Step Five: Keep Records
Keep records of what you are doing to prepare for the GDPR and be ready to share those records if asked by the EU authorities: how did you acquire the email marketing data, and can you prove that the consent to provide the data was “freely given, specific, informed and unambiguous”? This proof is a requirement under a new “accountability” concept included in the GDPR. Create a checklist of all processes and share it with everyone in your organization. Develop procedures to detect, report and investigate a data breach.
Data subjects will now have the right to request that their information be completely erased from all servers. This is not optional. By keeping accurate records of the data collection and storage process, you should have no trouble meeting this requirement when asked.
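Steps Two, Three and Five, together with the erasure right just described, come down to a small amount of record-keeping logic: store an address only on an explicit, affirmative opt-in; keep the evidence of that opt-in with the address; drop any address on an existing list that has no such evidence; and, on an erasure request, remove the address from every place a copy lives. The Python below is an added illustration of that logic, not code from the author or from Nxtbook Media. The form field names, the consent wording, and the two stand-in copy stores (`esp_export`, `crm`) are constructed assumptions standing in for whatever your own forms and systems use.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Exact wording shown beside the (unchecked) opt-in box. It is stored with every
# record so the consent can later be shown to have been specific and informed.
CONSENT_TEXT = ("Yes, I'd like to receive occasional emails from you "
                "on your products and services")


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    source: str        # which form or page collected the address (constructed names below)
    consent_text: str  # the statement the subscriber affirmatively agreed to
    consented_at: str  # ISO-8601 UTC timestamp of the opt-in


class MarketingList:
    """Consent ledger plus the other places a copy of the address ends up."""

    def __init__(self) -> None:
        self._ledger: Dict[str, ConsentRecord] = {}
        # Stand-ins (assumed names) for the copies Step Four tells you to locate:
        # the export sent to your email service provider, the CRM, and so on.
        self._copies: Dict[str, Set[str]] = {"esp_export": set(), "crm": set()}

    @staticmethod
    def _normalise(email: str) -> str:
        return email.strip().lower()

    def handle_signup(self, form: dict) -> Optional[ConsentRecord]:
        """Process one parsed form submission; archive the address only on explicit opt-in.

        `form["marketing_opt_in"]` is the checkbox state as parsed by the form layer.
        It has no default: a missing field, an empty value or anything other than an
        explicit True is treated as no consent, so a pre-checked or defaulted box can
        never create a record on its own.
        """
        email = self._normalise(form.get("email", ""))
        if not email:
            raise ValueError("an email address is needed to deliver the download")
        if form.get("marketing_opt_in") is not True:
            return None  # hand over the whitepaper, but do not archive the address
        record = ConsentRecord(
            email=email,
            source=form.get("source", "unknown-form"),
            consent_text=CONSENT_TEXT,
            consented_at=datetime.now(timezone.utc).isoformat(),
        )
        self._ledger[email] = record
        for copy in self._copies.values():
            copy.add(email)
        return record

    def evidence_of_consent(self, email: str) -> Optional[ConsentRecord]:
        """The record you would produce if asked how an address was acquired."""
        return self._ledger.get(self._normalise(email))

    def audit_list(self, addresses: List[str]) -> Tuple[List[str], List[str]]:
        """Split an existing send list into addresses with recorded consent and those to purge.

        A purchased or rented address has no consent record, so it lands in `purge`.
        """
        keep: List[str] = []
        purge: List[str] = []
        for raw in addresses:
            (keep if self._normalise(raw) in self._ledger else purge).append(raw)
        return keep, purge

    def erase(self, email: str) -> Dict[str, bool]:
        """Honour an erasure request across the ledger and every known copy.

        Returns, per store, whether the address was actually found and removed, so the
        response to the data subject can itself be recorded.
        """
        key = self._normalise(email)
        report = {"ledger": self._ledger.pop(key, None) is not None}
        for name, copy in self._copies.items():
            report[name] = key in copy
            copy.discard(key)
        return report
```

The design point is that consent is a fact recorded at collection time, with its wording and source, rather than a flag inferred later; `audit_list` then becomes a mechanical way to shrink a list to the addresses you can actually account for, and `erase` reports which copies held the address so the erasure itself is documented.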
Compliance with the GDPR for email marketers doesn’t have to be costly or a burden on your business. In many respects, these are best-practice actions you probably should have been following all along. Other countries will be watching the GDPR enforcement and fine collection process and success, and very well might implement similarly strict data protection rules. Now is the time to ensure that your organization has taken the five steps listed above. If you don’t have the internal resources to ensure compliance, hire an outside professional.
Mark Vogel is president of Vogel Marketing Solutions LLC and serves as a lead email consultant for Nxtbook Media. He has more than 35 years of experience in the marketing world and has been actively engaged in email campaigns for more than 20 years. His email marketing clients include Fortune 500 companies, e-commerce retailers, non-profits, local businesses, and more. He can be reached at Mark@VogelMarketing.net.