Ok, exactly how up-to-date are your current email marketing lists? Do you have an accurate record of how and when an individual gave you permission for them to be added? Have you even sought permission? With the new GDPR regulations coming into force next month you have a short window of opportunity to clean things up and get your marketing lists compliant.

Before we start, let’s just remind ourselves what GDPR and PECR are all about…

The EU’s General Data Protection Regulation (GDPR) is designed to give people more control over how organisations use their data. The regulations overlap with with The Privacy and Electronic Communications Regulations (PECR) which cover the the use of cookies and electronic marketing communications eg email. In the UK, GDPR will replace the Data Protection Act 1998 and will be enforced by the Information Commissioner’s Office (ICO) who have powers to impose hefty penalties up to €20million or 4% of annual turnover (whichever is higher) for organisations that fail to comply with the rules. The fines also extend to organisations that suffer serious data breaches.

GDPR doesn’t just affect large companies. If you have a website or hold any personal information (including name, email address, phone numbers etc) for your clients, suppliers and / or employees you have to be compliant.

In a nutshell GDPR means you have an obligation to:

• Be clear about the legal basis upon which you are storing or processing the personal data and only use it for the purpose that the consent was given. There are 6 types of lawful basis (consent, contract, legal obligation, vital interests, public task or legitimate interest). For marketing purposes the basis is usually either consent or contract.
• If you don’t have a lawful basis or permission upon which to store and process personal data you will no longer have the right to use it for marketing purposes after the 25th May 2018 and the data should be erased
• Ensure you get (or, in the case of older data, have) agreement, in a GDPR compliant format, from the individual for you to store the data, and communicate (via privacy notices and help text) how you will process the data collected, including the rights of the individual to access, remediate or erase the data.
• If you are collecting personal data for more than one purpose, gain separate consent (unbundled and freely given) for each purpose and have a clear, audit-able process for recording (and storing) the date and method of consent.
• Only hold the data you actually need and only store it for as long as you need it
• Keep the information secure and, in the event of a serious data breach, notify the ICO within 72 hours
• If you process the data of under 18’s, have systems in place to verify individuals’ ages and obtain parental or guardian consent for any data processing activity of individuals under the digital age of consent (in the UK the digital age of consent is 13 years old and over).

Whilst under PECR you have an obligation to give people privacy rights in relation to electronic communications. PECR includes specific rules on:

• Marketing calls, emails, texts and faxes;
• Cookies (and similar technologies);
• Keeping communications services secure; and
• Customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

The rules on electronic mail marketing are in regulation 22. In short, you must not send electronic mail (email) marketing to individuals, unless:

• They have specifically consented to electronic mail from you; or
• They are an existing customer who bought (or negotiated to buy eg by providing a quotation) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent.

Additionally, you must not disguise or conceal your identity, and you must provide a valid contact address so they can opt out or unsubscribe.

For the purpose of this article we have focused on the implications of GDPR (and PECR) for your email marketing lists to give you clear recommendations as to what you need to do before the 25th May 2018.

However, please be aware that you probably store, process and use personal data in multiple places, other than just in your email marketing lists, including your website, CRM software, accounting software, payroll software, in offline printed formats and more. You need to be aware, under GDPR that you have an obligation to only process and store personal data where you have explicitly been given permission to do so, or where you have a legal obligation. When you no longer need (or have to) store personal data it should be erased. The process of cleansing the data you hold that we describe below for your email marketing can be applied to any data that you hold.

To read our recommendations about making your website GDPR compliant click here.

Ok, so you understand the rules. What can you do to get your email marketing lists GDPR compliant by the 25th May 2018?

Start by identifying any emails where you don’t need consent. Namely:

1. Any non-personal business email addresses eg info@

2. Any previous customers

3. Any individual that has asked you to do something before entering into a contract (eg providing a quote)

Under GDPR you can rely upon ‘contract’ as being the lawful basis for processing someone’s personal data when you need to use that data in order to fulfil your contractual obligations or when you have been asked to do something before entering into a contract (eg provide a quote). The same principle applies with PECR. You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning for the purpose of using their data to send marketing communications. Just remember:

• If a personal or non-personal email has previously unsubscribed you do not have consent to continue emailing them
• Where you have a lawful basis to send emails keep your emails relevant, restricting your mailings to similar products or services to those previously purchased (or where you have provided a quote) or to the service / mailing list the individual subscribed to.
• Always include an unsubscribe option in each email you send.
• You should hold a suppression file of hard bounced emails and emails that have opted-out and should ensure that un-subscription links work.

Under GDPR and PECR the resultant lists can be used for email marketing purposes. Provided you respect and record un-subscription requests, to keep your lists clean, you have every right to continue to send marketing emails to this group.

Divide the rest between consented and non-consented emails

For other emails on your list, look through your records and see if there is any evidence that consent has been previously given and divide the remaining list into:

1. Consent is provided that is GDPR compliant
2. Consent is provided but not compliant to GDPR.
3. Consent is not provided or has been removed

Let’s take each of these in turn…

1. Consent is provided that is GDPR compliant

If you have a list of emails that have provided consent to a GDPR standard, you can continue to send marketing emails to this list. We recommend that you continually cleanse and validate the list to make sure it is up-to-date by:

1. Check, using an email address checker, to ensure you have accurate info and to reduce bounce rates. There are several websites that provide this service including Brite Verify
2. Screen against the CTPS register for opt-outs. Note: If you have a prior existing relationship with a customer, you do not have to screen the data but take care with very old records as they may not even remember you!

2. Consent is provided that is not GDPR compliant

For this group, you have until the 25th May 2018 to get their consent, so you can continue to send email marketing communications to them. You can obtain consent by running re-permission email campaigns (read our blog article about re-permissioning campaigns here). Don’t limit yourself just to emails, to regain permission, you can call them, text them, contact them via social media and even write to them to regain their permission.

Don’t forget: If you do NOT get their permission by the 25th May, you have no lawful basis upon which you can store this data and should erase these records.

3. Consent is not provided or has been removed

If you do not have consent to email individuals under GDPR and PECR you should consider speaking (not emailing them). You can…

• Undertake ‘customer care’ calls to your customers to establish and categorise their status and to tidy up your database e.g.
  • Dormant customers that can be retrieved through incentives and simply through some love and attention
  • Lapsed customers that have gone elsewhere (offers to tempt them back?)
  • No longer trading/out of business
• Start by segmenting individuals by value (or potential value) and, to maximise your return, start at the top of the list!
• Whilst on the call, gather opt-ins to further marketing (especially relevant if you gathered their information about a particular sale and you want to offer them something completely different)
• Append data that is missing from the database
• Gather preferences for contact e.g. by email, phone, post etc
• Record the date and method of any permission you obtain so that you have an audit trail

If you do NOT get permission by the 25th May for this group of emails, you have no lawful basis upon which you can store this personal data and should delete these records.

Email marketing after the 25th May 2018

By following the steps above you will have a fully compliant email list by the 25th May 2018.

Further reading:

How to run a re-permission campaign

How to ensure your website is GDPR compliant