What to do about GDPR and your email subscriber lists

GDPR and your email subscriber lists

This blog aims to set out options in relation to GDPR and your email subscriber lists in preparation for GDPR, which comes into force on 25th May 2018.

Since Europe’s data protection rules were created in the 1990s, the amount of digital information we create, capture, and store has vastly increased. The GDPR brings the biggest reforms in two decades and significantly changes data protection law in Europe, strengthening the rights of individuals and increasing the obligations on organisations.

In fact, email marketing rules are not specifically covered in the GDPR (Source: SendGrid). EU email marketing rules are contained in the ePrivacy Regulations, which were due to be revised and implemented at the same time as GDPR, but are still in the approval process.

An “optimistic” forecast is that the ePrivacy Regulation will be finally approved by the end of 2018, although the implementation date remains to be seen. So there may be clearer guidelines for email marketing after GDPR.

In the meantime, if your business collects personal data including email addresses for email marketing, it would seem wise to ensure that your consent processes are prepared for GDPR and your email subscriber lists comply as far as possible, ahead of the new ePrivacy Regulations.

What to do before GDPR

This blog suggests two options for your consideration. Compliance with GDPR is primarily your responsibility. It’s best to consult your own legal professionals for help with this.

REsubscribe or UNsubscribe?

Option 1 – Invite your subscribers to REsubscribe

Your email campaigns prior to 25th May should clearly state what recipients are subscribed to and give them the option to:

  • REsubscribe
  • Update their preferences, or
  • UNsubscribe

You may have already seen businesses preparing for GDPR by taking this approach. Recipients are advised that if they do not REsubscribe, they will be removed from the email list after 25th May 2018.

If you do this, make sure your sign up form is quick and easy to complete. You will have to be prepared to lose subscribers. On the other hand, this is a good way to data cleanse your list and ensure that your subscribers are those who are genuinely interested in what you have to say.

It may help to set up a new Subscriber List for this purpose, and use it as an opportunity to restructure by asking subscribers to ‘opt-in’ to specific services or subjects, which you can then use to segment your lists and create more targeted campaigns. As long as tick boxes are not pre-ticked, this should be OK.

However, be careful about deleting your old lists after GDPR. They contain records of UNsubscribers and your email marketing provider will prevent you from inadvertently resubscribing those individuals.

Update their Preferences or Unsubscribe

At the same time, give the option to update Preferences or Unsubscribe. In the run up to GDPR, include this in the main content of your email with clearly clickable links or buttons. Updating Preferences gives the recipient the opportunity to check what data you hold about them on your subscriber list, and update it if they wish.

Option 2 – Invite your subscribers to UNsubscribe

By choosing this process you will give your recipients a clear option to UNSUBSCRIBE. 

Your email campaigns prior to 25th May should clearly state what recipients are subscribed to and give them the option to:

  • Unsubscribe, or
  • Update their preferences

Consider this a subscription reminder, instead of a ‘refresh’ opt-in. If recipients do not respond, they had the opportunity but did not take action – you assume that it is OK to continue emailing them.

This is a ‘risk managed solution’. There is an argument that retrospective data collection prior to GDPR is unlikely to be checked by the ICO. Your email marketing platform should have records of when and how each subscriber was added to your list, which you can provide if necessary.

In the unlikely event that the business is questioned about historical sign ups, you will be able to prove that the process took place and you acted responsibly. This option may be sufficient prior to the new ePrivacy Regulations due after GDPR.

Source: SendGrid Webinar : ‘GDPR – What senders need to know.’


The Information Commissioner’s Office (ICO), who will be responsible for enforcing GDPR, have prepared a 12 step guide, “Preparing for the General Data Protection Regulation (GDPR)”.

Step 7: Consent states:

“You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard…

…You are not required to automatically ‘repaper’ or refresh all existing DPA (Data Protection Act) consents in preparation for the GDPR.”

So – refresh your existing consents to make sure any new subscriptions meet the GDPR standard, but existing consents do not have to be re-consented, providing your current procedures meet current DPA rules.

What to do after GDPR

After 25th May 2018, to comply with GDPR and your email subscriber lists, we recommend that you have the following in place:

Collection of personal data for email marketing

  • Sign up forms must state clearly what the subscriber will receive
  • All email campaigns must include an unsubscribe option
  • Include a Preferences link, where recipients can see what data you have for them and update it if they wish
  • Opt-out should not be used, i.e. do not use a tick box which requires users to tick to opt-out of your emails
  • Clearly state that their data will not be passed to any third party

Every email campaign or newsletter should include a Permission statement. Ask your legal adviser to check what this should include, for example:

  • How you obtained their email address
  • Your ICO Registration number and a statement about conforming to GDPR
  • Details of your Data Controller, i.e. who to contact to request information about data held and to request its removal
  • A link to your Privacy Policy

Please note that the rules for email marketing may change when the ePrivacy Regulations are updated, due after GDPR.

Compliance with GDPR is primarily your responsibility. We advise you to seek legal advice to ensure your business fully complies.

For more information about our email marketing service, FactorEmail, click here. To request a review of your preparations for GDPR and your email subscriber lists, please contact us.
