EMAIL COMPLIANCE & STRATEGY

GDPR & Email Marketing: Preparing for the 2018 Changes

In the world of email marketing, staying ahead of legal and regulatory changes is crucial. Sometimes, this involves adapting to new coding techniques; other times, it means ensuring compliance with major shifts in data protection law.

With the General Data Protection Regulation (GDPR) set to come into effect across the European Union in May 2018, it's essential for marketers to understand what it is, why it affects them, and what steps need to be taken before the deadline. This guide breaks down the upcoming changes.

 

What is GDPR? (The Upcoming Change)

GDPR is a new EU regulation designed to strengthen and unify data protection for all individuals within the EU, replacing the 1995 Data Protection Directive (95/46/EC). It aims to give individuals more control over their personal data and simplify the regulatory environment for businesses.

Unlike the directive it replaces, GDPR is a regulation: it is directly applicable in every EU member state from the enforcement date without first having to be transposed into national law.

  • Timeline: Adopted April 2016, enforceable from May 25, 2018, after a two-year transition.

  • Authority: Driven by the European Parliament, Council of the EU, and European Commission.

 

Why Will GDPR Affect Email Marketers?

GDPR applies to any organisation that processes the personal data of individuals in the EU, wherever that organisation is based (the test is the data subject's location, not citizenship). If you collect email addresses and send marketing communications to subscribers in the EU, you will need to comply.

The EU represents a significant market, making GDPR compliance strategically important. Furthermore, the principles it introduces reflect a growing global focus on data privacy.

 

Key Changes Introduced by GDPR (Compared to DPA)

While many GDPR principles align with the existing UK Data Protection Act (DPA), there are crucial expansions and clarifications:

  • Broader Definition of Personal Data: GDPR explicitly includes online identifiers like IP addresses as personal data, reflecting technological changes.

  • Scope: Applies to both automated processing and manual filing systems where records are accessible by reference to an individual. Pseudonymised data (for example key-coded records) is still personal data under GDPR, because it can be re-attributed to an individual using the additional information; only data that is truly anonymised falls outside its scope.

  • Core Principles (Enhanced): GDPR mandates that personal data must be:

    • Processed lawfully, fairly, and transparently.

    • Collected for specific, explicit, legitimate purposes.

    • Adequate, relevant, and limited to what's necessary.

    • Accurate and kept up-to-date.

    • Kept identifiable only as long as necessary.

    • Processed securely.

  • Accountability: Crucially, the data controller (your organization) is responsible for demonstrating compliance with these principles.

 

What Email Marketers Need to Do Before May 2018

GDPR significantly impacts how marketers seek, collect, and record consent.

1. Stricter Consent Requirements

Under GDPR, consent must be "freely given, specific, informed, and unambiguous", given by a clear affirmative action: silence, inactivity, or pre-ticked boxes do not count. It must also be as easy to withdraw as it was to give.

  • Transparency: Clearly state who is collecting consent and for what purpose (purpose limitation), in plain language and separately from other terms and conditions.

  • Invalid Consent Methods: Collecting an email address for one purpose (e.g., a whitepaper download) does not allow you to add that person to a marketing list; marketing requires its own separate, explicit consent for that specific purpose.

 

2. Burden of Proof (Recording Consent)

You will need to maintain clear records demonstrating how and when consent was obtained: who consented, when, what they were told (the exact wording of the consent statement), the source (which form or channel), and whether they have since withdrawn. Storing this alongside each subscriber, in a form that cannot be quietly altered later, will become essential.

 

3. Reviewing Existing Data

Your current database needs assessment. If permissions weren't collected to GDPR standards, or if you can't prove they were, you may not be allowed to email those subscribers after May 2018.

  • Action Recommended: Run re-permissioning campaigns well before the May 2018 deadline to obtain fresh, GDPR-compliant consent from existing EU subscribers where necessary, and record that new consent to the same standard.
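The consent, record-keeping and review steps above can be tied together in a small consent ledger. The following is an added example (not code from the original article): each consent is stored per purpose, with timestamp, source and the exact wording shown, and sealed with an HMAC so later edits to the evidence are detectable. Consent collected for one purpose does not unlock another, and a pre-ticked box or non-affirmative action is rejected at write time. The field names, the SEAL_KEY value and the sample subscribers are assumptions made for the example.

```python
"""Consent evidence ledger: one sealed, per-purpose record per consent event.
Added example; not part of the original article. Field names, the seal key
and the sample records below are assumptions."""
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
import hashlib
import hmac
import json

# Assumed: in production this key comes from a secrets manager and is rotated;
# it is hard-coded here only so the example runs offline.
SEAL_KEY = b"example-consent-ledger-key"


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    purpose: str        # one record per purpose, e.g. "marketing_newsletter"
    collected_at: str   # ISO-8601 UTC timestamp of the affirmative action
    source: str         # where consent was captured, e.g. "signup_form_v3"
    wording: str        # the exact statement the subscriber agreed to
    seal: str = ""      # HMAC over the other fields; detects later edits


def _seal(fields: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the evidential fields."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SEAL_KEY, payload, hashlib.sha256).hexdigest()


def record_consent(email, purpose, source, wording, *, affirmative, prechecked,
                   collected_at=None) -> ConsentRecord:
    """Store consent only if it was an affirmative, un-prefilled action.
    Raises ValueError for anything that would not be valid GDPR consent."""
    if prechecked:
        raise ValueError("pre-ticked boxes do not constitute consent")
    if not affirmative:
        raise ValueError("consent requires a clear affirmative action")
    if not wording.strip():
        raise ValueError("the wording shown to the subscriber must be recorded")
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    rec = ConsentRecord(email, purpose, collected_at, source, wording)
    fields = asdict(rec)
    fields.pop("seal")
    return replace(rec, seal=_seal(fields))


def verify_record(rec: ConsentRecord) -> bool:
    """True if the record's seal still matches its contents."""
    fields = {k: v for k, v in asdict(rec).items() if k != "seal"}
    return hmac.compare_digest(_seal(fields), rec.seal)


def may_email(ledger, email, purpose) -> bool:
    """Emailing for a purpose is allowed only with an intact record for that
    exact purpose; consent for another purpose (e.g. a whitepaper) does not carry over."""
    return any(r.email == email and r.purpose == purpose and verify_record(r)
               for r in ledger)


if __name__ == "__main__":
    # Constructed sample data for the example.
    ledger = [
        record_consent("alice@example.com", "marketing_newsletter", "signup_form_v3",
                       "Yes, email me the monthly newsletter.",
                       affirmative=True, prechecked=False),
        record_consent("bob@example.com", "whitepaper_download", "whitepaper_form",
                       "Send me the whitepaper PDF.",
                       affirmative=True, prechecked=False),
    ]
    print(may_email(ledger, "alice@example.com", "marketing_newsletter"))  # True
    print(may_email(ledger, "bob@example.com", "marketing_newsletter"))    # False
```

When reviewing an existing database, subscribers with no intact record for the marketing purpose are exactly those who need a re-permissioning campaign; a record whose seal no longer verifies should be treated as missing rather than trusted.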

 

4. Adapting Email Programs

You'll need to update your sign-up processes. Consider:

  • Option A (Complex): Separate sign-up flows for subscribers in the EU and those outside it, which requires reliably determining a subscriber's location at sign-up.

  • Option B (Recommended): Bring your entire database and all opt-in processes up to the stricter GDPR standard. While this might slightly slow list growth initially, it ensures compliance and results in a higher-quality, more engaged list long-term.

 

What About Brexit?

The UK voted to leave the EU in June 2016. While negotiations are ongoing, it's highly likely the UK will still be subject to GDPR in May 2018. Even post-Brexit, UK businesses handling the data of individuals in the EU will need to comply. The UK's Information Commissioner's Office (ICO) advises businesses to continue preparing for GDPR.

 

The Cost of Non-Compliance

Doing nothing is not a viable option. GDPR introduces significantly higher maximum fines: up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is greater. Enforcement priorities remain to be seen, but individuals have a right to lodge complaints with a supervisory authority, so a single subscriber complaint can trigger an investigation. Compliance is the only safe path.


 

Conclusion (Historical Context)

Preparing for GDPR requires a significant strategic and operational shift for many email marketers. By focusing on transparent consent, robust record-keeping, and reviewing existing data practices before the May 25, 2018 deadline, businesses can ensure compliance, build greater trust with their audience, and lay the foundation for a more sustainable and effective email marketing program under the new regulations.