The General Data Protection Regulation (GDPR) and its impact on email marketing was one of the major topics at this year’s EU Summit.
The GDPR aims to give EU citizens greater control over their personal data and better protection against cybercrime. In line with these aims, the regulation imposes restrictions on businesses that operate within the European Economic Area (EEA) in relation to the processing of personal data and sets down requirements for data privacy and communications. In particular, the GDPR requires that organizations not collect or use personal data for marketing purposes without obtaining “explicit consent” from the person concerned.
In April, the United Kingdom (UK) formally left the European Union (EU). One of the significant factors behind the Brexit vote was a desire among many for greater control over immigration and to restore jobs lost due to international trade. Although the rights of UK citizens living abroad will be protected, there is concern that the cost of complying with the GDPR may be difficult for some businesses to bear.
The GDPR is set to come into force on May 25, 2018, and its rules apply to all organizations processing personal data within the EEA, including email marketers that process data relating to individuals in the UK.
The ramifications of the GDPR for email marketers will be significant. Email marketing is an essential tool for many businesses, helping them to connect with potential customers and allowing them to stay in touch with existing clients. Data subject to the GDPR has increased dramatically in recent years, with 2.34 million data records created every day in the UK alone in 2017.
The GDPR has significant implications for email marketers as it places restrictions on how companies can use personal data to communicate with individuals, including via email.
Under the new regulations, companies will no longer be able to use previously collected personal data to send commercial emails to people who did not give their explicit consent to receive such material. Businesses that fail to comply with the GDPR could face significant penalties, including fines of up to 4% of annual revenue or up to €20 million ($23 million), whichever is greater.
What is ‘Spam’?
Data protection legislation in Europe is harmonized at a regional level and developed in line with national legislation and EU directives. In the UK, the GDPR is now the overarching legislative framework governing data protection and privacy issues.
One of the significant changes introduced by the GDPR is that it defines “spam” as “unsolicited commercial email” (UCE). Companies that use email marketing to promote products or services, often generating millions of messages a year, may be facing a challenge under the GDPR as the definition of “spam” includes emails that are not individually relevant to the person receiving the email. This could have significant implications for marketers, particularly those that rely heavily on email.
For example, if a company sends out a newsletter with a great deal of product information about a specific product, that could be considered spam under the new regulations. However, if the same company sends out the same newsletter with information about a different product, that might not be considered spam.
Why does GDPR matter for email marketers?
Although the GDPR will impact every business that processes personal data in some way, email marketers have several sensitivities that make the regulation particularly relevant to them. Email marketing is a widely used and effective tool in any business, and compliance with the GDPR is often overlooked by administrators who use email marketing to communicate with customers.
Firstly, like other business sectors, the email marketing industry is highly automated and largely conducted without the involvement of human beings. This minimizes the potential damage that could arise from non-compliance with the GDPR. Email marketing is also a digital form of marketing that can be easily automated and tracked, meaning that any data breaches could be more easily detected by businesses.
What do I need to do now?
If a business operates within the EEA, it will have to ensure that it is compliant with GDPR by May 25, 2018. With the Brexit deadline fast approaching, many businesses may be scrambling to ensure that they are ready to operate as an EEA business on May 25, 2018 with the minimum of disruption. As we discussed, the GDPR is complex and there are several areas that businesses need to focus on to ensure that they are compliant.
Firstly, email marketers need to assess the personal data that they hold relating to individuals in the UK and determine whether any of it is covered by the GDPR. To do this, businesses must look at their purposes for collecting data and how they are using it. Email marketers should keep documentation of their data processing practices and be able to provide evidence of how they comply with data protection legislation and the GDPR. This will also be a test of their technical infrastructure as they must be able to demonstrate that they have appropriate measures in place to ensure data security.