RenewThoughts: Digital communication best practices in a GDPR world

By Lauren Glickman, Managing Partner

May 25th has come and gone. You’ve probably received an email from every company or brand you’ve ever given your email address to, each announcing updates to a privacy policy you probably never read to begin with. As a communications professional who works with a variety of clients based in the U.S. and focused exclusively on marketing in the U.S., I’ve spent a lot of time trying to determine the impact of the EU’s new data protection and privacy regulation (the GDPR) on my clients. While compliance might not be required for my clients immediately, implementing the highest standards for data protection and consent will always benefit a company’s marketing efforts and its reputation.

This blog is meant to serve as a practical guide for dealing with data protection and digital consent as it relates to marketing, and is not intended to replace the advice of a lawyer. As you implement your system for compliance (which may include many of the tips outlined below), you should consult a lawyer to verify it. The GDPR penalties for non-compliance are no joke: fines can reach 20 million euros or 4 percent of global annual turnover, whichever is higher. On day one, Google and Facebook both already appeared to be facing potentially major lawsuits.

Why all the emails?

Most of the emails I’ve received don’t actually deal with consent but with how the organization plans to manage my data going forward (a key component of the new regulation). The ones that do deal with consent mostly feel like a hurried attempt to gain an affirmative and verifiable opt-in. This makes a certain amount of sense when you consider that prior to May 25, the laws governing consent for digital marketing were vague at best.

Buying lists, scraping contact information and other non-consent-based means of generating business leads have never been best practice for the industry, but they were something you could get away with if you were delivering valuable content that your end user wanted. Those days are now gone; it’s now about delivering content the end user has asked for.

If you’ve been organically building a list over time, where people are asking for continued email communications from you, congratulations! You don’t need to send additional consent emails. If you have an email list of unknown origin, having sent out a consent email prior to May 25th might bring you a step closer to compliance, but the actions you take going forward will be critically important.

There have been laws around for years governing digital consent and this chart from Relationship One offers a simple side-by-side comparison.  

The bottom line

Even if your company or organization hasn’t been sending out unsolicited emails to the masses, the GDPR will require most (if not all) organizations with any ties to the personal data of individuals in the EU to examine — and potentially change — how they collect, store and process the information for business operations. And in today’s global economy, practically speaking, that means all of us.

Assuming your business relies on any form of lead generation, this means that compliance will be an ongoing activity, and not something covered by even the most well thought-out email. May 25th was never the end of the talk and activities surrounding GDPR; it was only the beginning.

What should you do now?

If you haven’t done so already, you should update your privacy policies and put together a simple, easy-to-find online FAQ about what the GDPR means for customer data, to cover your bases.

The types of personal data these new regulations cover:

  • Basic identity information, such as name, email, address and ID numbers
  • Web data, such as location, IP address, cookie data, and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

Your privacy policy going forward should contain the following (at a minimum):

Right to access - If a customer requests a copy of their data, you will have to provide it free of charge. This includes where the data is stored and why you use it.

Right to be forgotten - You should be able to locate and delete a customer’s personal data when they ask you to.

Right to rectification - Customers should have easy access to the data you collect about them, and the ability to edit it when they want to.

Data breach notification - The ability to notify the supervisory authority within 72 hours of becoming aware of lost data, hacks, leaks or other data breaches, and to inform affected customers without undue delay when the breach is likely to put them at high risk.

Privacy by design - Data protection and data compliance should be central to the design of all your systems.

Data management - How long the data will be stored and when it will be deleted.

Age - Indicate you have a policy that prohibits users younger than 16 years old from registering or using your services/product without parental consent (16 is the GDPR default; individual member states may set the threshold as low as 13).

Email best practices going forward

When it comes to email best practices it all comes down to consent. Consent to receive your communications should be “freely given, specific, informed and unambiguous,” the GDPR’s own wording in Article 4(11), and given by a clear affirmative action. Just because someone gave you their email address at some point does not mean they have consented to ongoing email from you, unless that was explicitly stated. A good recommendation is to consult with local counsel to determine whether consents obtained prior to the GDPR comply with its requirements, whether you instead need to contact your subscribers and others you have email addresses for to re-request consent in accordance with the GDPR, or whether you can rely on a different lawful basis for your email processing under the GDPR.

1. Document where your emails come from and when consent happens

This means you should seek consent wherever possible and keep a record of it: where each address came from, when the subscriber opted in, and what wording they agreed to. It’s better to be safe than sorry, and asking for direct, affirmative permission to contact someone via email (the reason for some of the emails you’ve received) is the most secure process under the GDPR and ePrivacy legislation.

2. Do not buy lists

It was never a good idea to buy an email list before, regardless of where the data came from. From now on, you cannot email a copied or purchased list: the people on it never gave you consent, and you have no record of how their addresses were obtained. Instead of automatically adding users to your email list and waiting for them to opt out, you will have to begin the sales process by ensuring users opt in to your B2B email marketing campaigns.

3. Double opt-in is good for everybody

Double opt-in means that after someone submits your sign-up form, you send a confirmation email to that address and only add them to your list once they click the link in it. To make sure you are fully in compliance, you either need to set up this second opt-in step for anyone who says they are an EU resident and keep them on a segmented list, or update your protocol for everyone. I recommend the latter.

4. Age restrictions

You cannot collect information from anyone under 16 without parental consent. If you don’t target those under the age of 16, you will need to add a checkbox to your opt-in form for the subscriber to confirm they are 16 or older.

5. Think about the information you require

You cannot require more information than is needed for your business for each subscriber. So if you don’t need a phone number or a mailing address, don’t ask for one. If you want to collect this information you will need a valid reason. If you send industry or geographically specific information, explain that in the opt-in process.

6. Audit your current email list

Where did your current email list come from? How did you obtain consent? Do you have a record of that consent? If the latter two questions give you pause, it may be time to send one of those emails referenced at the beginning of this article.

7. Get rid of unnecessary data

As part of your audit and from now on, set up a method for getting rid of data you’re not using. When it comes to your email list, this could take a couple of different forms.

1) Remove subscribers who’ve never opened an email, or haven’t opened one in the last year.
2) Email inactive subscribers quarterly and ask if they still want to remain on your list. Delete those who don’t respond.
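The following is an added example, not code from the original post, that puts items 1, 3, 6 and 7 together: a double opt-in flow whose confirmation link carries an HMAC-signed, time-limited token bound to the subscriber’s address, a consent record that stores the source, request time and confirmation time for each address, and an audit that flags addresses that were never confirmed or have gone quiet so they can be purged. The in-memory store, the field names, the token format and the 48-hour confirmation window are my own assumptions standing in for a real subscriber database.

```python
"""Double opt-in with an auditable consent record, plus a retention sweep.

Added example, not code from the original post. The store is an in-memory
stand-in for a real subscriber database; field names, token format and the
48-hour confirmation window are assumptions made for this example.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed secret for the example only; load from a secret store in production.
SERVER_SECRET = b"example-only-secret-rotate-me"
CONFIRM_TTL = 48 * 3600           # seconds a confirmation link stays valid
INACTIVE_AFTER = 365 * 24 * 3600  # seconds without an open before a subscriber is flagged


@dataclass
class ConsentRecord:
    email: str
    source: str                         # where the address came from: form URL, event, "legacy-import"
    requested_at: int                   # first opt-in: the form submission (unix seconds)
    confirmed_at: Optional[int] = None  # second opt-in: confirmation link clicked
    last_open_at: Optional[int] = None  # most recent open we have seen
    over_16: bool = False               # the age checkbox from the opt-in form


def make_confirm_token(email: str, issued_at: int) -> str:
    """Return 'issued_at.mac'; the MAC binds the token to this address and issue time."""
    msg = f"{email.lower()}|{issued_at}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def verify_confirm_token(email: str, token: str, now: int) -> bool:
    """Reject malformed, expired, future-dated or forged tokens (constant-time compare)."""
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > CONFIRM_TTL:
        return False
    expected = make_confirm_token(email, issued_at).split(".", 1)[1]
    return hmac.compare_digest(mac, expected)


class SubscriberStore:
    def __init__(self) -> None:
        self.records: Dict[str, ConsentRecord] = {}

    def request_opt_in(self, email: str, source: str, over_16: bool, now: int) -> str:
        """Step 1: record who asked, from where and when; return the token for the email link."""
        if not over_16:
            raise ValueError("subscriber must confirm they are 16 or older")
        key = email.lower()
        self.records[key] = ConsentRecord(key, source, now, over_16=True)
        return make_confirm_token(key, now)

    def confirm(self, email: str, token: str, now: int) -> bool:
        """Step 2: the subscriber clicks the link; only then is consent documented."""
        rec = self.records.get(email.lower())
        if rec is None or not verify_confirm_token(email, token, now):
            return False
        rec.confirmed_at = now
        return True

    def mailable(self, email: str) -> bool:
        """Only confirmed addresses may receive marketing email."""
        rec = self.records.get(email.lower())
        return rec is not None and rec.confirmed_at is not None

    def record_open(self, email: str, now: int) -> None:
        rec = self.records.get(email.lower())
        if rec is not None:
            rec.last_open_at = now

    def audit(self, now: int) -> Dict[str, List[str]]:
        """Who never confirmed within the window, and who has gone quiet for a year."""
        findings: Dict[str, List[str]] = {"unconfirmed": [], "inactive": []}
        for key, rec in self.records.items():
            if rec.confirmed_at is None:
                if now - rec.requested_at > CONFIRM_TTL:
                    findings["unconfirmed"].append(key)
                continue
            last_seen = rec.last_open_at if rec.last_open_at is not None else rec.confirmed_at
            if now - last_seen > INACTIVE_AFTER:
                findings["inactive"].append(key)
        return findings

    def purge(self, emails: List[str]) -> int:
        """Delete records; this is also the hook for right-to-be-forgotten requests."""
        removed = 0
        for e in emails:
            if self.records.pop(e.lower(), None) is not None:
                removed += 1
        return removed
```

The token is the security-relevant piece: because the HMAC covers the lower-cased address and the issue time, a confirmation link for one address cannot be replayed against another, an old link stops working after the window closes, and a guessed or edited token fails the constant-time comparison. A record with `confirmed_at` unset is exactly the “list of unknown origin” case from earlier in the post, and the audit surfaces it rather than letting it be mailed.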

8. Don’t be afraid to seek professional help!

These new regulations may only directly apply to organizations handling the personal data of people in the EU at the moment, but data privacy and protection are globally important topics. The GDPR gave companies two years to become compliant (it was adopted in April 2016 and has applied since May 25, 2018), and even post-deadline, some companies are still navigating the issue with uncertainty.

It certainly seems like when the dust settles, we’ll find that a lot of the GDPR opt-in emails were either unnecessary or did nothing to achieve ongoing compliance. Unfortunately, it may take some lawsuits to set precedents before we get some consistency. It’s important to take as many steps as possible to ensure your business does not become a precedent-setting case when it comes to data protection and consent.

Disclaimer: This information is provided as-is, based on our best understanding of the information publicly available. This is not legal advice, and we may not have addressed your particular situation. You should consult with your own legal counsel if you have questions about your obligations under the GDPR.