GDPR for email marketers

8 minute read

GDPR is coming. Here’s a handy 20 point summary of how GDPR is likely to affect you as an email marketer. There’s lots more to know, but this should get you headed in the right direction.

Get ready for GDPR

What is GDPR?
GDPR is the General Data Protection Regulations (officially (EU) 2016/679). Although it has new aspects it is not fundamentally new. It represents the latest evolution of regulations on data privacy and protection in Europe. It replaces the current EU Data Protection Directive (95/46/EC, known as DPD) of 1995 and sits alongside the EU e-Privacy Directives (2002/58/EC and 2009/136/EC) of 2002 and 2009.

What is the current law?
As EU ‘Directives’ the current DPD and e-Privacy are translated into various national level laws. eg. in the UK these are the Data Protection Act (DPA, 1998) and Privacy and Electronic Communications Regulations (PECR, various revisions since 2004).  In the UK these are enforced by the Information Commissioners Office (ICO) – the UK Supervisory Authority (SA) or Data Protection Authority (DPA)

Is it the new law?
Yes. Harmonising fragmented laws and relieving the legislative burden on individual member states is one of the objectives of GDPR. Unlike previous ‘Directives’, as a ‘Regulation’ GDPR does not need separate national level legislation in order to become law in each member state.

Why is it needed?
The reform of the 1995 Data Protection Directive was proposed in 2012 in order to address significant changes in the way personal data is now available, collected and used and to reflect the changing nature of the EU and its individual member states.

When will it happen?
The GDPR transcipt was published in May 2016 and it becomes EU law on 25 May 2018. This is referred to as the GDPR ‘effective date’. This allows the governments of EU member states and EU businesses a 2 year ‘readiness’ period in which to prepare for the changes.

Is it about marketing?
GDPR is not fundamentally about marketing or email. It is a wide ranging policy regarding the privacy and protection of EU individuals, specifically relating to how personal data about them might be collected, stored and used. GDPR refers to these uses as ‘processing’.

Who does it apply to?
GDPR is applicable equally across all sizes of business, public authorities and all industry sectors. It applies to any business located in the EU and also to businesses located outside of the EU who are processing the personal data of EU individuals.

Does it make things harder?
It’s not meant to be restrictive to good people. As a defined objective GDPR intends to help and guide those with legitimate business interests, but also to more easily identify and more severely penalise those who deliberately or consistently avoid compliance.

What about the UK and BREXIT?
GDPR is likely to become effective in the UK before BREXIT is finalised, so it will be UK law for at least some period of time. The Great Repeal Act (in preparation) will determine which aspects of GDPR are retained although it’s unlikely that the UK’s post-BREXIT conditions will be significantly different.

What are the key principles?
Apart from privacy and protection GDPR is based on several fundamental principles, eg. processing of personal data only under specific consent or other lawful conditions, a balance of interests between businesses and individuals and an overall environment of fairness, appropriateness and transparency.

What is Personal Data?
GDPR only applies to ‘personal data’ i.e. data which can or could identify an individual person (the data subject). Personal data includes previous items like name, email address etc and also introduces new definitions for biometric and genetic identifying data. It also includes encrypted data and ‘online identifiers’ like cookies.

When is processing lawful?
GDPR defines 6 scenarios for the lawful processing of personal data – these are legal obligation, public interest, vital interest, contractual, legitimate use and consent. Of these, contractual, legitimate use and consent are the most significant for most email marketers.

Has the principle of consent changed?
Although the principle of ‘consent’ is largely unchanged, GDPR introduces better clarification regarding what constitutes consent and how it might be obtained and used. These tighten the definition but they are still largely in line with any existing good-practice ‘permission marketing’ strategy.

How is consent now defined?
GDPR requires that consent must be a clear and affirmative opt-in action, freely given with full knowledge of owner and intended purpose of processing. It can’t be implied, assumed, bundled or otherwise connected and only applies for a specifically identified purpose.

Do I have to renew existing consent?
Consent obtained before GDPR is continuous (i.e. renewed consent is not required) provided the previous conditions of consent themselves were GDPR compliant and the purpose of consent has not changed for future intentions. However this must still be reviewed, justified and the impact assessed.

Can I email my customers without consent?
The scenario of ‘legitimate use’ builds on previous definitions of ‘legitimate interest’ and allows a scenario for processing where specific consent is not specifically in place. In this respect it’s similar to the current ‘soft opt-in’. GDPR requires a clear relationship, genuine mutual interest, balance of interests, expected and appropriate processing and without infringement of individual rights and freedoms of the individual.

Is direct marketing a legitimate scenario?
GDPR specifically references direct marketing as a possible scenario for legitimate use, provided that the conditions described above are met. The specific inclusion of this clarification has been welcomed by businesses and marketing organisations.

What else?
Contractual refers to data processing which is required or directly relates to the fulfilment of an existing contract between the business and individual. The (appropriate) processing of data for this purpose is lawful without further specific consent.

Do I need to justify my actions?
A major difference of GDPR is the placement of significant responsibility on data controllers (i.e businesses). Data controllers must ensure that any data related or processing activity is compliant – that it has been reviewed and justified, including an assessment for its impact and risk, and is fully documented and demonstratable.

Do I need a specialist?
Those businesses either processing data on a large scale or as a systematic course of their activity are required to appoint a Data Protection Officer (DPO). The DPO is responsible for compliance and liaison with the local Supervisory Authority (SA) (also known as the Data Protection Authority (DPA).