Nine top GDPR tips for email marketing strategies

It's not all doom and gloom - here's how you can make GDPR work for you

Email surveillance

It's been more than a year since GDPR came into force, but there are still a large number of questions and concerns about implementation. The legislation has fundamentally changed how companies use email as a marketing tool, with more than three-quarters of marketers in the US and Europe having said that GDPR has affected how they use third-party data to target people.

Although the hype around GDPR may have died down, there have still been almost 100 GDPR-related fines handed out across Europe, from around 60,000 complaints received by the European Commission. It's therefore still vitally important that businesses follow best-practice around marketing to data, especially when it comes to emails.

In fact, email marketing and promotional emails have been the second-largest cause of complaints to data protection authorities across Europe since GDPR was implemented in May 2018.

The main source of concern for marketers is the issue of consent. Under GDPR, companies are legally required to ensure that they have a good reason for holding onto and using an individual's data - something that's referred to as a legitimate interest'. This can be for reasons such as fraud prevention or the fulfillment of a legal contract, but the data processing has to be necessary to the act of achieving that purpose, and it has to be an interest that is not overridden by the interests of the individual whose data you're processing.

Advertisement - Article continues below
Advertisement - Article continues below

Marketers are free to contact people under the basis of legitimate interest' in a number of situations, such as if they have an existing business relationship with the person in question (not just the company they work for). However, the most relevant legitimate interest for marketers is that the individual in question has given their explicit and informed content.

It's the 'explicit and informed' part that has proved the most worrisome for many marketers. Many companies have traditionally relied on tiny and obscure check-boxes that are ticked by default in order to obtain 'consent' from customers to be placed on newsletter lists, but under GDPR, companies must explain in clear, concise language exactly why customers' data is being gathered and how it will be used.

Many marketing departments are concerned that, if customers are given the choice about whether or not they want to be sent newsletters and other forms of marketing materials, they will refuse it. However, Skip Fidura, Chair of the Responsible Marketing Committee at the Digital Marketing Association, believes that GDPR actually offers an opportunity for marketers to use GDPR to their advantage.

We spoke to him to find out some of his top tips for email marketers who want to survive GDPR.

1) Don't panic!

The biggest thing that digital marketers need to remember, Fidura says, is that GDPR is not the apocalyptic cataclysm that many are making it out to be. If marketers have been doing their jobs properly, he argues, the laws should have a minimal impact on how marketers do business.

"There's really nothing in the GDPR that email marketers haven't been talking about and doing as best practice for years. Being open, honest and transparent when it comes to getting consent - you can use the GDPR language, but it all boils down to being open, honest and transparent," Fidura explains. 

2) Don't re-permission your lists, refine them

A common response to GDPR from many marketing departments has been to try and re-obtain consent from their entire marketing list for life-long messaging, but according to Fidura, this is an unnecessary effort. "The myth when GDPR first came out," he notes, "was that consent is the only way we can market and therefore, because I don't have GDPR-level consent, I have to go get GDPR-level consent."

In reality, he continues, what brands have done is to take a step back and examine their data, working out how much of their lists they can continue to market to under GDPR's 'legitimate interests' provisos, which customers they need to approach to ask for new permissions, and which customers should be culled from their lists entirely.

3) Follow best practice

This dovetails neatly with another of Fidura's top tips, which is to make a point of following best practice - i.e. reducing email lists when some recipients haven't engaged for a defined period of time - no matter how unpalatable it may seem.

"[Marketers] know they should be culling people off lists, but when you go to the finance people and say 'I've just cut 25% off our email list', the finance people go 'what are you, crazy?'," he says. "So actually, I think in some cases, marketers have been able to use GDPR to do what they know they should have been doing all along."

4) Audit your data regularly

Of course, you can't cut dead weight from your email lists if you don't know that it's there. Fidura advises that companies conduct regular audits of their data stores to ensure that they know exactly what state their lists are in.

Advertisement - Article continues below

"The problem with data is data has a shelf-life, and just like a piece of fish that's gone off, if you let it sit too long, it's gonna stink," he states. Companies need to be aware of how long data is going to be relevant for when they collect it, and should regularly audit it based on the inflow of data and how many people are accessing and modifying it.

5) Don't forget about ongoing compliance

Many organisations went into a mad scramble to get ready for GDPR last year, but that doesn't mean that the work to get compliant is done. As Fidura points out, GDPR is far from a one-time deal. While initially complying with the regulations is important, ensuring that you continue to uphold those standards is actually more critical in the long run. The further we get from May 2018, the more relaxed companies are going to get, and it won't be long before "they're going to buy some new system and forget that they've got to now plug that into their GDPR compliance". 

"What they need to think about going forwards is, they need to remember the steps they went through to get to their GDPR compliance; the data audit that they did," Fidura says. "Every time they bring a new channel, tool or system online, they need to think about what the potential impact of that is to the consumer. If necessary, they need to do a privacy impact assessment and they need to document all that stuff, because [GDPR implementation] is not the end; it's the end of beginning. GDPR doesn't go away."

6) Build customer trust

GDPR might be scary for marketers, but in reality it offers companies an opportunity to build a deeper, more trusting relationship with their customers. According to research by the Digital Marketing Association, 62% of consumers are more willing to share their data if they have GDPR explained to them, and more than 85% want greater control and transparency regarding how their data is used and collected.

"We know that consumers get to be more comfortable about giving up data when they know how the data's going to be used; that's just human nature," Fidura says. "I think the opportunity for all marketers is to start talking about GDPR, start telling people about what's in the GDPR, what their rights are, how the business is implementing that, so that they start to rebuild trust. And then, of course, they have to live up to that."

7) Be honest about what data you need

It's not just customers that marketers need to be honest with around GDPR; according to Fidura, they also have to be honest with themselves. As part of the data audits mentioned above, marketing professionals need to take a step back and examine what data they absolutely need to have, and what data they're gathering for the sake of it.

"The example I always use is this: we have DotMailer-branded socks. In theory, to know how many socks to buy, we should ask people their shoe size. As an email marketing company, do we really have a need for their shoe size?", Fidura notes. "No - because we're probably going to buy a bunch of large, a bunch of mediums and a bunch of smalls anyway."

8) Be accountable

One of the fundamental tenets of GDPR is making companies accountable to the people whose data they hold, but Fidura says that this is a standard which companies should be holding themselves to regardless, in the service of rebuilding customer trust.

"Whatever you do, if something goes wrong and you violate that trust, be accountable for it. Hold up your hand and say 'you know what, we screwed up'," he says. "Too often, corporations don't want to say anything until they know all the facts, but by then, they've lost the story."

9) Don't let lawyers write your privacy policies

For marketers, GDPR isn't simply about getting customers to check a box indicating that they're happy to receive your emails; one of the stipulations is that you must give them a specific set of details about how you're using that information. Similar to the oft-ignored terms and conditions agreements for software, this is often represented by a wall of dense legal text, but it doesn't have to be.

Advertisement - Article continues below

"Don't let your lawyer or compliance team write your privacy policy," advises DMA managing director Rachel Aldighieri. "Work with them and the creative teams and your communications teams to write that." She says that privacy policies can be engaging and attractive when done well, citing examples from EasyJet, the BBC and more.

This article was originally published in May 2018, and has since been updated to include additional figures.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now


data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019

Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019

Most Popular

data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020