Nine top GDPR tips for email marketing strategies

It's not all doom and gloom - here's how you can make GDPR work for you

Email surveillance

It's been more than a year since GDPR came into force, but there are still a large number of questions and concerns about implementation. The legislation has fundamentally changed how companies use email as a marketing tool, with more than three-quarters of marketers in the US and Europe having said that GDPR has affected how they use third-party data to target people.

Advertisement - Article continues below

Although the hype around GDPR may have died down, there have still been almost 100 GDPR-related fines handed out across Europe, from around 60,000 complaints received by the European Commission. It's therefore still vitally important that businesses follow best-practice around marketing to data, especially when it comes to emails.

In fact, email marketing and promotional emails have been the second-largest cause of complaints to data protection authorities across Europe since GDPR was implemented in May 2018.

The main source of concern for marketers is the issue of consent. Under GDPR, companies are legally required to ensure that they have a good reason for holding onto and using an individual's data - something that's referred to as a legitimate interest'. This can be for reasons such as fraud prevention or the fulfillment of a legal contract, but the data processing has to be necessary to the act of achieving that purpose, and it has to be an interest that is not overridden by the interests of the individual whose data you're processing.

Advertisement - Article continues below
Advertisement - Article continues below

Marketers are free to contact people under the basis of legitimate interest' in a number of situations, such as if they have an existing business relationship with the person in question (not just the company they work for). However, the most relevant legitimate interest for marketers is that the individual in question has given their explicit and informed content.

It's the 'explicit and informed' part that has proved the most worrisome for many marketers. Many companies have traditionally relied on tiny and obscure check-boxes that are ticked by default in order to obtain 'consent' from customers to be placed on newsletter lists, but under GDPR, companies must explain in clear, concise language exactly why customers' data is being gathered and how it will be used.

Many marketing departments are concerned that, if customers are given the choice about whether or not they want to be sent newsletters and other forms of marketing materials, they will refuse it. However, Skip Fidura, Chair of the Responsible Marketing Committee at the Digital Marketing Association, believes that GDPR actually offers an opportunity for marketers to use GDPR to their advantage.

Advertisement - Article continues below

We spoke to him to find out some of his top tips for email marketers who want to survive GDPR.

1) Don't panic!

The biggest thing that digital marketers need to remember, Fidura says, is that GDPR is not the apocalyptic cataclysm that many are making it out to be. If marketers have been doing their jobs properly, he argues, the laws should have a minimal impact on how marketers do business.

"There's really nothing in the GDPR that email marketers haven't been talking about and doing as best practice for years. Being open, honest and transparent when it comes to getting consent - you can use the GDPR language, but it all boils down to being open, honest and transparent," Fidura explains. 

2) Don't re-permission your lists, refine them

A common response to GDPR from many marketing departments has been to try and re-obtain consent from their entire marketing list for life-long messaging, but according to Fidura, this is an unnecessary effort. "The myth when GDPR first came out," he notes, "was that consent is the only way we can market and therefore, because I don't have GDPR-level consent, I have to go get GDPR-level consent."

Advertisement - Article continues below
Advertisement - Article continues below

In reality, he continues, what brands have done is to take a step back and examine their data, working out how much of their lists they can continue to market to under GDPR's 'legitimate interests' provisos, which customers they need to approach to ask for new permissions, and which customers should be culled from their lists entirely.

3) Follow best practice

This dovetails neatly with another of Fidura's top tips, which is to make a point of following best practice - i.e. reducing email lists when some recipients haven't engaged for a defined period of time - no matter how unpalatable it may seem.

"[Marketers] know they should be culling people off lists, but when you go to the finance people and say 'I've just cut 25% off our email list', the finance people go 'what are you, crazy?'," he says. "So actually, I think in some cases, marketers have been able to use GDPR to do what they know they should have been doing all along."

4) Audit your data regularly

Of course, you can't cut dead weight from your email lists if you don't know that it's there. Fidura advises that companies conduct regular audits of their data stores to ensure that they know exactly what state their lists are in.

Advertisement - Article continues below

"The problem with data is data has a shelf-life, and just like a piece of fish that's gone off, if you let it sit too long, it's gonna stink," he states. Companies need to be aware of how long data is going to be relevant for when they collect it, and should regularly audit it based on the inflow of data and how many people are accessing and modifying it.

5) Don't forget about ongoing compliance

Many organisations went into a mad scramble to get ready for GDPR last year, but that doesn't mean that the work to get compliant is done. As Fidura points out, GDPR is far from a one-time deal. While initially complying with the regulations is important, ensuring that you continue to uphold those standards is actually more critical in the long run. The further we get from May 2018, the more relaxed companies are going to get, and it won't be long before "they're going to buy some new system and forget that they've got to now plug that into their GDPR compliance". 

Advertisement - Article continues below
Advertisement - Article continues below

"What they need to think about going forwards is, they need to remember the steps they went through to get to their GDPR compliance; the data audit that they did," Fidura says. "Every time they bring a new channel, tool or system online, they need to think about what the potential impact of that is to the consumer. If necessary, they need to do a privacy impact assessment and they need to document all that stuff, because [GDPR implementation] is not the end; it's the end of beginning. GDPR doesn't go away."

6) Build customer trust

GDPR might be scary for marketers, but in reality it offers companies an opportunity to build a deeper, more trusting relationship with their customers. According to research by the Digital Marketing Association, 62% of consumers are more willing to share their data if they have GDPR explained to them, and more than 85% want greater control and transparency regarding how their data is used and collected.

Advertisement - Article continues below

"We know that consumers get to be more comfortable about giving up data when they know how the data's going to be used; that's just human nature," Fidura says. "I think the opportunity for all marketers is to start talking about GDPR, start telling people about what's in the GDPR, what their rights are, how the business is implementing that, so that they start to rebuild trust. And then, of course, they have to live up to that."

7) Be honest about what data you need

It's not just customers that marketers need to be honest with around GDPR; according to Fidura, they also have to be honest with themselves. As part of the data audits mentioned above, marketing professionals need to take a step back and examine what data they absolutely need to have, and what data they're gathering for the sake of it.

"The example I always use is this: we have DotMailer-branded socks. In theory, to know how many socks to buy, we should ask people their shoe size. As an email marketing company, do we really have a need for their shoe size?", Fidura notes. "No - because we're probably going to buy a bunch of large, a bunch of mediums and a bunch of smalls anyway."

8) Be accountable

One of the fundamental tenets of GDPR is making companies accountable to the people whose data they hold, but Fidura says that this is a standard which companies should be holding themselves to regardless, in the service of rebuilding customer trust.

Advertisement - Article continues below

"Whatever you do, if something goes wrong and you violate that trust, be accountable for it. Hold up your hand and say 'you know what, we screwed up'," he says. "Too often, corporations don't want to say anything until they know all the facts, but by then, they've lost the story."

9) Don't let lawyers write your privacy policies

For marketers, GDPR isn't simply about getting customers to check a box indicating that they're happy to receive your emails; one of the stipulations is that you must give them a specific set of details about how you're using that information. Similar to the oft-ignored terms and conditions agreements for software, this is often represented by a wall of dense legal text, but it doesn't have to be.

"Don't let your lawyer or compliance team write your privacy policy," advises DMA managing director Rachel Aldighieri. "Work with them and the creative teams and your communications teams to write that." She says that privacy policies can be engaging and attractive when done well, citing examples from EasyJet, the BBC and more.

This article was originally published in May 2018, and has since been updated to include additional figures.



data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020

UK government may trace COVID-19 patients using mobile phone data

20 Mar 2020
General Data Protection Regulation (GDPR)

Irish data regulator racks up GDPR cases against Big Tech

24 Feb 2020

Most Popular

Mobile Phones

Microsoft patents a mobile device with a third screen

6 Apr 2020
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
video conferencing

Zoom CEO admits company "moved too fast" as privacy issues mount

6 Apr 2020