Why it’s crucial to ensure email marketing is GDPR compliant
GDPREU with expert advice on email marketing and compliance, including what it means for data collation, erasure, processing and how it relates to marketing
While email marketing may not be the first thing that springs to mind when planning for GDPR compliance, it’s essential that you cover all forms of digital marketing.
Since its launch in May 2018, the GDPR has required every organisation to protect personal data in all forms. Furthermore, the regulations affect the rules of consent and boost people’s rights to privacy.
In this blog post we’re going to have a look at what GDPR compliance means for email marketing campaigns and sending emails in general.
Email marketing is ubiquitous and has been for a long time. However, the number of emails sent every day may surprise you.
The number is rising each year, and figures from Statista show that 306.4 billion emails were sent and received every single day throughout 2020.
It’s predicted that by 2025 there will be around 376.4 billion emails sent and received round the world each day. That’s a lot of emails, and an awful lot of personal data to protect.
An office worker receives, on average, 121 emails every day, with only around 40 of these being direct communications about a work matter.
The rest are a mix of spam and email marketing campaigns sent to boost customer interest and set up future campaigns.
Email marketing is the primary marketing strategy for 89% of marketers. This is despite the fact that email marketing is frequently bashed, even though it remains one of the best marketing channels.
At least 86% of professional workers say that they give priority to email connections, which suggests that marketing emails are at least sometimes welcome.
And, from the other side, just under a third of marketers say that email campaigns are the most effective part of their digital marketing – 29% rate email marketing first, followed by 25% for a decent content marketing strategy and 22% for SEO.
A whopping 93% of B2B marketers use email marketing to distribute content – choosing it over social media and other online business strategies.
The best email marketing strategies result, of course, in high click through rate and a good response rate.
Just under three-quarters of customers say that they prefer email to communicate with, and hear from, businesses.
And for the business, there are plenty of statistics to show that email marketing, in general, offers a decent ROI.
For example, recent US-based stats show that the ROI for email marketing stands at 4200% (i.e., the marketer makes $42 for every $1 spent on the email marketing strategy).
We know that around 21% of communications sent via an email marketing campaign are opened within the first hour after they’ve been delivered.
An email marketing campaign is also more likely to result in a conversion compared with social media platforms such as Twitter and Facebook.
And from the marketers themselves, it’s clear that email is considered one of the most effective marketing tools at their disposal. About 40% of B2B marketers specifically cite newsletters, with an attention-grabbing email subject line as the most important part of their general email marketing service.
The performance of the first email marketing campaign – and of each effective campaign after it – then informs the rest of the strategy.
A successful email campaign evades spam filters, gets new subscribers, avoids sending unsolicited emails and ensures that only targeted emails are sent.
After all, it’s in the marketer’s interest to ensure high click through rates resulting from their promotional messages.
Email campaigns will always be a popular way for organisations to email clients, send transactional emails, communicate with other small business owners and reach existing customers.
And whether they conduct their own social media marketing campaign to win over new customers or concentrate their email marketing efforts on getting repeat customers, if they are based in the EU or UK then a form of GDPR applies to them.
Everyone’s email inbox is crammed full of other people’s contact details, email addresses and all kinds of personal data.
Email marketers must ensure that their marketing campaign, whether it’s a simple call to action or a personalized email marketing piece for a target audience, complies with GDPR.
And while email marketing teams may prefer to focus on effective email marketing campaigns, under modern email marketing regulations there are a lot of best practices to be aware of.
Any organisation, including charities, companies, retailers and micro-businesses among others, that deals with personal information relating to residents or citizens of the European Union must comply with GDPR.
This also means that organisations that are not based in the EU but deal with email subscribers or customers within member states must comply as well.
In the simplest terms, every organisation must keep people’s data secure and make it accessible to the owner. The regulations are concerned with protecting the owner of personal data and ensuring that they retain full control.
Organisations that don’t properly comply with GDPR may find themselves dealing with fines of up to 4% of their global revenue or €20 million, whichever is higher. They may also end up being liable for damages.
The GDPR requires “data protection by design and default”. This means that organisations have to always include data protection for any new or existing services or products.
GDPR Article 5 goes into detail regarding all the data protection rules you must stick to. These include adopting the necessary technical measures to ensure data is secure.
The technical measures meant here include pseudonymisation and encryption. Under the law, these measures should be used in order to minimise the damage that could be caused by a data breach.
For an email marketing platform or marketer, encryption is the best option. The tech has evolved so much that today, this is an accessible and simple option. A secure, cloud-based email provider and appropriate internet service providers should be utilised.
However, it’s up to each individual organization to develop the most appropriate data security for them. And so, encryption isn’t mandatory.
Think about how many emails you have in your inbox. Most people rarely – if ever – take the time to delete emails that have built up.
Many people may feel they need them to refer to in future and have reasons for retaining the data in them.
However, data erasure is an important piece of the GDPR, which clearly states that personal data can only be stored for “no longer than is necessary for the purposes for which the personal data are processed.”
In other words, if you hang on to personal data collated using an email marketing tool, even if you originally had the consent of the person, that consent no longer covers the data once the original purpose is complete.
Data erasure is one of the personal rights famously protected by Article 17 – the ‘right to be forgotten’. The data subject is the one with the rights over their data and can demand that it be erased, and that request must be acted on without “undue delay”.
When you send your own email marketing campaigns, you will automatically hold lots of people’s data. And, if you habitually keep emails in your inboxes for whatever reason, this also contributes to the sheer amount of data you have.
Should there be any kind of data breach, the more personal data you and your organisation have retained, the more likely you are to be liable under GDPR.
And, since May 2018, the erasure of personal data has been the law. Every organisation should ensure that its email retention policy is regularly reviewed with the aim of vastly reducing – if not eliminating – the personal data held in employees’ email inboxes.
This policy must be in place to comply with GDPR. And, in practical terms, just as you can organise marketing automation, you can also make sure that email deliverability and erasure are automated too.
Email marketing software, or the email service provider itself, often includes email expiration features that delete emails automatically after a set period of time.
Managing the difference between spam and a marketing plan that leads to business success is important.
Under GDPR, organisations can only use people’s data on one of six lawful bases. Article 6 explains the six lawful bases upon which you can collect, store and use other people’s data.
The first of these lawful bases is consent, and this is essential to understand before you follow any email marketing tips.
Consent regarding email marketing must be, as per GDPR, “freely given, specific, informed and unambiguous”.
This means that the data subject must easily and instantly be able to understand what data of theirs you hold and what you are planning to do with it.
Furthermore, requests for consent must be made in “clear and plain language” and be “clearly distinguishable from other matters.” On websites, this generally takes the form of a pop-up that the user must click before accessing the information.
Documentary evidence of the consent given must also be retained.
Article 13 of the ePrivacy directive gives organisations another way to utilise an email campaign based on customer data.
It states that, following the sale of a service or product, the organisation “may use these electronic contact details for direct marketing of its own similar products or services…”
This is only allowed if the “customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner.”
In simple terms, this means that as an organisation you can lawfully send out marketing emails for the service you provide as long as the receiver understands they can opt out of receiving them at any time.
There must be a clearly signposted unsubscribe link on every single communication, whether it’s directed at mobile devices or as part of email templates.
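The retention, consent-evidence and opt-out requirements described above (storing data no longer than necessary, keeping documentary evidence of consent, and honouring unsubscribe and erasure requests) can be enforced in the marketing system itself rather than left to manual review. The following is an added example, not code from the original post or from any particular email marketing product: a small consent ledger that records each affirmative opt-in with its purpose and source, checks that a send is covered by live consent for that exact purpose, withdraws or erases on request, and runs a retention purge. The two-year retention period, the pseudonymisation key and all subscriber records are constructed assumptions for illustration; the audit trail keeps only a keyed hash of each address, so evidence of consent survives erasure without the plain email address doing so.

```python
"""Added example (not from the original post): a consent ledger for an email
marketing list that keeps evidence of opt-in, enforces a retention period and
honours unsubscribe and erasure requests. All values are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed policy values (not from the post): consent older than this is purged,
# and audit entries carry a keyed hash of the address instead of the address.
RETENTION = timedelta(days=730)
PSEUDONYM_KEY = b"constructed-demo-key-rotate-in-production"


def pseudonymise(email: str) -> str:
    """Keyed hash of the normalised address so audit entries hold no plain email."""
    return hmac.new(PSEUDONYM_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()


@dataclass
class Subscriber:
    email: str
    purpose: str               # what the subject consented to, e.g. "newsletter"
    consented_at: datetime     # timestamp of the affirmative opt-in (evidence)
    source: str                # where consent was captured, e.g. a form id
    withdrawn_at: Optional[datetime] = None


@dataclass
class ConsentLedger:
    subscribers: Dict[str, Subscriber] = field(default_factory=dict)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)  # (when, pseudonym, event)

    def _log(self, email: str, event: str, when: datetime) -> None:
        self.audit.append((when.isoformat(), pseudonymise(email), event))

    def opt_in(self, email: str, purpose: str, source: str, when: datetime) -> None:
        """Record an affirmative opt-in; silence or a pre-ticked box never reaches here."""
        key = email.strip().lower()
        self.subscribers[key] = Subscriber(key, purpose, when, source)
        self._log(key, f"opt-in:{purpose}@{source}", when)

    def unsubscribe(self, email: str, when: datetime) -> bool:
        """Withdrawal of consent: the record stays (as evidence) but sends stop."""
        sub = self.subscribers.get(email.strip().lower())
        if sub is None:
            return False
        sub.withdrawn_at = when
        self._log(sub.email, "withdrawn", when)
        return True

    def erase(self, email: str, when: datetime) -> bool:
        """Right to erasure: drop the personal data, keep only the pseudonymised audit entry."""
        key = email.strip().lower()
        if key not in self.subscribers:
            return False
        del self.subscribers[key]
        self._log(key, "erased", when)
        return True

    def may_send(self, email: str, purpose: str, now: datetime) -> bool:
        """A send is allowed only with live, unexpired consent for this exact purpose."""
        sub = self.subscribers.get(email.strip().lower())
        if sub is None or sub.withdrawn_at is not None or sub.purpose != purpose:
            return False
        return now - sub.consented_at <= RETENTION

    def purge_expired(self, now: datetime) -> int:
        """Retention job: erase withdrawn records and any consent older than RETENTION."""
        expired = [k for k, s in self.subscribers.items()
                   if s.withdrawn_at is not None or now - s.consented_at > RETENTION]
        for key in expired:
            self.erase(key, now)
        return len(expired)


def demo() -> dict:
    """Lifecycle walk-through on constructed sample data; returns the decisions taken."""
    ledger = ConsentLedger()
    t0 = datetime(2021, 1, 10, tzinfo=timezone.utc)
    ledger.opt_in("Alice@Example.com", "newsletter", "signup-form-v2", t0)
    ledger.opt_in("bob@example.com", "newsletter", "signup-form-v2", t0 - timedelta(days=800))
    ledger.opt_in("carol@example.com", "product-updates", "checkout", t0)
    now = t0 + timedelta(days=30)
    results = {
        "alice_newsletter": ledger.may_send("alice@example.com", "newsletter", now),
        "carol_newsletter": ledger.may_send("carol@example.com", "newsletter", now),  # other purpose
        "bob_newsletter": ledger.may_send("bob@example.com", "newsletter", now),      # consent too old
    }
    ledger.unsubscribe("alice@example.com", now)
    results["alice_after_unsubscribe"] = ledger.may_send("alice@example.com", "newsletter", now)
    results["purged"] = ledger.purge_expired(now)
    results["remaining"] = sorted(ledger.subscribers)
    results["plain_email_in_audit"] = any("example.com" in entry[1] for entry in ledger.audit)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The purpose check in `may_send` is what stops a subscriber who consented to product updates from receiving a newsletter, which is the third way a marketing email can fall foul of the regulation; the retention purge is the automated counterpart of the inbox expiration features mentioned earlier.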
Before GDPR came in, organisations would have received plenty of emails with subject lines saying that it would be the “end of email marketing” or, perhaps more popularly, the “end of spam”.
GDPR has been in place for four years now, and we can see that a subject line like this was no more than scaremongering over the prospect of changes to data privacy laws.
In reality, of course, spam has always been against the law or at least against the email provider’s terms and regulations.
It’s highly unlikely that your spam folder received nothing further after 25 May 2018, when GDPR was brought in!
And we can also see that GDPR has not ended or banned email marketing.
GDPR is not about making it more difficult to reach customers, nor is it about pointless regulatory constraints.
Rather, GDPR underscores the importance of personal data and how much responsibility organisations have in protecting it.
These regulations came at just the right time to reflect the ever-increasing mass usage of personal data.
Creating an email marketing campaign is increasingly simple for organisations. There is plenty of software available offering the drag and drop editor tools necessary to create professional content, whether directed to a mobile device or a desktop user.
It’s only reasonable that it’s just as simple for the data subject to give their consent for the use of their data, and to have the option to always withdraw it.
To fully comply with GDPR for email marketing, consent must be obtained. This must be in the form of an affirmative opt-in, and this must be obtained before any content is emailed out.
Furthermore, it must be easy for the data subject to choose to opt out at any time.
A marketing email violates the GDPR only if it fails to provide a way to unsubscribe, is sent to someone who has not consented, or concerns a subject unrelated to the one for which consent was obtained.