A new data protection law, the General Data Protection Regulation (GDPR), is due to come into force in May 2018. The regulations cover many aspects of the handling of personal data and the systems that keep it secure. However, this post covers how the GDPR affects existing email marketing lists and what extra measures you might need to take. If you are in any doubt, you should seek professional legal advice.
The new Data Protection law GDPR
The new data protection law, the GDPR, affects email marketing, existing lists, and how consent is proved or assumed.
The GDPR uses roughly the same concepts of ‘controllers’ and ‘processors’ as the current Data Protection Act legislation: the controller says how and why personal data is processed and the processor acts on the controller’s behalf.
If you are a processor, the GDPR places specific legal obligations on you. For example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
However, if you are a controller, you still have obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
For the Information Commissioner’s official overview of the GDPR, see https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
How does the GDPR affect existing email marketing lists?
The GDPR requires provable consent for someone to be on a mailing list. This requirement is OK for new subscribers but might not be practical for existing email marketing lists. The original consent might not have been kept and is therefore not provable.
There are a number of scenarios where you could legally store and use data:
Current customers – Demonstrate the “existing customer relationship”.
Email subscribers with provable consent – have the records that demonstrate that consent.
Active email recipients without provable consent – If the email programme can be considered a service, ongoing recipient email engagement (opens and clicks) may be sufficient to show an “existing customer relationship” with your email programme. You will need to be in a position to demonstrate how your email programme is a valuable service in its own right. This should take into account the value and utility of the emails and the cost, damage or detriment suffered if those emails were to cease.
Lapsed customers – No legal basis for storing the data without any consent, customer relationship, or ongoing email activity: delete unnecessary details and roll up into reporting data.
Inactive email subscribers – No legal basis for storing the data without any recent consent, customer relationship, or ongoing email activity: delete unnecessary details and roll up into reporting data.
This is our first stab at gathering some advice on this issue. Let us know what you think about how the new GDPR affects existing email marketing lists.
If in any doubt, seek professional legal advice.