By Tosin Yussuf

The countdown has begun: May 25 is looming, and businesses all over the EU and elsewhere are scrambling to be compliant with GDPR. For small businesses, the ramifications can be quite damaging, as the cost of advice hurts that little bit more. Email marketing is a key function of most, if not all, small businesses, be it in the form of newsletters or larger-scale campaigns, so understanding the effect of this new regulation on this most essential of business functions is extremely important.

So what is GDPR?

The General Data Protection Regulation (GDPR) will affect businesses of all sizes by changing the way in which data on EU citizens is collected and used. In the case of email marketing, this would refer to email addresses, names and any other details held in your email database.

Email marketing depends on the gathering of data and use of it in order to build an email database.

The GDPR requires that parties collecting data be responsible for and demonstrate compliance with six data requirements. The most relevant of them to email marketing are:

  • Individuals' data should be collected for specified, explicit and legitimate purposes and not further processed in a way that is incompatible with those purposes.
  • Data is kept in a form that permits identification of data subjects only for as long as is necessary for the purposes for which it has been collected.
  • Individuals' data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

What does this mean for email marketing?

When collecting email addresses for your email marketing campaigns, it’s important to get explicit consent to all activities that will be carried out with the data. Allowing users to opt into the newsletter and any marketing emails is the bare minimum, but if you go on to change the uses of these email addresses for different types of emails, this will need their consent also.

You will need to ensure the security of wherever you store data. Many small businesses can be especially lax with this, leaving client information in spreadsheets and files that aren't very secure. Going forward, this would be a breach of GDPR, so more effort needs to be put into storing data on secure services, where it will not be vulnerable to hacking, loss or damage, or to accidentally being used for the wrong purposes, as you will be liable for all of this.

How do I make my existing database GDPR-compliant?

Your existing email database can be made compliant with an audit of your current processes. Ensure you are aware of how users have given consent and what they gave consent to.

If you are unable to distinguish who has and has not given consent to their data being collected, you have two clear options for avoiding the potential 20 million euro fine:

  1. Delete all of your contacts and start again; the cost of this will be tiny compared to the fine. 
  2. Reach out to all members of this database in order to get updated consent that complies with the rules set out above.

Anything else to consider?

Review your encryption and protection policies, and those of the services you use to store data. Where possible, make use of pseudonymisation of the data so that no identifiable information is readily accessible.

In compliance with GDPR, stick to the correct uses of data; if you wish to use people’s data for other purposes, gain their consent. This is an activity that is ongoing and will involve both your existing data and any newly gathered data.

GDPR can initially seem quite daunting. However, with some minor tweaks to your current practices, it's simple to become compliant. This is an instance where being a small business is quite beneficial, because you're able to be more reactive and these changes will not take as long as they would for much larger businesses. Contrary to what some will have you believe, GDPR will not be the end or death of email marketing. It will take some time to get used to, but will eventually be nothing more than a blip on the radar.