Everything Retailers Need to Know About GDPR & Email Marketing

In this blog, we’ve outlined the key considerations for GDPR compliance for retailers using email marketing. It's not an exhaustive guide, but a starting point for those yet to tackle GDPR. Be sure to speak to a legal specialist before implementing anything.

Why is GDPR important?

Currently, there are significantly differing spam regulations in the European Union (EU), which vary greatly from country to country under the Directive on Privacy and Electronic Communication (or the EU E-Privacy Directive). This directive outlines overall goals and each member state can translate these goals into local law. However, the result has been differing email laws for each of the EU member states.

With the EU’s new privacy law, the goal is to bring order to the regulations across the EU. This regulation will be enforceable as law in all EU member states on May 25, 2018.

So what does GDPR mean for your retail brand?

GDPR will affect every company that uses personal data for EU citizens. If your business is collecting email addresses and sending emails to EU subscribers, then you will have to comply to GDPR (regardless of where your business is based).

According to Stewart Room, leader of cybersecurity and data protection at Pricewaterhousecoopers (PwC), “This will impact every entity that holds or uses European personal data both inside and outside of Europe (ComputerWeekly.com).

Take a look the this handy checklist from Lepide:

Stricter regulations for collecting consent

The way subscribers and customers are “opting in” to marketing messages is changing and GDPR hopes to tackle sneaky tactics where people didn’t know they were opting in or out. One way to prepare for GDPR is by reviewing your current consent process. 

Here’s an overview of GDPR standards for consent:

• Unbundled: Consent requests need to be seperate from other terms and conditions and should not be a precondition of a service sign up.
• Named: You should name your organisation or any third parties who require consent.
• Active opt-in: Any pre-ticked opt-in boxes are invalid and you must offer customers unticked opt-in boxes or similar.
• Granular: Provide granular options to consent separately to different types of processing where applicable.
• Easy to withdraw: Give customers the option to withdraw their consent at any time and also make it clear how they can do this.
• Documented: Your business must keep records to demonstrate what the individual has consented to. This includes what they were told, when, and how they consented.
• No imbalance in the relationship: If there is an imbalance in the relationship between the individual and controller then consent will not be given.

New requirements for consent record keeping

Under GDPR legislation, your business must keep clear records of consent taken. These records should include details of each individual, what they consented to, when they gave consent and the information they were given at the time. 

If someone withdraws consent, then you should have this documented as well. All consent documentation and records should be kept separate from other company documents.

To achieve compliance you must adopt new practices

Your brand should take both technical and organisational measures to ensure that data protection is a part of any procedure involving personal data.

Take the following steps for best practice:

• Review current policies and procedures and make sure that only necessary data is being collected and that it is only processed to the extent necessary
• Make sure the data you are collecting is being stored securely
• Make sure access to the data is limited
• If the data is no longer needed then it should be destroyed.

There will be penalties if you don’t play by the rules

Businesses could face penalties of up to €20 million or 4% of group worldwide turnover. According to the ICO, they will not be specifically targeting small businesses but there will still be an increased risk, due to individuals having a greater ability to bring private claims against organisations or breach of the regulations.

There is particularly a risk here for small businesses that may not have the resources to carry out the new processes of this legislation.

Prepare for GDPR legislation with a positive approach

If you’re not already in the process of anticipating GDPR legislation, there’s no better time than the present to start preparing for the arrival. The best way to do this is to demonstrate ‘privacy by design’, where you store customer data in a pseudo-anonymised way and build protection directly into processes and policies. 

Take a pro-active and positive approach to GDPR and see it as an opportunity to improve your email marketing process and, in turn, create better and more relevant brand experiences for subscribers.

Here are some other useful resources on preparing for GDPR compliance:

• GDPR - What email marketers need to know
• GDPR: Six examples of privacy notice UX that may need improvement
• GDPR in ecommerce: opportunity or pain in the £$$?

And finally, remember that this blog is just an introduction. It's not legal advice and you should speak to a legal expert when tackling GDPR.