The GDPR Checklist for Email Marketers: 10 Critical Points

As we head towards the deadline for GDPR compliance, it's time (if you haven't already) to start planning your approach to aligning marketing processes with new data rules outlined by The General Data Protection Regulation (GDPR).

Our handy GDPR checklist for marketers explores 10 key things to consider when preparing for GDPR compliance:

1. Data collection

The GDPR aims to give more clarity and control to users, when brands ask for their personal data in exchange for taking an action on a website or via a marketing channel.

Marketers must make sure that web pages, forms or calls to action contain information that clearly outlines why data is being collected and who will have access to the data. Implement a system that tracks user data and opt-in preferences (perhaps via your CRM), so that data is processed in the right way.

2. Data processing

Data processing is where many businesses have (consciously or unconsciously) got into murky waters. Marketers may display data privacy and usage terms as a matter of process, without really having control over the data.

Can you say for sure that you know that all the data you use for marketing purposes has be collected legitimately or processed according to your current terms of consent? This uncertainty is what GDPR seeks to clear up.

3. Marketing consent

You need consent from users to send them marketing messages and you must be transparent with information on consent. Opt-in by default is a no-no, so no more pre-checked boxes! Plus, you need to unbundle your marketing consent opt-in details.

There are exceptions, which come under "legitimate interests". This applies more to B2B direct marketing, where a legitimate interest to contact users is deemed valid.

Legitimate interests is one of the areas of The GDPR's "lawful basis of processing". Consider the following three things, outlined by the ICO:

• Identify a legitimate interest in making contact with a user
• Show that processing the data is necessary to achieve this interest
• Balance it against the individual’s interests, rights and freedoms

Find out more in the ICO's guide to GDPR, legitimate interests section. 

4. Cookies

Cookies are often forgotten when thinking about GDPR. Most websites have cookie notifications and pop-ups when users arrive on them. You may already have this in place, but before the GDPR compliance deadline you'll need to have a consent button which users can click to accept cookies. Only when accepted cookies should they be enabled in the user's browser.

5. Third-parties

From ESPs and CRMs, to tools and tech that help you optimise your marketing activities, third-party relationships and integrations are commonplace. And they have access your user data.

Even if you align your own processes and information with GDPR guidelines, it doesn't mean your third-parties have done the same. Check that they're GDPR compliant and take responsibility for the way they use your data.

Need any further incentive? Look no further than the Cambridge Analytica fiasco with Facebook...

6. Clear an easy opt-out and access

In giving users more control over how their personal data is used, marketers must give users a clear route to opting out of marketing messages or updating their preferences. 

Under GDPR rules, individuals have the right to:

• Access their data storage/processing details
• Modify their preferences
• Be forgotten (or the right to erasure)

A request to erase data is not the same as unsubscribing. See the ICO's checklist below for requests for erasure:

7. Https as mandatory

Have your moved your website over to https? You may have received prompts in your search console or been advised about switching to https to ensure your site is secure, to avoid being penalised by search engines or putting user data at risk. Whilst it currently represents SEO best practice, GDPR will require https as mandatory. 

8. Privacy policy update

Update your privacy policy to be fully transparent about exactly how your user data will be used. Outline the following:

• How data will be captured
• How data will be stored
• How you plan to process the data
• Who will have access to the data
• What affiliates/partners/third-parties will use the data
• How the data can be erased or marketing consent be disabled

Although you don't need to display your full privacy policy at every data capture touchpoint with prospects, you will need to display a link to your privacy policy.

9. Design and UX changes

Design and UX changes are required to incorporate details about consent and data usage in your marketing campaigns and website pages. However, this doesn't mean it has to be ghastly. 

As long as you're compliant with GDPR, you can still be playful. Give users a convincing reason to opt in for marketing communications and to sign up to email lists by explaining how they will benefit from your messages.

10. Re-permissioning

What is re-permissioning? If your database isn't segmented in a way that clearly defines the date and route of consent from your contacts, you'll need to send out re-permissioning emails (or messages via alternative channels) to ask users to confirm their consent.

Here are the key considerations for preparing your repermissioning messages:

• Define what marketing content/channels you require consent for
• Create a simple way to confirm clear consent from existing contacts
• Establish and create an extensive privacy policy
• Ensure consent is time stamped in your CRM and fully auditable

This table from Ometria is a great example of how to approach your existing database when preparing for GDPR re-permissioning:

Getting these messages right is vital. Check out Ometria's handy blog on the subject: GDPR: Getting Re-Permissioning of Customer Consent Right First Time.

Wrapping up

Our checklist acts as a handy overview for marketers, providing bitesize details of what's required of marketers and brands in the lead up to the 25th May GDPR deadline.

The benefit of GDPR for marketers is that it provides us with the opportunity to cleanse and refine our contacts lists, review our existing marketing processes and create better data to deliver more relevant campaigns to subscribers and customers.

Note: our GDPR checklist for marketers contains recommendations, but is not legal advice and should refer to a legal expert when ensuring all your processes are GDPR compliant.

More GDPR resources

A great starting point is the ICO's (The Information Commissioner's Office) Guide to The General Data Protection Regulation. Grab the guide here >> https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

The ICO has also created an excellent 12-step infographic and guide to preparing for GDPR compliance. Check it out here >> https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

We recently compiled some key GDPR resources for marketers, including guides and webinars from the likes of DMA (Direct Marketing Association) and Econsultancy. These resources should give you all the info your need! Take a look >> 5 Essential GDPR Resources for Marketers

Also, retail brands should check out this blog on GDPR for email: Everything Retailers Need to Know About GDPR in Email Marketing.