GDPR Myth #3: You can’t send marketing emails anymore

Will continuing to send marketing emails put your business at risk of breaching GDPR?

Does the General Data Protection Regulation (GDPR) mean you can’t send any more marketing emails?

JD Wetherspoons, the UK’s largest pub chain, hit the industry headlines last year when it decided to delete its entire marketing list. GDPR has injected a sense of impending doom into email marketers worried that carefully cultivated lists will need to be trashed come GDPR day.

This is not the case. GDPR does not prevent direct marketing taking place, nor does it mean your lists have to be deleted and collected again from scratch. However, it does mean marketers have a greater responsibility in processing personal data, and some issues around consent to market may have to be looked at.


Consent to send direct marketing emails must be compliant with GDPR

In essence, this means the person receiving the marketing email must have given their explicit consent to be marketed to, and must have a clear way to opt out that is not connected to the receipt of any other services.

GDPR requires evidence of how you are complying, so systems for storing proof of consent are required, and the double opt-in method of recording consent is highly recommended. Of course, consent is not the only lawful basis to process data, so it might be worth checking whether consent is absolutely necessary in the first place.

The best way to assess existing consent under GDPR is to reconnect with a database. Asking all customers to re-acknowledge their consent statements in the run-up to GDPR gives marketers the opportunity to show they are taking the lead when it comes to protecting data and complying with the new regulations.

The first step is to audit your database. Then investigate who the contacts are, how they were acquired, and what additional information you may need from them to comply with GDPR. Review and disclose how you collect the information, including getting consent at the point of collecting data (uncoupled from any receipt of services). Have a clear, updated privacy policy and communicate it to everyone who signs up.

The changes to email marketing may mean social media plays a more important role in a marketer’s toolbox. Engaging with customers via Facebook and Twitter removes the responsibility from the company to process large amounts of customer data. As people are spending more time on social media than on old-fashioned email anyway, now might be a good time to consider the value of continuing to market by email, regardless of GDPR.

Download a free GDPR ready data protection policy template

Is your organisation’s data protection policy template up to date and GDPR compliant? VinciWorks has published a data protection policy template that can easily be edited to suit your organisation, staff and industry. You can download the policy by clicking the button below.


This blog is the third in a series of GDPR Mythbusters VinciWorks will be publishing to help businesses distinguish between helpful guidelines and scary myths.

 

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
