GDPR: A warning to small businesses

We agree: anything named the General Data Protection Regulation doesn’t sound a great deal of fun to read. But for anyone involved in digital marketing - email marketing in particular - it’s a must. This new regulation (which we’ll refer to as GDPR from now on, to save space) will be a law, not a directive - with penalties of up to €10m for those who do not comply.

That’s ten million Euros. Paying attention yet?

The GDPR will come into force on May 25, 2018 - meaning that SMEs need to start thinking now about the data they hold, and how they use it.

So, what exactly is GDPR, and why does it matter in email marketing terms?

GDPR: The basics

Currently, each of the 28 member states of the EU has its own separate email laws, based around the EU E-Privacy Directive. It’s fair to say this makes things a little confusing - which is why the GDPR came about. This new EU privacy law will create a single data protection framework across the EU, and will be enforced as law from May 25, 2018. With the ruling coming into force pre-Brexit, the UK will still need to enforce the changes. Post-Brexit? Well, that’ll depend on whether UK firms are dealing with EU citizens - and even if not, it makes logical sense to retain the procedures that have already had time, money and resource spent on their implementation.

What this means is a unified way in which marketers collate, handle and process personal information, changing the current opt-in process for all manner of marketing activities.

Put simply, B2B and B2C marketers alike will need to have written consent (such as via an opt-in form) from their audience in order to market to them at all. There will be no use of cookies to track users’ behaviour without their consent, and you must have clear written documentation confirming that your audience is happy for you to use their details for marketing purposes - which could cause problems for your email marketing efforts. What’s more, exactly which data you are able to use must also be made clear.

Essentially, your audience must have confirmed in writing that they opt in: soft opt-ins or relying on opt-outs to filter lists will no longer be the norm.

Add to this the fact that the regulation gives consumers the right to be forgotten, easier access to information on how their data is used and the right to know when their data has been hacked: for some firms, a great deal of work needs to be done before the new ruling comes into force.

Why is this happening?

GDPR exists partly to unify the current patchwork quilt of regulations that makes up the EU’s privacy laws, and partly to protect the privacy of EU citizens.

At Winbox, we’re all about value-added marketing: marketing only builds relationships when there’s a clear benefit to the recipient. However, we live in an age where spam emails are still the norm: something Winbox has been campaigning against since day one. Firms buy dodgy email lists to increase their mailing lists, consumers unwittingly agree to third-party email contact after missing a tiny clause in the middle of a terms and conditions document - and we’re now dealing with the fallout of years of poor email marketing practice. Blanket emailing large lists of email addresses with no qualification is a surefire way to foster negative feelings about your brand - and it’s part of the reason why the GDPR has been given life.

What impact will the GDPR have on email marketers?


GDPR will affect all businesses that use the personal data of EU citizens and have email subscribers within the EU, and this will include the UK post-Brexit. This impact will be felt in a number of ways, namely:

1. The way in which consent is collected

The consent that’s given for commercial email purposes must be, says the GDPR, “freely given, specific, informed and unambiguous”: no pre-ticked boxes, no assumptions that silence means that a consumer wants to receive your emails. The purpose for which their email address will be used must be made clear too: if someone has provided an email address to download a white paper from your website, you must let them know at the time if you plan to use that email address for any commercial purpose and give them the opportunity to say no.

2. Keeping records of consent

Not only will you need to gain the consent of those opting in to receive commercial emails - you’ll need to keep detailed records of this consent too. The burden of proof lies with you, the email marketer: if challenged, you’ll need to prove your compliance with GDPR.

These requirements not only apply to email lists that you’ve collated yourself, but also those purchased from other companies: before purchasing lists, you’ll need to ensure that this documentation is available to comply with GDPR. It’s also important to note that this regulation will apply not only to new data, but to existing data too: if you don’t want to lose the ability to contact your current mailing list, a re-permissioning campaign (asking existing subscribers to re-confirm in a way that fits with the new ruling) may be needed.

While it’s clear that the GDPR will affect all businesses that run digital marketing campaigns within the EU, small businesses could well feel the effects more than others. For small businesses, email marketing is one of the most effective ways of reaching clients and potential clients alike - and will continue to be, providing compliance is front of mind.