GDPR is big news at the moment. We recently covered the General Data Protection Regulation, setting out the three key areas in which businesses of all sizes and types that do business with any EU-based consumer will need to ensure compliance.
One of these key areas was consent. If you regularly send email newsletters or updates to a contact list that resides within the EU, then you are going to need to follow a number of steps to make sure you are not breaching the new Regulation. Remember, a breach could cost you literally millions of pounds.
Email Marketing Requires Opt-In Consent Under GDPR
Under GDPR, businesses can only send emails to those who have opted in to receive them. Whilst the current EU Privacy Directive already requires this in the majority of EU countries, the difference under GDPR is the nature of the consent.
Consent must never be compulsory or hidden; it must be active (opt-in only); you must have separate requests for each type of contact; it has to be clear who is requesting the consent, and the consent must be easy to withdraw.
You cannot assume that it is permissible to send marketing materials to contacts simply because they have not asked NOT to be contacted.
Why are you Collecting Data?
Your reason for collecting data must also be made clear, and you must set out how it will be used. Again, this needs to be a positive action (opt-in) rather than a negative opt-out action.
For example, consider a statement such as: ‘Office Assistants will use your personal details and record your purchase habits so we can provide you with appropriate offers in the future. If you would prefer for us not to do this, please tick here.’ This would be non-permissible under GDPR because you are asking for an opt-out rather than an opt-in.
‘Please tick the box to confirm you are happy for us to do this’ is the right way to obtain consent as this is a positive action.
Every time you collect an email address you will need to run this procedure. It doesn’t matter whether it’s a web sign-up form, a postal mailshot, an exhibition or anything else: you MUST obtain consent to send marketing materials. Under GDPR you cannot collect, store or use email addresses without consent.
Record Keeping is Essential
You will also need to keep records of all consents collected because, if compliance is questioned, you will need them as evidence. This could be done by keeping copies of sign-up forms or taking screenshots of web pages or apps where consent boxes were ticked.
GDPR will apply to all data captured both before and after the introduction of the Regulation on 25th May 2018. This means that any current mailing list you have will need to be refreshed. In other words, you will need to request consent from every person on your existing mailing list.
When to Plan for GDPR?
The best time to do this is NOW. If you leave it until the last minute, your consent request email will be lost among those of everyone else undertaking the same exercise. It may also be necessary to send a series of requests in case there is a lack of response in the first instance. Give yourself time; otherwise you could find yourself with an unusable mailing list come May next year.
If you are in any way unsure as to how GDPR will affect your business, why not speak to your local bookkeepers?