IT consultant with over 11 years of e-business experience in digital marketing, e-commerce and integrations. Co-Founder and COO of Optimum7
If you can’t trust the internet with your data, what can you trust? That is the question that many people face in 2019. We have sometimes switched providers and canceled services on learning that they compromised our information.
On the other side of the coin, businesses need to learn what to do with the European Union’s new General Data Protection Regulation (GDPR) reporting actions. The punishments can include fines in the millions or a percentage of your annual turnover, which no company wants. Since the law passed, more data breaches have been reported, showing how lax some businesses can be in collecting and storing data.
When you are a marketer, you want to know what you can do with client data, and often email in particular. You also want to know if you need to comply with the new regulations in Europe. We will go into those regulations in detail.
What is GDPR?
GDPR was passed in 2018, following ample debate over certain scandals, and went into effect on May 25 of the same year. In addition to websites and providers disclosing that they collect data via digital cookies, businesses must process the information under a “lawful basis and purpose” as well as secure it from data breaches and hacking. Per The Guardian, six legal grounds must be followed when collecting data: consent, contract, legal obligation, vital interests, public interest and legitimate interests.
In short, consumers need to know when their data is being collected, give consent for it and make sure the reasons for collecting the data are legitimate. You must also not enable any moral hazards that can hurt the public.
We can understand why the European Union would pass this regulation; recent years have proven that rotten digital apples exist online: businesses that take advantage of the data. You know who the bad apples are and why what they did was heinous. They used people’s data to influence events in various countries.
Who has to abide by GDPR?
Before, only companies based in the European Union would have to abide by these regulations. With the 2018 updates, every company that interacts with European customers has to do the same, even if they are based internationally.
This means that if you know for certain that some of the people visiting your website are from Europe (you can find that out via web analytics services) and you are collecting data, then you have to abide by it. If you are doing email marketing and want to contact European customers, you have to abide by GDPR.
You should conduct an audit of who visits your website and decide if you want to consciously cater to the European market. You may have no choice but to abide by the law if you have a significant number of visitors from the European Union. That is the first step toward compliance: knowing if you want or have to follow the GDPR.
How does GDPR affect email marketing?
This is the question we need to answer. You are not a bad apple. On the contrary, you run an ethical business that merely wants to abide by the new rules. Having a data breach would most definitely ruin the trust that your customers have built when ordering from you.
Basically, you don’t want your consumers to cancel because you got hacked or because a firm used you to acquire confidential data. Trust is a valuable commodity that takes time to rebuild, and money cannot speed that process up. Knowing the law and what it requires will help you maintain that trust.
You are doing email marketing because it’s a viable strategy for generating leads. While you cannot purchase lists of emails to which to send messages — it is illegal in the United States — you could collect the emails of visitors to your website.
Many European companies go with the “opt-in” email policy. You will have to do the same by asking for consent and confirming that consumers want to receive emails from you. Rather than collecting the data from cookies and using it in an automatic server, you have to let consumers choose if they want to receive an email and confirm in the follow-up. Sometimes you may even want verification that the users are not bots.
Mind that this only applies if you haven’t asked for consent before. If you received consent before May 25, 2018, then you do not need to ask again. Also, if the consumer has not opted in before, you may violate Privacy and Electronic Communications Regulations by asking them for consent via email.
Instead, you can provide the option on your website and app when asking if you can send mailings to consumers. Only send a confirmation email when they provide an address, and ask them to verify that they signed up. Automated email systems will have this option so that you will not have to manually send confirmation emails every time a user signs up for your newsletter or special deals.
Storing your consents is important. If you are cited and asked if you have followed the rules of consent, you need to have a paper trail and database. Do not store this information in plain text; find a way to encrypt the information.
You do have to include consent withdrawal options. In the case of email marketing, this would mean having an “unsubscribe” button in your emails. If a consumer wants to opt out after they’ve already opted in, you have to give them the choice and then honor it. Have a reliable system on hand for the unsubscribe option.
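The opt-in, confirmation and unsubscribe steps described above can be sketched as follows. This is an added example, not code from the article or from any email platform: the names `ConsentLedger`, `issue_token` and `verify_token`, the 48-hour link lifetime and the demo key are assumptions, and encrypting the stored rows is assumed to be handled by the datastore.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"   # assumption: real key comes from a secret store
TOKEN_TTL = 48 * 3600              # assumption: confirmation link valid for 48 hours

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def issue_token(email: str, now: int) -> str:
    """Token for the confirmation link: signed, bound to one address, expiring."""
    payload = json.dumps({"email": email.lower(), "exp": now + TOKEN_TTL}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()

def verify_token(token: str, now: int):
    """Return the confirmed address, or None if malformed, forged or expired."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except ValueError:
        return None
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        return None
    data = json.loads(payload)
    return data["email"] if now <= data["exp"] else None

class ConsentLedger:
    """Append-only consent trail; rows are what the datastore encrypts at rest."""
    def __init__(self):
        self.events = []

    def _record(self, email, action, source, now):
        self.events.append({"email": email.lower(), "action": action,
                            "source": source, "ts": now})

    def request(self, email, source, now):
        self._record(email, "requested", source, now)
        return issue_token(email, now)      # goes into the confirmation email

    def confirm(self, token, now):
        email = verify_token(token, now)
        if email is not None:
            self._record(email, "confirmed", "email-link", now)
        return email is not None

    def unsubscribe(self, email, now):
        self._record(email, "withdrawn", "unsubscribe-link", now)

    def may_email(self, email):
        state = [e["action"] for e in self.events
                 if e["email"] == email.lower() and e["action"] != "requested"]
        return bool(state) and state[-1] == "confirmed"
```

Because every request, confirmation and withdrawal is appended rather than overwritten, the ledger doubles as the record you can produce if asked to show when and how a subscriber consented.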
Can the world rebuild data trust?
2016 and 2017 proved that a handful of firms, with sufficient incentive, could corrupt legitimate marketing practices with ulterior motives. They’ve made things worse for the rest of us. But we can rebuild trust and show that we can handle clients’ data responsibly.
The GDPR is a relatively new law for changing online frontiers. You can navigate it and still conduct email marketing.