Email marketing and GDPR – It’s here – were you ready?

By Loran Simon | Good Stuff

UK +44 (0) 203 745 5551
IRE +353 (0) 766 805 551
US +1 (650) 665-5551
SA +27 (0) 87 551 7851

Jun 05

If not, then you might want to read the below…

Last week the General Data Protection Regulation (GDPR) came into force, and if you’re not compliant, then you could well be facing substantial fines (1% of revenue).

For smaller businesses, it's tempting to pretend it isn’t happening, or to put off what now needs to be done urgently. As Mike Cherry, national chairman of the Federation of Small Businesses (FSC) described it: "GDPR is the biggest shake-up in data protection to date and many small businesses are concerned that the changes are too much to handle."

It is going to be costly - the FSC estimates it could add another £508 to a small business’s data protection bill. But ignoring it is not an option. If the deadline has passed you by and you’re still in the throes of adapting your processes, then I’m sure you join a healthy number of other small businesses, but that’s not a reason to cut corners. If you are running digital advertising campaigns, using social media or email marketing, then there will be things you’re required to do to be compliant. Over the past few weeks, we’ve been looking at what steps you’ve needed to take to be compliant in each area. This week, we tackle email marketing and in particular the level of consent you now need in order to email the people in your database.

In this blog post, much of our focus will be on the consent needed for emailing your consumer database, i.e. current patients and potential patients, but before we do, we will quickly cover what the GDPR has changed with regard to Business to Business (B2B) communications.

Email marketing to other businesses

At one time it did look as if the rules governing B2B marketing were going to be far more draconian than they now appear to be. In fact, where they ended up meant that far less than anticipated needed to change from the previous data protection provisions.

In practice, this means that if you’re continuing to use ‘access to content’ as a way of collecting emails, or if you are emailing a cold database you can continue to send marketing emails without the need for consent. You must give recipients the ability to opt-out of future emails and include a privacy notice to tell individuals how their data will be processed (a link to your updated privacy policy will be sufficient), but essentially, if you’re doing the following things then you should be meeting GDPR rules:

  • An easy and obvious opt-out mechanism
  • An accurate sender field
  • A relevant subject line
  • A legitimate physical address listed
  • Immediate removal of individuals who opt out
  • Do not email sole traders or individuals’ personal email addresses.

Business to Consumer (B2C) email marketing

So let’s take the same example and see what’s changed with regard to emailing your patients and potential patients in a business to consumer setting. You’re using some kind of sign-up device from your social media marketing, or a potential new patient has completed a form on your website. What can you do with that information?

In the first scenario, where you are using some kind of ‘lead magnet’, i.e. give me your email address in return for this vital piece of information or promotion, you can email them the ‘thing’, but you are not permitted to continue emailing them and you cannot continue to store their details on your database unless you have gained their specific consent to do so.

In the second scenario - the individual has signed up on your website perhaps for a call back about an appointment. Again, GDPR is a fairly blunt instrument. Once you’ve called them back and potentially set them up with an appointment you can only keep their details on your database if you have told them why you are doing so and how their data will be used.

How to protect your B2C email marketing under GDPR?

Ok so it’s a little more taxing than before, but most email marketing providers (the good ones at least) have helpfully pre-designed GDPR compliant templated forms for you to easily incorporate into your campaigns in order to obtain and record consent. These forms typically include:

  • A description of why you are collecting their information and what they are signing up for, with an (unticked) tick box to opt in. Consent is kept separate from other terms and conditions, privacy notices, or any of your services (email consent must be freely given)
  • Opt-in checkboxes for all of your channels: Contacts can choose exactly how and where they want to hear from you - email, SMS, direct mail, and customized online advertising (Facebook, Instagram, Google etc.)
  • Space for your own privacy policy and terms: Tell people how to contact you, point them in the direction of your privacy policy, and share any other applicable legal information.

What is perhaps rather more demanding is what needs to happen to ensure that your existing data is GDPR compliant.

Collecting consent from existing customers

If you haven’t collected consent from contacts on your marketing database already then to the true letter of the law you are now not permitted to email them to refresh consent. As ICO Head of Enforcement, Steve Eckersley put it, “Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law…”

The reality is you might still decide to repermission, and for some you might be quite within your lawful right to do so. If the original consent given was in line with GDPR requirements then there is actually no need to seek fresh consent. You would have been required to re-permission if, for example, you’d always used a ‘pre-checked’ box for ‘consent by default’ - which is no longer lawful under GDPR. If active consent has not been received from your contacts then they should be removed from your mailing lists.

Were you still to email those on your marketing database to refresh their consent to hear from you (and we are certainly not encouraging you to break the law), you would now need to be as specific and granular as possible as to what you are asking them to subscribe to - newsletters, promotions/offers, appointment alerts etc. - and via which channels - SMS, email, direct mail, phone etc. The more granular you are, the less likely your existing customers will be to accidentally opt out of communications they may still wish to receive.

GDPR is here, we know, but if you are still working on your processes, then the ICO has a wealth of practical advice on how to comply with the new rules - checklists, guides and a telephone helpline. If you’re unsure about anything you’ve implemented or are implementing, that’s as good a place as any to start.

And if you’ve decided it's now become too complicated for you to do your digital marketing yourself and be compliant, then we would love to help.  Check out our service pages or give us a call.  Book a strategy call today.

Ideas House, Station Estate, London, E181 RT,
United Kingdom


  • Copyright Somnowell Marketing Ltd 2017