Email marketing in the era of GDPR – How to ensure compliance?

Which aspects do you need to consider when sending email campaigns according to the GDPR? The GDPR brought many changes in digital marketing, which also affected email campaigns. Therefore, it’s crucial to understand the connection between the GDPR and email marketing in order to avoid the negative consequences of non-compliance, but also to improve your response rates.

This is because the GDPR brings the focus towards communication only with interested audiences, and proven opt-in consent is what makes email marketing more precisely targeted. In this article, you’ll find some fresh stats about this important marketing strategy and learn how to minimise the risk of its negative impact on your recipients.

Learn more about the connection between the GDPR and digital marketing in the article How does GDPR affect digital marketing?

Make sure your content is valuable and targeted to your audience

Do you want to sell something? Do you have a special offering? Do you want to launch a new product or service? Then you need to make sure that it is something really useful for your audience. Put yourself in their shoes – do you like the content you’re about to send? Ask around if people consider the communication to be spam – if yes, then people will probably unsubscribe or report you to a Data Protection Authority. Even if you’ve done all the necessary compliance steps outlined below, there might still be somebody who is offended by your content. Make sure your content is valuable and targeted to your audience. Give your audience a chance to provide you with feedback in order to adapt to their expectations.


Brief your audience

Does your audience know what you do with their data? According to Articles 13 and 14 of the GDPR, you must brief your data subjects about the personal data you are processing.

This can be done using a Privacy Notice that needs to be placed in a public location – a website or a Facebook Note, depending on which form the user used to register. If they registered on Facebook, then there should be a Privacy Notice on Facebook. If they registered on a website, then the Privacy Notice should be placed on the website. However, it must be written using simple, clear language that can be understood by your users.

Before sending the first email communication, you need to make sure your audience knows that they will be receiving email communication from you, based on legal grounds (consent, contract, legal obligation, vital interest, public interest, legitimate interest), through an email blast platform (like Mailchimp or other) or directly from you. Also, you can refer to your Privacy Notice containing all this information in each email you send to your audience. For more about consent, read the article Is consent needed? Six legal bases to process data according to GDPR.

Determine your legal grounds

Did your audience subscribe to your email communication? Then you have their consent (if it was collected in the correct manner, according to Article 7). Are you sending your email campaign in order to perform the contracts that you have with your recipients (e.g., late payment notifications, product recalls, etc.)? Then the contract is your legal ground. Do you send an email communication related to a fact that protects the vital interests of your audience? Then you can apply vital interest as legal grounds.

Are you a public authority, like a state agency or a local government office? Only then can you use public interest as a legal basis – however, the content of the communication must reflect that (e.g., notifying the citizens of a neighbourhood about some public work affecting them). Legitimate interest is a much more complex legal ground and it is explained in the section below.

Using legitimate interest as a legal basis means avoiding surprises

According to the definition from Article 6.1.f, legitimate interest can be invoked when processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. The first keyword here is “necessary”. The processing is necessary only when it matches the purpose of the processing, and the purpose of the processing could not be reasonably fulfilled by other means.

For example, let’s say you have an ecommerce site. Rather than blasting an email with an upsell offer (and invoking legitimate interest to cross-sell to customers who already purchased a product as your legal grounds), you could consider that less-intrusive means can be used to fill this purpose – customers could see the offer as a banner in their account when they visit the ecommerce site and log in to their account.

The next phrase is also critical – “except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”. In practice, this means: “Don’t surprise your audience”. Your audience should reasonably expect to receive your email. Examples are former customers that you want to re-activate, or offering recipients some benefit that can be quantified in an email – something that a person should expect. If you “surprise” your audience, they might get upset and challenge your legitimate interest. Also, you need to perform the “balancing test” – you can find a detailed guideline regarding legitimate interest on the Information Commissioner’s Office (ICO) website.


Final considerations

Email campaigns no longer deliver the results they did some years ago. There are new digital mechanisms, both outbound and inbound, that can achieve the same results with fewer risks regarding privacy and the GDPR. However, if you want to send emails as part of a campaign, make sure you deliver the right content to the right people (segment and micro-segment your audience – don’t send the same thing to everyone), make sure they feel briefed and expect to receive the communication, and make sure that you have legal grounds for every person on your list.

Avoid using purchased databases unless the seller has all the legal grounds that you can use to send communication. Also, make sure that your audience can exercise all their rights – rights to access, rectify, delete and export the personal data, and rights to restrict processing and to object to processing.

For a wider view on the GDPR in marketing, register for this free webinar: How GDPR Affects Marketing Practices.


Tudor Galos

Tudor Galos is a versatile, award-winning Business Consultant with a focus on the GDPR. He has an ECPC-B Professional DPO Certification from the European Centre on Privacy and Cybersecurity, Maastricht University. His company has delivered GDPR compliance projects to more than 50 customers in verticals like Retail, E-tail, Financial Services, Insurance, Healthcare, Manufacturing, Digital Advertising, FMCG, etc.