The deadline for complying with the General Data Protection Regulation (GDPR) is less than a year away and many companies are still asking questions like “How do we become GDPR-compliant? What are the first steps we should take?” and “What do we do with all the email lists we have built up over the years?”
One of the requirements of the GDPR is that a company should only hold onto data for as long as is necessary, but there is no defined measure for what can be deemed ‘as long as necessary’. Can a company justify sending sales emails, six years after the fact, to someone who once subscribed to a newsletter?
The reality for any email marketer who wants to secure and maintain GDPR compliance is that ‘re-consenting’ every email list (asking each subscriber to opt in again) is the quickest route to compliance.
Some bodies suggest that seeking permission again every two years is reasonable. This will show that permission is not assumed to last indefinitely. Under the GDPR, consent must be demonstrable and explicit, with the data subject taking an affirmative action. Most notably, the consumer must choose to opt into any marketing opportunity rather than having to opt out of it (an example of opt-out consent is when consumers have to deselect a pre-ticked box). Once consent has been obtained, the data subject may only be contacted in ways and on subjects that they have actually opted for, e.g. a newsletter can’t be sent to a person who has only opted into a special offers mailing list.
If a person was signed up for a mailing list more than two years ago because they failed to opt out of it, or if the person is receiving information on subjects they have not signed up for, it is best practice for the company to seek permission to maintain contact via email and then to repeat this action every two years thereafter. Otherwise, to comply with the Regulation, this data would have to be destroyed.
Regardless of how the data is compiled for a mailing list, organisations should seek fresh consent every couple of years anyway. Making this standard practice is the fastest route to achieving GDPR compliance for email marketing.
A GDPR compliance framework needs knowledge and competence. Take the first step towards implementing the GDPR in your business by attending our GDPR Foundation training.