11 min read May 25, 2018 at 4:37pm
GDPR is finally upon us and everyone is talking about it as if Armageddon will hit today unless we all run around burning files and throwing hard drives off cliffs just in case the rozzers find someone's email address on them.
Let me start by telling you what this post isn't.
There is approximately one cubic gazillion articles claiming to be the ultimate guide to GDPR, and I bet you've read a few and still don't understand it.
So, I'm not going to get into that here. This isn't a comprehensive GDPR marketing guide.
Instead, I thought what might be useful is a “cut through the crap” set of very short, succinct points that will give you some sort of idea about the whole process and what, if anything, you need to do about it.
Mostly, though, I'm hoping to stop a few people destroying their email lists because some guy in a suit said they should.
If I'm not compliant by the 25th May, will I be fined £17 million and sent to rot in jail?
No. Let me explain why ...
There are consultants currently travelling the country telling everyone, usually on their first PowerPoint slide, that the fines the ICO (the UK regulator that enforces GDPR) can punish you with are mahoosive: up to 4% of turnover or 17 million quid.
You can imagine that ACME window cleaning Ltd with two employees is positively quaking in its boots at this revelation, but it's nonsense.
In fact, the ICO themselves are getting a little hacked off with it.
See below a quote from their own blog:
The biggest threat to organisations from the GDPR is massive fines.
This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.
Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.
GDPR gives the ICO more clout to punish people, yes, and it gives them the teeth to act when companies fail to follow the rules, but they're not going to be knocking on your door in the middle of the night threatening to take you to a cash point.
Last year they concluded 17,300 cases. 16 companies got fined. And none were fined the maximum available to the ICO.
The sort of companies that get fined are the ones that systematically or blatantly break the rules.
For example, ignoring people's requests to be removed from mailing lists and continuing to email them on a huge scale.
The ICO wants to educate, so rather than throwing fines about willy-nilly, they'll work with the companies to ensure they're doing it right and help them stick to the rules.
Is it illegal to send marketing emails under GDPR?
Seriously this is just bonkers!
I've heard more than a few people say they're going to cancel their MailChimp account because they won't be able to email people anymore.
Let's make it clear:
- If people have given you their email address, and they've opted in to receive marketing emails, then you can still send them those emails.
- If people haven't opted in, or you're using lists scraped off the Internet or bought from some dodgy outfit for ten quid, then you shouldn't be doing that anyway!
But I need their consent, yeah?
Yep. Just like now. The important thing with GDPR is that they need to know exactly what they're signing up to.
You can't imply or assume consent anymore.
Make it clear what they're opting in to
When someone gives you any of their details such as email address, phone number etc., you need to make it really clear what it is they're opting in to and what you'll do with that information.
For example, if someone downloads an e-book from your website, you need to give them the option of also signing up to your mailing list. You can't just assume that because they've downloaded the book they're also happy to receive your other emails.
To be fair, this has been a grey area for a while, but GDPR now makes it clear.
It's going to affect a lot of websites, for example, those that only let you read the rest of an article after you've signed up, but that's OK, they'll cope.
You probably can't just email them because they've bought from you
It's the same with online shopping.
You can send them transactional emails, that is, emails triggered by their purchase such as the order confirmation, invoice and dispatch details, but you can't then start bombarding them with marketing emails unless they tick the box saying they're happy to have them.
(Note: this is actually covered by PECR, a separate set of regulations, which says you can contact your existing customers for legitimate reasons, such as wanting to offer them something. Just make sure they can opt out and you'll be fine.)
Again, this is a grey area that's being tidied up, but many shops have been doing this for years, it's no biggie.
You can't have pre-ticked boxes or confusing consent
Some stores are a bit naughty, and right at the bottom of the order form there will be a tick-box with a sentence next to it saying “We will occasionally send you marketing emails, but if you'd rather not be pestered, un-tick this box.”
You can't do that anymore, which is a good thing.
This goes hand-in-hand with tick boxes that aren't especially clear, for example, ones that give multiple reasons or say things like
“By ticking this box, you do not allow us to remove your email address from our lists or maybe email you on a regular basis. If you do not wish us to not email you regarding things like this and such, then dance a merry jig while smoking a peace pipe.”
You must make it easy for people to unsubscribe
It needs to be really simple and completely fool-proof.
Ideally, a link on every single email that says “Unsubscribe” which takes them to a page that says “Sorry to see you go, you're now unsubscribed.”
Maybe give them a question to ask why, but that's it.
Close browser, job done.
Some people grind my gears by taking you to a site which you then have to log in to first (i.e. reset your password because you forgot it) and then choose from a complex set of tick boxes before being released from their vice-like grip.
One click dude, no dick moves.
How about getting consent for emails again, do I need to do that?
In most cases, no.
I've had a flurry of emails from companies saying “Due to GDPR, we need to get consent to keep sending you emails.”
The only time you'd need to do that is if you got the email address through nefarious means in the first place.
For example, if I filled out a basic contact form on your site and then you started emailing me.
That's wrong, it's always been wrong, and now it's even wrongerer.
But if I signed up via your newsletter sign-up form, you do not need to ask me again.
Honestly, you don't.
If you got consent in the past, you have consent now.
Also, there's still a grey area about business to business. It seems you don't need consent anyway for this (there are exceptions; stick to the basics and you'll be OK).
Also (2), do you use a proper email marketing platform like MailChimp, ActiveCampaign or Aweber?
Well, don't worry about it; there's an unsubscribe button at the bottom of the email. When people click this, they're unsubscribed, and they can only get back on the list if they specifically ask.
Are there any scenarios when I might have to get consent again?
- If you use Outlook and just BCC everyone on your list, then you have no real way of guaranteeing when people unsubscribe, so you need to stop doing that. You shouldn't be doing that anyway; use a proper email system.
- If you scraped all the emails from the Internet or typed them in from the Yellow Pages. I mean, seriously, what were you thinking?
- If you really have no idea where your list came from.
Other than that, you're probably OK. I'm saying “probably” because I don't know where you got your filthy list from, and I don't want you using this blog as an excuse. If you were bad with data in the past, clean it up.
Should I email everyone to get re-consent anyway? Just to make sure? I'm scared…
Oh please, grow some.
Yes, of course you can. Send out that email.
What's your current open rate? 20%?
And click through rate? 8%?
So, just working this out on the back of a fag packet, if I had a list of 800, I'd end up with 13 left on it when I've gone through this utterly pointless exercise.
So what should I do?
If you're a huge company with lots of employees, go get yourself a consultant, they'll help you in exchange for some cash.
There are different rules for large businesses, and you might have some work to do, so go do it.
If you're a small business, you need to follow some basic steps:
The first is to check out the ICO website, which explains everything in detail; it's all you need.
If someone tells you something is “what you need to do”, then check with the ICO; they're being incredibly pragmatic about it all.
Secondly, don't lose sleep over it.
Thirdly, check your mailing list. This next bit is a bit in-depth, so I've decided to give it a new section.
How to make sure I'm not breaking the law and will, therefore, go to jail or have my house repossessed
If you systematically scraped email addresses from the web, typed them in yourself from the Yellow Pages or in some other way got your mailing list by nefarious means, then delete them all.
However, if you fall into one of these categories, read on:
- Bought the list of business email addresses from a reputable company (Experian etc.)
- Collected the email addresses via a sign-up form on your website
- Asked people at networking meetings if they'd like to subscribe and added them that way
- Got them some other way where the person who gave you the email is happy for you to use it in marketing
Still with me?
Good, let's rock.
Audit your mailing lists
Where are they from? Can you split out all the ones that opted in via your sign-up form? Good, do that: tag them or add them to another list.
This is the list of people who absolutely, positively wanted to sign up. Good, we're done. Leave them alone.
Got some others you're not sure about?
OK, put those in another list or tag them “we're not sure” or something, we'll work on these guys next.
Send out an email
The mistake everyone is making here is emailing everyone and saying “you need to sign up again” when they don't.
If they signed up before, that's fine. They gave consent and therefore that consent passes into the GDPR era.
So let's just tackle the ones we're not sure about, and rather than asking them to sign up or not hear from you ever again, let's do it another way. Let's give them an option of opting out.
Create an email something like this:
By now you've probably heard about GDPR and the new rules regarding email marketing and the correct way of getting consent.
Well, we're sure you were asked nicely if you wanted to receive our emails, but we can't be absolutely certain.
It might be that you downloaded something from us, or we met you at a networking event and you said it was fine, in which case, we're all good.
However, if you don't want to receive any more emails from us, then please click the button below to unsubscribe instantly from our list.
You won't need to do anything else, it's all automatic.
If you don't mind receiving our emails, then do nothing, but remember you can unsubscribe at any time.
Thanks for your time!
Keep this in mind
I'm not a GDPR consultant or a lawyer. This advice comes to you from someone who has read the documentation, but your situation might be unique/different.
However, there's no excuse for the many in the industry who use scare tactics to get you to do something and propose knee-jerk reactions that might end up with you losing a significant part of your business.
As with everything, be sceptical of what you're told.
Investigate everything and then do what is right.
What if someone complains!?
Someone is bound to complain. There's been so much publicity about it, there will be people looking for companies to trip up so they can get the feds on them.
If you're using a good email system (I recommend ActiveCampaign) then all unsubscribes are handled automatically and you're safe, but if not, and someone requests to be removed from your lists – do it immediately.
As long as you're on the ball, delete people's data as soon as you're asked and be open about what you do with the data you keep, then you'll be OK.
Is this everything GDPR is about then?
GDPR is a huge deal for many companies and it covers vast swathes of regulation; that's for others to deal with.
I just wanted to clear up some misinformation about it that's doing the rounds at the moment and make sure that a bunch of companies that are doing everything right aren't forced to the wall by over-cautious consultants.
If you need more advice, find a good consultant.