Nine top GDPR tips for email marketing strategies


Although GDPR’s second birthday is rapidly approaching, the dust is yet to firmly settle around its implementation. Many questions and concerns remain unanswered, destabilising a data landscape that modern industries must navigate with caution.

Few professions feel this more keenly than email marketers: the email marketing campaigns they conduct have been the largest cause of complaints to data protection authorities across Europe since GDPR’s introduction in May 2018, alongside telemarketing and the use of video surveillance.

That’s because GDPR alters how organisations are able to use data, particularly the third-party data email marketers use to target existing and potential customers. Whatever the reason – be it misunderstanding the legislation, or being unable to deliver personalised experiences whilst complying – over 100 GDPR-related fines have been issued, stemming from around 60,000 complaints received by the European Commission. And perhaps nothing highlights how large a hurdle GDPR can be better than the ICO’s decision to relax GDPR enforcement during the coronavirus economic downturn.

To avoid debilitating fines, it’s vital for businesses to follow established best-practice principles concerning the use of marketing and data. However, that's easier said than done.

The main point of concern is customer consent. GDPR holds organisations accountable for the data they hold and use, requiring them to have a strong reason for touching data, referred to as ‘legitimate interest’ – such as fraud prevention or the fulfillment of a legal contract. Such data processing has to be necessary to the act of achieving this purpose, provided that the rights of the individual whose data is being processed aren't infringed upon.

There are a number of ways to meet the legitimate interest clause, though it's often the case that marketers rely on an individual giving their explicit and informed consent. Previously, many companies relied on tiny and obscure check-boxes that are ticked by default in order to obtain 'consent' from customers but, under GDPR, companies must explain in clear, concise wording exactly why customers' data is being gathered and how it will be used.

Many marketing departments are concerned that, if customers are given the choice about whether or not they want to be sent newsletters and other forms of marketing materials, they will refuse it. However, Skip Fidura, Chair of the Responsible Marketing Committee at the Digital Marketing Association, believes that GDPR actually offers marketers an opportunity they can use to their advantage.

We spoke to him to find out some of his top tips for email marketers who want to survive GDPR.

1) Don't panic!

The biggest thing that digital marketers need to remember, Fidura says, is that GDPR is not the apocalyptic cataclysm that many are making it out to be. If marketers have been doing their jobs properly, he argues, the laws should have a minimal impact on how marketers do business.

"There's really nothing in the GDPR that email marketers haven't been talking about and doing as best practice for years. Being open, honest and transparent when it comes to getting consent - you can use the GDPR language, but it all boils down to being open, honest and transparent," Fidura explains.

2) Don't re-permission your lists, refine them

A common response to GDPR from many marketing departments has been to try and re-obtain consent from their entire marketing list for life-long messaging, but according to Fidura, this is an unnecessary effort. "The myth when GDPR first came out," he notes, "was that consent is the only way we can market and therefore, because I don't have GDPR-level consent, I have to go get GDPR-level consent."

In reality, he continues, what brands have done is to take a step back and examine their data, working out how much of their lists they can continue to market to under GDPR's 'legitimate interests' provisos, which customers they need to approach to ask for new permissions, and which customers should be culled from their lists entirely.

3) Follow best practice

This dovetails neatly with another of Fidura's top tips, which is to make a point of following best practice - i.e. reducing email lists when some recipients haven't engaged for a defined period of time - no matter how unpalatable it may seem.

"[Marketers] know they should be culling people off lists, but when you go to the finance people and say 'I've just cut 25% off our email list', the finance people go 'what are you, crazy?'," he says. "So actually, I think in some cases, marketers have been able to use GDPR to do what they know they should have been doing all along."

4) Audit your data regularly

Of course, you can't cut dead weight from your email lists if you don't know that it's there. Fidura advises that companies conduct regular audits of their data stores to ensure that they know exactly what state their lists are in.

"The problem with data is data has a shelf-life, and just like a piece of fish that's gone off, if you let it sit too long, it's gonna stink," he states. Companies need to be aware of how long data is going to be relevant for when they collect it, and should regularly audit it based on the inflow of data and how many people are accessing and modifying it.




5) Don't forget about ongoing compliance

Many organisations went into a mad scramble to get ready for GDPR last year, but that doesn't mean that the work to get compliant is done. As Fidura points out, GDPR is far from a one-time deal. While initially complying with the regulations is important, ensuring that you continue to uphold those standards is actually more critical in the long run. The further we get from May 2018, the more relaxed companies are going to get, and it won't be long before "they're going to buy some new system and forget that they've got to now plug that into their GDPR compliance".

"What they need to think about going forwards is, they need to remember the steps they went through to get to their GDPR compliance; the data audit that they did," Fidura says. "Every time they bring a new channel, tool or system online, they need to think about what the potential impact of that is to the consumer. If necessary, they need to do a privacy impact assessment and they need to document all that stuff, because [GDPR implementation] is not the end; it's the end of the beginning. GDPR doesn't go away."

6) Build customer trust

GDPR might be scary for marketers, but in reality, it offers companies an opportunity to build a deeper, more trusting relationship with their customers. According to research by the Digital Marketing Association, 62% of consumers are more willing to share their data if they have GDPR explained to them, and more than 85% want greater control and transparency regarding how their data is used and collected.

"We know that consumers get to be more comfortable about giving up data when they know how the data's going to be used; that's just human nature," Fidura says. "I think the opportunity for all marketers is to start talking about GDPR, start telling people about what's in the GDPR, what their rights are, how the business is implementing that, so that they start to rebuild trust. And then, of course, they have to live up to that."

7) Be honest about what data you need

It's not just customers that marketers need to be honest with around GDPR; according to Fidura, they also have to be honest with themselves. As part of the data audits mentioned above, marketing professionals need to take a step back and examine what data they absolutely need to have, and what data they're gathering for the sake of it.

"The example I always use is this: we have DotMailer-branded socks. In theory, to know how many socks to buy, we should ask people their shoe size. As an email marketing company, do we really have a need for their shoe size?", Fidura notes. "No - because we're probably going to buy a bunch of large, a bunch of mediums and a bunch of smalls anyway."

8) Be accountable

One of the fundamental tenets of GDPR is making companies accountable to the people whose data they hold, but Fidura says that this is a standard which companies should be holding themselves to regardless, in the service of rebuilding customer trust.

"Whatever you do, if something goes wrong and you violate that trust, be accountable for it. Hold up your hand and say 'you know what, we screwed up'," he says. "Too often, corporations don't want to say anything until they know all the facts, but by then, they've lost the story."

9) Don't let lawyers write your privacy policies

For marketers, GDPR isn't simply about getting customers to check a box indicating that they're happy to receive your emails; one of the stipulations is that you must give them a specific set of details about how you're using that information. Similar to the oft-ignored terms and conditions agreements for software, this is often represented by a wall of dense legal text, but it doesn't have to be.

"Don't let your lawyer or compliance team write your privacy policy," advises DMA managing director Rachel Aldighieri. "Work with them and the creative teams and your communications teams to write that." She says that privacy policies can be engaging and attractive when done well, citing examples from EasyJet, the BBC and more.

This article was originally published in May 2018, and has since been updated to include additional figures.