Blog

Everything Retailers Need to Know About GDPR & Email Marketing

Learn the key GDPR considerations and recommendations for retailers using email marketing and looking to become compliant with the new rules

Written by
Enchant Team

This article was written in 2017 ahead of the GDPR coming into place.

The General Data Protection Regulation (GDPR) came into full effect in May 2018, and the changes present significant difficulties for marketers. Businesses are required by law to provide transparency about how they collect and store data as well as gain true consent before using this data, giving consumers more control. What does this mean for retailers? Read on to find out...

In this blog, we’ve outlined the key considerations for GDPR compliance for retailers using email marketing. It's not an exhaustive guide, but a starting point for those yet to tackle GDPR. Be sure to speak to a legal specialist before implementing anything.

Why is GDPR important?

Currently, there are significantly differing spam regulations in the European Union (EU), which vary greatly from country to country under the Directive on Privacy and Electronic Communication (or the EU E-Privacy Directive). This directive outlines overall goals and each member state can translate these goals into local law. However, the result has been differing email laws for each of the EU member states.

With the EU’s new privacy law, the goal is to bring order to the regulations across the EU. This regulation will be enforceable as law in all EU member states on May 25, 2018.

So what does GDPR mean for your retail brand?

GDPR will affect every company that uses personal data for EU citizens. If your business is collecting email addresses and sending emails to EU subscribers, then you will have to comply to GDPR (regardless of where your business is based).

According to Stewart Room, leader of cybersecurity and data protection at Pricewaterhousecoopers (PwC), “This will impact every entity that holds or uses European personal data both inside and outside of Europe (ComputerWeekly.com).

Take a look the this handy checklist from Lepide:

Stricter regulations for collecting consent

The way subscribers and customers are “opting in” to marketing messages is changing and GDPR hopes to tackle sneaky tactics where people didn’t know they were opting in or out. One way to prepare for GDPR is by reviewing your current consent process. 

Here’s an overview of GDPR standards for consent:

  • Unbundled: Consent requests need to be seperate from other terms and conditions and should not be a precondition of a service sign up.
  • Named: You should name your organisation or any third parties who require consent.
  • Active opt-in: Any pre-ticked opt-in boxes are invalid and you must offer customers unticked opt-in boxes or similar.
  • Granular: Provide granular options to consent separately to different types of processing where applicable.
  • Easy to withdraw: Give customers the option to withdraw their consent at any time and also make it clear how they can do this.
  • Documented: Your business must keep records to demonstrate what the individual has consented to. This includes what they were told, when, and how they consented.
  • No imbalance in the relationship: If there is an imbalance in the relationship between the individual and controller then consent will not be given.

New requirements for consent record keeping

Under GDPR legislation, your business must keep clear records of consent taken. These records should include details of each individual, what they consented to, when they gave consent and the information they were given at the time. 

If someone withdraws consent, then you should have this documented as well. All consent documentation and records should be kept separate from other company documents.

To achieve compliance you must adopt new practices

Your brand should take both technical and organisational measures to ensure that data protection is a part of any procedure involving personal data.

Take the following steps for best practice:

  • Review current policies and procedures and make sure that only necessary data is being collected and that it is only processed to the extent necessary
  • Make sure the data you are collecting is being stored securely
  • Make sure access to the data is limited
  • If the data is no longer needed then it should be destroyed.

There will be penalties if you don’t play by the rules

Businesses could face penalties of up to €20 million or 4% of group worldwide turnover. According to the ICO, they will not be specifically targeting small businesses but there will still be an increased risk, due to individuals having a greater ability to bring private claims against organisations or breach of the regulations.

There is particularly a risk here for small businesses that may not have the resources to carry out the new processes of this legislation.

Prepare for GDPR legislation with a positive approach

If you’re not already in the process of anticipating GDPR legislation, there’s no better time than the present to start preparing for the arrival. The best way to do this is to demonstrate ‘privacy by design’, where you store customer data in a pseudo-anonymised way and build protection directly into processes and policies. 

Take a pro-active and positive approach to GDPR and see it as an opportunity to improve your email marketing process and, in turn, create better and more relevant brand experiences for subscribers.

Here are some other useful resources on preparing for GDPR compliance:

And finally, remember that this blog is just an introduction. It's not legal advice and you should speak to a legal expert when tackling GDPR.

Subscribe to our newsletter

Get started with Enchant.

Discover how we can maximise your marketing potential across multiple channels.

Enchant came in and delivered an incredible training programme and strategy for our Global Marketing team on many areas of our CRM and email marketing.
Rene from BlackRock

Rene

Director, Global Marketing Insights at BlackRock