
How to keep your email marketing GDPR-proof

The new GDPR (short for General Data Protection Regulation) will harmonize the data protection across EU nations as from 25 May 2018. This means that new rules are lurking around the corner. These will address new obligations concerning consent, data anonymization, breach notifications and data protection officers (DPO). The new regulations come with significant penalties for those who don’t comply. So let’s look into the upcoming changes and make sure your company is GDPR-proof.

Many of the rules in the GDPR are driven by concerns about the privacy of individuals. Data subjects (your customers and prospects) get more rights when dealing with privacy issues in a digital environment, which gives them more control over their personal data:

  • They need to know what is happening with their data in a clear and unequivocal way
  • They will be able to transfer their personal data between service providers without hassle
  • They will have the right to be ‘forgotten’ (if they don’t want their data to be processed anymore, all entries should be deleted permanently)

The GDPR contains provisions to protect these rights. The following topics cover the most important issues to keep in mind when dealing with personal data as from 25 May 2018.

The GDPR focuses on maintaining a high standard of consent. As a brand, make it a best practice to ensure that the consents you collect are "freely given, specific, informed and unambiguous". When an email marketing plan has multiple purposes, consent must be given for each of them separately. For instance, when somebody gives their email address at an event to enter a competition, you can't use it to send your weekly newsletter unless they explicitly agreed to that as well.

Pre-checked boxes aren't permitted under the GDPR, as they could mislead the reader; silence or inactivity does not count as consent. The intended use of the email address should be specified as well.

The major challenge of the stricter consent rules is that marketers need a way to document, for every prospect, that the person agreed to be marketed to, for which purposes, when, and through which form. Companies that can't demonstrate someone's consent risk a fine. Opt-in, rather than opt-out, becomes the norm.

Additionally, the signup process must be transparent to subscribers. It should be clear which brand is collecting the consent and how the personal data will be processed.
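The consent requirements above (per-purpose opt-in, no pre-ticked boxes, and being able to demonstrate consent later) can be turned into a small, auditable data structure. The following is an added example, not code from the original post or from any particular marketing tool: a consent ledger in which each grant or withdrawal is stamped with the source form, the version of the consent text shown, a timestamp, and an HMAC tag so that a record cannot be quietly edited after the fact. It goes slightly beyond the text by also handling withdrawal of consent and erasure (the "right to be forgotten" mentioned earlier). The signing key, the purpose names and the record fields are assumptions chosen for the illustration.

```python
"""Added example: a tamper-evident, purpose-specific consent ledger.

Assumptions (not taken from the original post): the purpose names, the
record layout and the signing key are illustrative. In production the key
would come from a secrets manager, and the records from durable storage.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

LEDGER_KEY = b"example-ledger-key-do-not-use-in-production"  # assumption
PURPOSES = ("newsletter", "competition", "product_updates")   # assumption


def _normalise(email: str) -> str:
    """One canonical spelling per address so lookups and erasure match."""
    return email.strip().lower()


def _canonical(record: dict) -> bytes:
    """Stable JSON encoding so the HMAC covers exactly the stored fields."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class ConsentLedger:
    """Append-only record of who agreed to what, when, and through which form."""

    def __init__(self, key: bytes):
        self._key = key
        self._records: list[dict] = []

    def _append(self, email: str, action: str, purposes, source: str, version: str) -> dict:
        unknown = set(purposes) - set(PURPOSES)
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        record = {
            "email": _normalise(email),
            "action": action,                 # "grant" or "withdraw"
            "purposes": sorted(purposes),     # only what the subscriber ticked
            "source": source,                 # which form/event collected it
            "consent_text_version": version,  # wording the subscriber saw
            "timestamp": datetime.now(timezone.utc).isoformat(),
        }
        # Tag computed over every field above; any later edit invalidates it.
        record["tag"] = hmac.new(self._key, _canonical(record), hashlib.sha256).hexdigest()
        self._records.append(record)
        return record

    def record_consent(self, email: str, ticked_purposes, source: str, version: str) -> dict:
        """Store consent for exactly the boxes the subscriber actively ticked.

        An empty set is rejected: a form with nothing ticked (or only
        pre-ticked defaults that the caller must not pass on) is not consent.
        """
        if not ticked_purposes:
            raise ValueError("no purpose was ticked; nothing to record")
        return self._append(email, "grant", ticked_purposes, source, version)

    def withdraw(self, email: str, purposes=None, source: str = "unsubscribe-link") -> dict:
        """Withdraw some purposes, or all of them when none are given."""
        return self._append(email, "withdraw", purposes or PURPOSES, source, "n/a")

    def verify(self, record: dict) -> bool:
        """True if the record's tag still matches its content."""
        body = {k: v for k, v in record.items() if k != "tag"}
        expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, record.get("tag", ""))

    def _current_purposes(self, email: str) -> set:
        """Replay the subscriber's history; refuse to trust a tampered record."""
        granted: set = set()
        for r in self._records:
            if r["email"] != _normalise(email):
                continue
            if not self.verify(r):
                raise ValueError("consent ledger integrity failure")
            if r["action"] == "grant":
                granted |= set(r["purposes"])
            else:
                granted -= set(r["purposes"])
        return granted

    def may_send(self, email: str, purpose: str) -> bool:
        """Per-purpose check to run before every campaign send."""
        return purpose in self._current_purposes(email)

    def evidence(self, email: str, purpose: str):
        """Latest valid grant covering this purpose, for a supervisory authority."""
        for r in reversed(self._records):
            if r["email"] == _normalise(email) and r["action"] == "grant" \
                    and purpose in r["purposes"] and self.verify(r):
                return r
        return None

    def forget(self, email: str) -> int:
        """Right to erasure: drop every record for the address, return the count."""
        before = len(self._records)
        self._records = [r for r in self._records if r["email"] != _normalise(email)]
        return before - len(self._records)
```

The competition-versus-newsletter case from the text maps directly onto the ledger: a record collected at the event booth with only `competition` ticked makes `may_send(..., "newsletter")` return False until a separate grant for `newsletter` is recorded. `evidence()` is what you hand over when asked to prove consent, and `verify()` is why that evidence is worth something.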
Special categories of personal data
Another important change concerns the "special categories of personal data". These are personal data "particularly sensitive in relation to fundamental rights and freedoms". They include data "revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation." Processing them requires a specific legal basis, such as explicit consent. So if you're not planning to use this kind of information for a particular, justified purpose, don't ask for it.
Children and privacy
The GDPR introduces specific protection measures for children. Where an online service is offered directly to a child and relies on consent, that consent is only valid if it is given or authorised by the holder of parental responsibility. The final text sets the age at 16, but a member state may lower it, though never below 13. In practice this means that unless your country has lowered the threshold, you need demonstrable consent from a parent or guardian before processing the personal data of a child under 16 on the basis of consent.
Buying databases
The GDPR does not contain a blanket ban on buying or exchanging mailing lists, but in practice purchased data is very hard to use lawfully. The consent a subscriber gave was given to the original collector, for that collector's stated purposes, and does not transfer to you; you will not be able to demonstrate consent for your own mailings, and you would also have to inform every person on the list about who you are and what you intend to do with their data. Asking them for fresh consent at that point is usually a struggle. Treat bought lists as a liability rather than an asset.
Data protection officer
The GDPR requires a "data protection officer" (DPO) for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of the special categories of data mentioned above; other companies may appoint one voluntarily. The DPO is involved in all issues relating to the protection of personal data and serves as the contact point for the supervisory authority on questions about processing. For many email marketers this means working closely with a DPO who will review how lists, consents and subscriber data are handled.
Data breach
Some companies will, though hopefully won't, have to deal with a data breach: a security incident through which personal data is lost, altered, or disclosed to or accessed by someone unauthorised. When a breach happens, you must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people concerned. If the breach is likely to result in a high risk to them, for example because leaked email addresses and names can be used for phishing, fraud or identity theft, the affected individuals must be informed as well. Take this very seriously, keep a record of every breach and what you did about it, and report as soon as possible rather than waiting for the deadline.


The GDPR introduces two tiers of administrative fines. Lesser infringements, such as failing to notify a breach or to appoint a required DPO, carry fines of up to 10 million euros or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Breaches of the basic principles, including the conditions for consent and the rights of data subjects, carry fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. Avoid these consequences for your company: take the right steps to make your email marketing GDPR-proof by 25 May 2018.

Posted on Mar 16, 2017