Data is the new oil, according to the Economist. A long-time resource for digital companies, the role of data may be valuable for most, but are you complying with the strict UK GDPR rules that regulate how it’s collected, stored and used? If not, this should be an urgent priority for your business.
Since we left the EU, and the six-month transition period ended on the 30th June 2021, data protection looks a tad different now. No longer do we have easy data portability with EU countries, we now have many more considerations to make. Rather than complying with GDPR, we now have the UK GDPR and the Data Protection Act (DPA) 2018. Combined, these two documents and the PECR (Privacy and Electronic Communications Regulations) of 2003, set out laws governing any data that passes through a UK company.
How GDPR affects you
The General Data Protection Regulation (GDPR), which recently celebrated its third anniversary, is the most impactful change to EU privacy law in the last twenty years. Its broad compliance requirements will demand a lot from businesses across all markets. If you handle your customers’ personal data, GDPR affects you. No matter where personal data is sent, processed or stored, GDPR requires businesses to respect and protect user freedoms and privacy.
As a former EU member, a lot of what is in GDPR has carried over into UK law in order to guarantee ‘third country compliance.’ All this means is that as we are no longer a member of the EU, we have to have ‘adequate protection’ for data to be moved from the UK into the EU.
Fail to comply with UK GDPR and you’ll be facing a fine of £20 million or 4% of your annual global turnover, whichever is higher.
You are not required to automatically refresh all existing DPA (Data Processing Agreements) consents for UK GDPR compliance. But if you rely on an individual’s consent to process their data, make sure it will meet the UK GDPR standard on being explicit, recorded and as easy to remove as it was to give. If not, alter your consent mechanisms and ensure you have simple, explicit consent options at every necessary point.
Subscribers to your email marketing will also need to be able to quickly remove data if requested. Known as the right to removal or erasure clause, UK GDPR makes it compulsory to provide a clearly identifiable route for users to make contact and communicate their request to unsubscribe, opt-out, or scrub their data.
What counts as personal data?
Personal data describes information that impacts the identity of a user, called a “natural person” under UK GPDR, including their:
- full or partial name
- email address
- IP address
- bank details
- posts on a social networking site
Under special categories, according to UK GDPR compliance, the following information can also elaborate on a person’s identity:
- medical information
- biometric data
- sexual orientation
Under strict UK GDPR compliance, since it relates to ‘any information’ that helps identify a user, it’s advisable to interpret personal data broadly to avoid penalties or confusion.
Got an email mailing list?
If your current marketing email opt-in doesn’t satisfy GDPR, you’ll need to alert the user if you hold their data, offer them a chance to action it under Section 23 and then ask them if they wish to continue hearing from you. You can’t ‘soft’ opt-in.
Email marketers now need explicit consent from their subscribers. This can be referred to as ‘hard opt-in’, where the consent has to be freely given and no boxes are pre-ticked. Soft opt-in, where a box is pre-ticked, or suggested in the copy of the notice, is no longer good enough.
Your subscribers need a way to easily opt-in or out of email campaigns. This could be achieved through a straightforward call-to-action that allows customers to check a “yes” box to consent to receiving emails.
UK GDPR also demands data relevance. Whereas when GDPR first came into force in 2018, companies quickly panicked and sent out engagement campaigns, data protection now needs this regularly.
To have good list hygiene, you need to ensure that anyone on your list is actually interested in your emails. Email marketers, at least the good ones, should create sundown automations to regularly qualify their contacts. A sundown policy simply looks at whether someone has engaged with an email in the last 12 months (9 months if it’s an Outlook email…) If they haven’t, a sundown policy offers them a chance to remain subscribed and tells them if they don’t, their data will be removed.
How to keep email consent compliant with UK GDPR
UK GDPR requires explicit consent from users. According to the ICO (Information Commissioner’s Office) consent is about the preservation of user privacy and freedoms, but also helps brands establish trust, transparency and a positive, open reputation. Under UK GDPR, consent is unambiguous and legal guidance mandates that email marketing forms should enable clear, signposted actions for a user to follow.
To comply with GDPR, remember that your email consent forms should include the following:
- Consent must be given, specific, informed and explicit
- There must be a positive opt-in
- No pre-ticked boxes
- Create simple ways for people to withdraw consent
- Try using double opt-in methods
- Keep your consent policy separate from other Terms & Conditions
How to take advantage of double opt-in
Double opt-in for email marketing campaigns is not a new idea. Firing a confirmation email after a form completion, however, can provide a number of advantages.
The value of an email list isn’t in its quantity, but rather its quality. You could have a mailing list containing forty-thousand addresses, but if none of them convert, you’re wasting your time. Providing double opt-in to email listings means that the quality of your list is much higher. People who are genuinely interested in your offering are more likely to confirm their interest in your subscription than someone on the fence.
The obvious downside of double opt-in is that your email list will take longer to grow. Adding an extra hurdle for the user will naturally slow short-term growth of your subscription list. This is why you need to make your subscription really attractive to your subscribers. From emotive and creative copy to bespoke visuals, the quality of a strong email marketing campaign can convert regardless of an extra barrier upon sign-up.
Fortunately, double opt-in provides you with an ideal opportunity to touch base immediately. You can tell them more about your brand or offer a promotion as soon as they sign up, making the extra hurdle more palatable.
Is your email marketing on top of compliance with UK GDPR?
No matter how big your operation, the cost of auditing your assets and bringing them up to compliance standards is significant. Strict requirements, like greater data access and deletion rules, risk assessment procedures, Data Protection Officer roles and data breach notification processes, will mean businesses need the right expertise to deliver compliant email campaigns.
But in a world increasingly aware of the risks of exposing online privacy, consumers value the trust they have with brands. Yes, UK GDPR demands changes from your email marketing. The sooner you take action, the more trustworthy and authoritative you’ll appear against your competition.
Data protection is a good thing for email marketing. It gives you genuine, opted-in customers who actually want to hear from you. Take advantage of data protection, and the rewards are better than you could ever imagine.
If you need help designing an email system that’s not only compliant but creative, useful and reaches your customers where they are, then get in touch with MRS Digital today to find out how we can help.