On 25 May 2018, the Data Protection Act (DPA) will be replaced by the EU’s General Data Protection Regulation (GDPR), a framework with greater scope and much tougher punishments for those who fail to comply with new rules around the storage and handling of personal data. This will apply to all companies processing and holding the personal data of EU data subjects, regardless of the company’s location and size, and covers all forms of personal data that can be used to directly or indirectly identify a person, such as their name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Among many new conditions, one of the biggest changes SMEs will face concerns the issue of consent, and in particular, the process by which people are added to email marketing lists. Without exception, consent means active and affirmative agreement. It can no longer be inferred from, say, a pre-ticked box or opt-out box. Furthermore, once GDPR comes into force, businesses will need to keep records of how and when each individual gave consent.

But what does this actually mean? Can you still offer incentives to people to join your email list? What about people who are already on your email list? I decided to call the Information Commissioner’s Office (ICO), the body responsible for enforcing GDPR in the UK, and ask…


Questions about GDPR and e-mail marketing


Q. We provide incentives to encourage people to sign up to our mailing list. Is it OK to continue this once GDPR comes into effect in May?

Yes and no. According to the ICO, consent must be freely given, without coercion, undue incentives, or a penalty for refusal. However, the exact meaning of the word "undue" is frustratingly vague and open to interpretation. When pushed, a representative from the ICO told us that offering a cash incentive to persuade someone to sign up to your mailing list would definitely NOT be allowed under GDPR. Similarly, offering access to a course that you would ordinarily charge for would also fall foul of GDPR. However, a downloadable one-page resource might be OK, at least until someone complains. At that point, the ICO says the onus would be on you to argue that the freebie you are offering is not of sufficient value to be considered an undue incentive.

Given such ambiguity, my advice would be to err on the side of caution and unbundle your mailing list opt-in from any incentive. By all means use your freebie as an example of the quality of your work, and offer people the opportunity to sign up to your mailing list when you deliver their free content. You might get fewer sign-ups, but the ones that you do get will sign up because they are genuinely interested in what you are providing, which, from a marketing perspective, is gold.

Q. We often attend trade shows where we ask for business cards in exchange for entry into a prize draw. Can we add these people to our mailing list?

Unless they have given you their express permission to be added to your mailing list, the same rule applies here. If you are collecting people’s personal information with a view to marketing to them (and the details on a business card are classed as personal information), then you need to get their explicit consent to do this. Entering a competition or prize draw does not automatically provide you with consent to send them marketing material. Instead, take a tablet or laptop to the show with you and ask people to complete an electronic form that enables you to keep a record of the fact that they have signed up to join your mailing list.

Q. What about people who are already on our mailing list?

Once GDPR comes into force, you must have a PROVABLE record that people have opted in to receive your communications. But what about existing subscribers? Unless you have records of them having actively signed up to receive your emails, the only way to guarantee that the data you hold complies with GDPR is to ask subscribers to opt in again. But even here, you need to tread very carefully. Last year, Honda received a fine from the ICO for sending out such emails. The firm believed the emails were not classed as marketing but instead were customer service emails to help the company comply with data protection law. However, since Honda couldn’t provide evidence that the customers had ever given consent to receive this type of email, the ICO fined the car company £13,000.

My advice would therefore be to only contact users who have actively engaged with your emails in the past few weeks, while taking the opportunity to remove lapsed customers and inactive email subscribers from your list.

Q. We send abandoned cart emails to our customers. Are we OK to continue with this under the GDPR?

If you are genuinely sending the email to help customers complete the transaction, then you should be OK. However, in order to continue engaging with them beyond offering them help to complete their purchase, you need to ask for their explicit consent.

Q. Is it necessary to use a ‘double opt-in’ method before I can send out marketing emails?

Double opt-in refers to the process of asking someone who has just filled in a webform to verify their email address and confirm their interest by clicking on a link sent to them via email. Although double opt-in is not legally required under GDPR, it is a good way to ensure that you are meeting the requirements of GDPR. It adds a layer of security, ensuring that you are definitely getting the consent of the customer. (Some argue that under single opt-in, someone could input another person’s email address without their consent, and that only by emailing them first can you confirm that they really did intend to subscribe.)

Q. I don’t have many people on my mailing list. Should I just abandon it and start again? 

Only you can answer this question. Some companies, like Wetherspoons, have decided to do away with email marketing altogether. Others have decided to conduct an audit of their mailing lists and remove data that they can’t prove complies with GDPR. The important thing is that you take action. Too often marketers persist with the old way, especially around data, through fear of change. However, under the new rules, this is neither an excuse nor an option.

Q. Where can I find out more about GDPR and the implications for my business?

Although there is a lot of information about GDPR available online, much of it is contradictory and misleading. My suggestion would be to call the ICO Helpline and explain your situation. As you might expect, their phone lines are very busy at the moment, so be prepared to be kept on hold for around an hour, depending on the time you call (avoid calling from lunchtime onwards if you can). Rest assured that when you do get through, you will be met with helpful, jargon-free advice from the organisation responsible for implementing and enforcing GDPR in the UK.


[Disclaimer: Please note that I am not a legal expert. The information presented above is provided for information purposes only. The law surrounding GDPR is complex and may have changed since this article was written. You should seek up-to-date, independent legal advice before acting on any of the information provided. I do not accept responsibility for any reliance placed on the information contained in this article.]