Consent & your existing database
Learn more about the impact of GDPR on your current contact database
GDPR does not only apply to signups that happen after May 25th, it applies to all existing EU subscribers on your email list. On the face of it, the GDPR is quite clear – you must get the explicit consent of individuals in order to communicate with them.
Many are still wondering whether they can email contacts that haven’t explicitly opted-in, after 25th May 2018. The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.) *source ico.org
Marketing under the GDPR (email campaigns, pitches, Twitter DM's) is regulated exactly like any other data processing activity. This means that you have to show that you have a lawful basis under Art 6 to conduct direct marketing, and this lawful basis does not necessarily have to be consent-based. In fact, it often won’t be.
This is because the GDPR acknowledges that direct marketing will often be a ‘legitimate interest’ of the data controller (legitimate interests being a non-consent-based ground for data processing) and therefore consent to direct marketing is often not required under the GDPR. Recital 47 of the GDPR actually says that:
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
This means that if you want to send an email campaign to a segment or part of your contact database it can be done in reliance on its 'legitimate interests’ – it generally does not need its customers’ consent to this mailing. It will, however, always need to offer them an opt-out (Art 21(2)).
- Much direct marketing (both snail mail marketing and e-marketing) is possible today on the basis of opt-out. Opt-in consent can be used, but is seldom legally required;
- The GDPR does not change this position and, in particular, does not make opt-in consent a mandatory requirement for direct marketing - it acknowledges that marketing can be conducted in reliance on legitimate interests; but
- The forthcoming e-Privacy Regulation seems likely to continue to allow opt-out-based e-marketing in many cases, though marketing teams should monitor developments here closely.
Needless to say, the impact of the new GDPR legislation will depend on how you run your communication campaigns today. Here are a few general guidelines.
- allow people to opt-out and respect that forever
- segment your audiences into interest groups so you can send the right content to the right people
- unsubscribe contacts if they have not opened/replied/clicked or engaged in your attempts after numerous attempts
- make it easy for people to unsubscribe and contact you
- plan for the withdrawal of consent
- store more information than you need for further personalization/segmentation (send relevant content)
- purchase (media) lists of business and personal email addresses
- email everything to everyone to get more attention
- undo unsubscribes to get more eyeballs on your content
- sell data you have collected or are gathering
- keep the data you don't longer use/need