The General Data Protection Regulation (GDPR) is a wide-ranging piece of legislation that impacts the use of personal data in our digital marketing efforts in a number of ways.
It would be impossible to cover GDPR in an article like this because each institution uses personal data in a number of different ways. However, there are three main areas to consider to ensure you are compliant. If you’re unsure, please reach out to your data protection team.
1. Is this communication considered to be ‘marketing’?
Since the introduction of GDPR the ‘marketing’ element of your communication will come under scrutiny, and if it is considered to be marketing it will be in-scope for control under GDPR. The following easily falls into this category:
- Mass emails sent from a system like MailChimp or HubSpot with content referring to a product or service aligned to a call to action to apply/buy/find out more
- Cold e-mails to potential customers with whom you do not hold a relationship
- E-mailing from purchased lead lists (where correct permission has come with these lists)
- Cold calling
Examples of non-marketing emails would be communication along the lines of:
- Service-based e-mails – i.e. an email about a maintenance issue, or critical service updates relating to a product that a user is consuming
- Transactional-based e-mails – such as billing e-mails
2. Where did I get permission to market to this person?
Once you have established that your communication is considered to be in-scope, the next question is: where did I get permission to market to this person?
Clearly, this will vary from situation to situation, but the answer is likely to fall into one of the following:
- Explicit permission was given by the customer when contracting with us – i.e. they opted into marketing when signing their accommodation contract
- Explicit permission was given by the customer when giving us their details to be contacted further – i.e. when signing up to an enquiry/booking form
- Permission was obtained and transferred internally via another team or partner (which would be outlined in a data processing or data sharing agreement)
If you’re not sure where consent has been obtained, find out before you contact that person!
3. How can this person opt-out of my marketing?
An important principle of GDPR is that once you have someone’s consent to market to them, they can still withdraw it at any time. This should be a straightforward process, with the most accepted method being an unsubscribe link at the footer of every marketing e-mail you send.
Most mass e-mail products have this built in, and you should test it periodically to see if it works. For example, how are you sure that if someone unsubscribes you don’t continue to contact them, even by mistake?
Also consider how you are allowing for consent to be withdrawn on 1:1 e-mails. 1:1 e-mails sent from a CRM like HubSpot will also usually append an unsubscribe footer to them. However, if you are sending a genuine 1:1 e-mail (for example from Outlook) but it is still considered marketing, consider how you and your teams might process a request from a customer to stop receiving such marketing.
The distinction between marketing emails and operational emails needs to be clear from the start to ensure that any unsubscribe methods can be added to the marketing content. This also needs to be managed via separate contact lists if you don’t have separate systems sending and managing the unsubscribe requests. When a student unsubscribes from a marketing email, if they are a current resident they will still need emails relating to their contract.
Finally…
To many people first considering how GDPR applies to e-mail marketing, it can be a bit of a daunting process.
However, once you get into the mindset of these three simple things and have some robust processes in place to control them, it is fairly straightforward to remain compliant.