March 30, 2018

GDPR Checklist: Get ready for May 25th!


The new European Union legislation known as the General Data Protection Regulation, or GDPR, enters into effect on May 25th, 2018. That means you only have a few more weeks to prepare. Now is the time to make sure that you’re following best practices with your email marketing strategy in order to be in compliance with the new law.

For the past few months, the GDPR has dominated headlines in Europe and even in North America. It establishes new rights for online users regarding their personal data, including more control over how this data is used, stored, and processed.

Although the law is being put forth by the EU, any business that is processing personal data of EU citizens is subject to the new restrictions and requirements. That means if you have any European subscribers to your emails, or you’re collecting personal data from customers in the EU for your ecommerce store, you need to be ready.

Make sure you’ve taken the necessary steps to align your email marketing strategy with the new regulation by following our GDPR checklist:

First Step: Get proper consent from new contacts

Make sure that your opt-in forms are up to date and clearly communicate to new subscribers what they can expect after signup.

One of the main tenets of the GDPR is the importance of receiving consent from users to process their personal data. This consent should be “freely given” through a positive action based on very clear information regarding how their data will be used.

To make sure that you’re collecting consent in the right way, there are a few steps you need to follow:

Use an Active Opt-in

When setting up your opt-in forms, use checkboxes accompanied by affirmative phrases that make it clear to users what they’re signing up for. This allows users to sign up by performing the positive action of checking a box that affirms which types of data processing they accept.

Translation: The GDPR forbids “pre-checked” boxes, which users must uncheck if they don’t want to subscribe, as well as awkward language designed to confuse subscribers (e.g. “Please check if you don’t want to be subscribed to our newsletter”).

Distinguish between different types of data processing with separate opt-ins

There should be a separate checkbox for each of the different types of processing for which you plan to use subscribers’ personal information. For example, if you send a newsletter, promotional emails, and automated emails based on the on-site behavior of your contacts, you have to get permission for each of these types of processing separately.

Translation: You can no longer lump together multiple different opt-ins into one affirmative statement (e.g. “I agree to receive the monthly newsletter, weekly promotional emails, and automated emails based on my behavior and interests”). They must be separate and explicitly stated so the user has a choice.

Collect only the personal information that is necessary

Every piece of personal data that you collect must be essential for the service that is being offered. If a piece of data is not clearly essential (unlike, say, an email address when signing up for an online newsletter), you must explain why it is necessary.

Translation: If you want to collect additional personal details from subscribers at the time of signup, such as first and last name or gender preference, you need to explain why (e.g. “We are collecting these details to give you a more personalized experience with our promotional emails.”).

Although these restrictions may seem like they’ll hurt your business, they’re actually good for your email deliverability and customer relationships. That’s because these steps ensure that people are signing up for the right reason: they want to receive your emails. This creates more engagement for your campaigns, leading to better deliverability, and happier customers because they’re getting what they want.

Second Step: Make sure contacts in your existing lists have given proper consent

The GDPR is retroactive, meaning it applies to contacts who are already in your database as well.

Becoming GDPR-compliant also means checking that you have the consent of the contacts already in your current lists. This process consists of two parts:

Verify that current contacts signed up through an active opt-in process

As a reminder, active opt-in means that they signed up after being clearly informed of how their personal data would be used through the completion of a positive action (e.g. checking a box).

If you can’t show that you had an active opt-in process for your current lists, you’ll have to move on to the second part of the process.

Create a re-opt-in campaign

If you want to continue emailing your old contacts, you’ll need to ask for consent properly and in accordance with the GDPR.

That means sending a re-opt-in campaign asking if they would still like to receive your newsletter. All you have to do is include a button that clearly states “Yes, I would like to continue receiving newsletters,” and then keep only the contacts who have clicked on this button. You’ll have to include separate buttons if you send multiple types of emails (as mentioned above).

Even if your contacts did sign up through an active opt-in, it’s still not a bad idea to clean your list with a re-opt-in campaign anyway. This helps with engagement rates and removes any potentially expired or inactive email addresses.

Third Step: Make data access requests easy for contacts

Under the GDPR, your clients have the right to access or modify any personal data of theirs that you hold, at any time.

As I mentioned earlier, the new regulation gives online users more rights and control over how their personal information is used. It’s imperative that you make it easy for users to exercise these rights if you want to avoid penalties under the GDPR. Here are a few things to keep in mind that should help:

Make unsubscribe links easy to find

Some marketers think it’s a good idea to make it harder for contacts to unsubscribe by obscuring the unsubscribe link (or hiding it altogether). This is a very bad idea — especially in light of the GDPR.

Users have the right to object to or unsubscribe from any type of personal data processing at any time. Hiding the unsubscribe link would deprive them of this right, which is why you should just make the process easy and painless. Plus, there is no reason to keep an uninterested contact in your database anyway — it just hurts your engagement rates.

Ensure unsubscribing applies to all of your lists

Once a user unsubscribes, they should be removed from receiving all of your emails. Otherwise, you risk making someone very upset, in addition to any legal penalties you might face from the new laws.

Stop using “no reply” email senders

You should always have a reply address for your email campaigns. This makes it much easier for contacts to make any data requests in accordance with their new rights outlined in the GDPR.
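The first three steps above (one unchecked box per type of processing, keeping only contacts with an evidenced “Yes”, and an unsubscribe that covers every list) can be modelled as a small per-purpose consent ledger. This is an added example, not Sendinblue’s code; the purpose names, record fields and function names are hypothetical, and the form layer is assumed to have already parsed checkbox values into booleans.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# One checkbox per type of processing (hypothetical purpose names), none pre-checked.
PURPOSES = ("newsletter", "promotional", "behavioral_automation")


@dataclass
class ConsentRecord:
    email: str
    # purpose -> (wording the user saw, UTC timestamp); absence means no consent
    consents: dict = field(default_factory=dict)

    def grant(self, purpose, wording, when=None):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.consents[purpose] = (wording, when or datetime.now(timezone.utc))

    def withdraw_all(self):
        """Unsubscribe: removes the contact from every list, not just one."""
        self.consents.clear()

    def may_send(self, purpose):
        return purpose in self.consents


def record_signup(form, wording):
    """Build a ConsentRecord from parsed form fields; only an explicit True counts.

    A missing, unchecked or non-boolean value is treated as no consent, so
    nothing is ever inferred from a default or from silence.
    """
    rec = ConsentRecord(email=form["email"])
    for p in PURPOSES:
        if form.get(p) is True:
            rec.grant(p, wording[p])
    return rec


def needs_reoptin(rec):
    """Existing contacts with no evidenced affirmative consent must be re-asked."""
    return not rec.consents


def apply_reoptin(legacy_emails, clicks, wording):
    """Keep only legacy contacts who clicked a 'Yes' button; clicks: {email: {purpose, ...}}."""
    kept = []
    for email in legacy_emails:
        rec = ConsentRecord(email=email)
        for p in clicks.get(email, ()):
            rec.grant(p, wording[p])
        if rec.consents:
            kept.append(rec)
    return kept
```

Storing the exact wording and timestamp alongside each purpose is what lets you later show that consent was informed and freely given, rather than merely that an address is on a list.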

Fourth Step: Check to make sure that all of your third-party software providers are also GDPR-compliant

You are responsible for your contacts’ personal data; don’t just entrust it to anyone.

If you’re like most businesses these days, then you’re likely using multiple third-party software tools to help process and store your customer data. It’s always a good idea to check with these providers and make sure that they’re following best practices in compliance with the GDPR (like Sendinblue 😉 ).

Feeling lost? Make sure you’ve covered all the steps with our GDPR checklist below!

GDPR compliance checklist
