GDPR: You’re Doing it All Wrong!
GDPR is coming and unless you’ve had no internet for about two years then you’ll have heard of it. From the 25th May 2018 GDPR will be enforced. Sounds scary, doesn’t it?
Plenty of self-titled experts have emerged recently offering to prepare businesses for the changes, and charging extortionate amounts. There’s a lot of scaremongering going on, and some confusion over what you need to do.
The regulation means that businesses need to protect the personal data and privacy of EU citizens within EU states. Personal data includes things that can identify a person, so name, address, web data, health data, etc.
Even if you have no idea what GDPR is (a new data protection law) then you’ll no doubt have had your inbox burned with email after email after email asking you one thing in all manner of different ways…
“Would you like to hear from us again?”
“Please give us permission to contact you after May.”
“Let this not be the end – click here to stay in touch.”
… and about 100 other versions of the same very simple action – Opting in!
The General Data Protection Regulation (GDPR) is coming in to update a law that was first passed in 1998.
A lot has happened since then. Facebook, the iPhone, Cloud computing, browser cookies!
We’ve come on a lot in these past 20 years, right!?
So, the data protection laws we have need to reflect the systems we use. That’s fair. But we’re seriously getting frustrated with re-consenting emails and here’s why:
- It’s the best way to destroy your marketing list
- You don’t actually need consent under GDPR
- Many of the people emailing us didn’t ask to put us on their list in the first place.
Before we get onto the technical bits (as checked over by an actual expert) we wanted to explain why you should avoid the practice of sending re-consenting emails and spamming your list to beg for opt-in.
This is by far the best way to destroy your marketing list!
What’s your open rate? 20%? 30%? The average is very low and you’ll do well to get 40%.
Even if you have a 50% open rate on ALL your emails… you just agreed to delete 50% of your list by asking them to opt back in.
50% won’t open the damn thing and then you’ll lose them. Those occasional openers are bound to get binned. What if they wanted to hear from you but didn’t open that email? They’re gone.
And then… then there’s click rate! The avg. click rate is less than 4% so you’re effectively killing off 96% of your 50% list.
If you had 1,000 people on your list, and you went down the opt-in route, then chances are you’re going to end up with 20 people left!
20! And those are probably a few employees, your friends, and your mum.
If they’re an individual, and an existing customer, then provided they’ve been able to always remove themselves from your list then the soft opt-in applies under PECR, and as we’ll see you don’t need consent under GDPR. You don’t need to delete them.
And here’s the thing: if you haven’t emailed already, you’re way behind those who went early when this was all new, and you’ll most likely get deleted before you’re opened as we’re all sick of it.
And here’s the other thing…
You don’t need consent!
Nowhere in GDPR does it state that you need ‘consent’ for email marketing. For some reason, everyone got confused, and the big guns started their opt-in process and confused the heck out of everyone else.
This then created a snowball… no… an avalanche of emails of “Want to hear from us again?” spam!
Not really the idea, is it?
Oh… and when you email people to ask for their consent, what you’re effectively saying is:
“We’re not sure what (if any) consent we have from you.”
… If you knew, and it was recorded, you wouldn’t ask, right!?
So with that in mind, how are you complying with the current law, PECR?
PECR works alongside the existing data protection laws, and has been law since 2003. By saying you don’t have consent to send email to people ON EMAIL… you’re breaking the law (provided the recipient is an individual, not at a company).
Yup. “Hey there, I didn’t do this properly and now I’m emailing everyone to tell them!”
You don’t need consent under GDPR but if you word an email to say that you do (from you for your systems and processes), then you’re potentially in breach of PECR and could end up in trouble.
This has nothing to do with GDPR anymore…
You can’t break one law to comply with the other. It just doesn’t work like that.
You don’t need consent under GDPR! YOU DON’T!
What’s the other option?
You can go down the consent route and many have, but if you’re running a consent rule on your email then you have to apply that to everything else. If you say “We have consent from everyone to email them” then you might as well say that you have consent to call them, post them a letter, or hold any information whatsoever. You can’t segment as a rule like that.
You can use Legitimate Interest if you do it properly.
“Legitimate interest is one of the six lawful bases for processing personal data. You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle.” – The ICO
Sending out emails under a legitimate interest basis could well be a better solution for you, but you’ll still need to comply with PECR when emailing individuals.
Even the ICO state that:
“The GDPR does not define what factors to take into account when deciding if your purpose is a legitimate interest. It could be as simple as it being legitimate to start up a new business activity, or to grow your business.”
So you can pretty much apply it to your marketing and business to suit you as long as you’re transparent about what you send and why and then how you store the data; and you’ve conducted a balancing test to make sure your legitimate interest doesn’t outweigh the individual’s.
So please stop sending re-consenting emails. You’re basically admitting you don’t have consent and then getting yourself into a pickle with PECR.
Don’t believe us? Ask Honda, Flybe, or Morrisons, who got in deep water by doing just this.
The National Trust mailed post out to their list to get consent. Why? PECR doesn’t apply to the post. Clever.
But, ironically the king of post, The Royal Mail, got fined under PECR.
Messy and ironic.
Stop sending reconsenting emails!
It’s worth noting that you do need consent (or soft opt-in) under PECR – and PECR only applies to individuals. So if you’re sure you’re B2B (and the B is a Ltd company or similar) then you can use Legitimate Interest under GDPR and PECR does not apply.
The two rules are working alongside each other and basically confusing everyone. So don’t email people about opting in for GDPR – you’re doing it wrong and potentially damaging your marketing.
Get some professional advice and set up your systems and processes to follow a Legitimate Interest route (internally and in the inbox) and you’ll be just fine.
The GDPR is not here to destroy your marketing; it’s here to update a very old law.
Stop emailing me to opt-in, OK? Just stop it!
- Desperate to make sure you’re following the rules about personal data?
- Want help?
Speak to us and we’ll point you in the right direction.
Fancy some bedtime reading? Try the ICO’s guide https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
If you suffer from insomnia try the full 88 page long, 99 article regulation. https://ec.europa.eu/info/law/law-topic/data-protection_en