GDPR Compliance in 2020 (Email Marketing Edition)

What is GDPR?

GDPR stands for "General Data Protection Regulation." It is a European Union privacy law that has applied since 25 May 2018 and regulates the collection, use, and other processing of personal data relating to individuals in the EU. It sets out rules intended to prevent misuse of personal data.

Among other personal data, GDPR governs the collection and further use of email addresses by businesses. Its main aim is to protect individuals' personal information. It applies to companies established in the EU and to companies outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.

Seven principles of GDPR

The European Union defines personal data as any information relating to an identified or identifiable individual. It can concern his or her private, professional, or public life: a name, a photo, an email address, bank details, posts on social networking websites, medical information, or even a computer's IP address.

According to the GDPR, the seven principles for the lawful processing of this personal data are:

1. Lawfulness, fairness, and transparency

Companies must gather, process, and use individuals' personal data lawfully, fairly, and transparently.

2. Purpose limitation

Data may be collected only for specified, explicit, and legitimate purposes, and may not be further processed in a way that is incompatible with those purposes.

3. Data minimization

Only data that is adequate, relevant, and limited to what is necessary for the stated purposes should be processed.

4. Accuracy

Stored data must be accurate and, where necessary, kept up to date. Companies should delete or rectify inaccurate information without delay.

5. Storage limitation

Data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. Longer storage is allowed only for archiving in the public interest, scientific or historical research, or statistical purposes, and then only with safeguards for the rights of individuals.

6. Integrity and confidentiality (security)

Personal data must be processed in a way that ensures appropriate security. Companies need to adopt technical and organisational measures that protect against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

7. Accountability

The controller is responsible for compliance with the principles above and must be able to demonstrate it, for example through records of processing activities and of consent.

Who will be affected by GDPR?

The GDPR applies to companies that process the personal data of people in the EU, whether or not the company is based in Europe: it covers controllers and processors established in the EU regardless of where the processing takes place, and controllers and processors outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.

Note that the scope turns on where the company is established and on the data subject being in the EU, not on citizenship: an EU citizen living outside the EU is not automatically covered when dealing with a non-EU company, while a non-EU national who is in the EU is.

How will GDPR impact email marketers?

Email marketers relying on consent must collect consent that is freely given, specific, informed, and unambiguous (Article 4(11); the conditions for valid consent are in Article 7). You have to take into account new practices such as:

1. New opt-in rules: consent must be a clear affirmative action, so pre-ticked boxes, silence, or inactivity do not count.

2. A system that stores proof of consent: who consented, when, how, and to which wording.

3. A procedure through which individuals can ask what you hold about them, have it erased, and confirm that the erasure happened.

The GDPR applies to both B2B and B2C businesses. Whether you may email existing customers under a "soft opt-in" is a question of the ePrivacy rules in each member state (such as the UK's PECR), not of the GDPR, and the processing behind it must still satisfy the GDPR; an opt-out-only approach does not amount to consent.
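As an added example (not code from the original article), the following Python sketch shows what a "consent storing system with proof" from point 2 above can look like: an append-only ledger in which every grant or withdrawal is chained to the previous event by SHA-256, so that an export handed to a data subject or a supervisory authority can be checked for tampering, and in which consent is tracked per purpose. The class and field names, the purpose strings, and the sample addresses are assumptions made for the demonstration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Added example, not from the original article: a minimal append-only consent
# ledger. Every event (grant or withdrawal) is chained to the previous one by
# SHA-256, so an exported record can be checked for tampering when a data
# subject or a supervisory authority asks for proof of consent.
# All names, field layouts and sample data here are assumptions.

GENESIS = "0" * 64  # prev_hash of the very first event


def _canonical(event: dict) -> bytes:
    # Deterministic encoding (sorted keys, no whitespace) so the hash is stable.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


class ConsentLedger:
    def __init__(self):
        self.events = []

    def _append(self, email, purpose, action, source, text_version, when):
        event = {
            "email": email.strip().lower(),
            "purpose": purpose,            # consent is purpose-specific, e.g. "newsletter"
            "action": action,              # "grant" or "withdraw"
            "source": source,              # where it was collected: form URL, API, unsubscribe link
            "text_version": text_version,  # version id of the exact wording shown at the time
            "timestamp": when.isoformat(),
            "prev_hash": self.events[-1]["hash"] if self.events else GENESIS,
        }
        event["hash"] = hashlib.sha256(_canonical(event)).hexdigest()
        self.events.append(event)
        return event

    def grant(self, email, purpose, source, text_version, when=None):
        return self._append(email, purpose, "grant", source, text_version,
                            when or datetime.now(timezone.utc))

    def withdraw(self, email, purpose, source, when=None):
        # Withdrawal is a new event, never a deletion of the grant: the history is the proof.
        return self._append(email, purpose, "withdraw", source, "n/a",
                            when or datetime.now(timezone.utc))

    def has_consent(self, email, purpose) -> bool:
        # The latest event for this (subject, purpose) pair decides; no event means no consent.
        email = email.strip().lower()
        state = False
        for ev in self.events:
            if ev["email"] == email and ev["purpose"] == purpose:
                state = ev["action"] == "grant"
        return state

    def proof(self, email):
        # Every consent event held about one subject: what an access request reply needs.
        email = email.strip().lower()
        return [ev for ev in self.events if ev["email"] == email]

    def verify(self) -> bool:
        # Recompute every hash and link; False if any event was edited, reordered or dropped.
        prev = GENESIS
        for ev in self.events:
            body = {k: v for k, v in ev.items() if k != "hash"}
            if body["prev_hash"] != prev:
                return False
            if hashlib.sha256(_canonical(body)).hexdigest() != ev["hash"]:
                return False
            prev = ev["hash"]
        return True


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("Alice@Example.com", "newsletter", "https://example.com/signup", "v3")
    print(ledger.has_consent("alice@example.com", "newsletter"))       # True
    print(ledger.has_consent("alice@example.com", "partner-offers"))   # False: different purpose
    ledger.withdraw("alice@example.com", "newsletter", "unsubscribe-link")
    print(ledger.has_consent("alice@example.com", "newsletter"))       # False
    print(ledger.verify())                                             # True
```

The point of the chain is accountability rather than secrecy: the ledger still holds the address in clear, so it must itself be access-controlled, and in production the head hash would be anchored somewhere outside the database (a signed daily digest, for instance) so that an attacker with write access cannot simply rebuild the whole chain.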

Apart from that, you have to check third-party data. Any third party that handles the data for you (your email service provider, CRM, or list vendor) must process and store it in line with the GDPR, under a written processing contract (Article 28). Transfers of personal data outside the EU/EEA are allowed only to countries covered by an adequacy decision, or under appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules (Articles 44 to 49).

The scope of GDPR also covers profiling. Individuals have an unconditional right to object to profiling for direct marketing purposes (Article 21), so segmentation and scoring of prospects must respect that; otherwise you risk a fine.

Appoint a data protection officer where the GDPR requires one (Article 37: public authorities, and organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data), or voluntarily otherwise.

What is GDPR compliance?

Under the GDPR, companies and other organisations must be transparent towards data subjects in the EU. They have to state clearly what data they are collecting, how they will use it, from which source they are gathering it, where they are storing it, and whether they will share it with anyone else. Every processing activity needs a lawful basis; for marketing email that is usually consent or, in the B2B context discussed below, legitimate interest.

If they later plan to use the data for a different, incompatible purpose, they must inform the individuals and, where consent is the basis, obtain it afresh. The GDPR also requires safeguards for data transfers across borders. State in your privacy policy where data is stored and processed, including any servers in other countries.

Individuals have the right to access the personal data you hold about them (Article 15) and to have inaccurate data corrected (Article 16). They can have their data erased (Article 17) or receive it in a portable format in order to switch to another service (Article 20). When someone withdraws consent or objects, the company must stop the processing, erase the data from every system where it is held unless another legal ground applies, and inform any recipients the data was shared with (Article 19).

Businesses must keep records of their processes: for example, how people opt in to marketing lists, and what measures protect sensitive information. Data subjects and supervisory authorities can ask for evidence, so the records must be complete enough to serve as proof.

Organisations must notify the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals (Article 33). Where the breach is likely to result in a high risk to individuals, the affected people must also be told without undue delay (Article 34).

Non-compliance with the GDPR carries severe consequences, including heavy fines: up to €20 million or 4% of the company's worldwide annual turnover, whichever is higher.

How to send GDPR compliant b2b cold email?

GDPR mainly focuses on protecting the personal data of people in the EU. Cold email to a named business contact normally relies on legitimate interest rather than consent, so here are a few points to follow to send a GDPR-compliant business email:

1. Appropriate Targeted Prospecting

As per the data minimization principle, the personal data you collect must be adequate, relevant, and limited to what is necessary for the processing purpose. Be precise about your ideal prospects and segments, and customize your copy and campaigns accordingly.

2. State Your Legitimate Interest In Email Copy

Specify in the email why you are contacting this particular prospect, how your offering is relevant to that person, and how you obtained and processed their data in order to contact them.

Article 6(1)(f) of GDPR states that processing is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Your legitimate interest can be contested, so you must balance it against the individual's interests before sending. Whatever you offer should relate to the recipient's specific business role and to the business activity their company declares.

Do some background research beforehand, and give some of that context in the email copy.

You can add the following three pieces of information to support legitimate interest in your email copy:

1. A statement

It should state how you obtained and processed the individual's data.

2. A brief explanation

It should specify precisely why you are processing their data.

3. Instructions of change/removal

It should give instructions for the procedure by which recipients can have their data changed or removed.

3. The Option to Unsubscribe/Opt-out

Whoever sends cold business emails must give recipients a clear way to opt out or unsubscribe. Recipients have an unconditional right to object to direct marketing (Article 21), and can also exercise their rights to erasure and to restriction of processing.

For this, you can add an unsubscribe link at the bottom of the email.

The opt-out process needs to be simple and easy to follow, and you must actually enforce it on your side: a suppression record has to stop every later send, including sends from other lists or tools that hold the same address.

4. Clean and maintain your database regularly

Check your CRM database regularly and keep it up to date. Delete unresponsive or inactive leads, whose data you no longer have a reason to keep.

Assign labels and tags that record where each record came from, on what basis you process it, and what the person has consented to or objected to. Some companies outsource this data cleansing, in which case the vendor is a processor and needs a processing contract.

Data security is essential. Your software and systems must support GDPR compliance: restrict data access to the people who need it, keep a record of who has which level of access, and consider pseudonymizing (for example, replacing addresses with keyed hashes), anonymizing, or encrypting data so that a leak exposes less. Ultimately, your systems and processes should be secure.
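Pseudonymization and opt-out enforcement fit together, so here is one added example (not code from the original article) that serves both the unsubscribe point above and the security note: a suppression list that stores only keyed HMAC-SHA256 pseudonyms of addresses, checked at send time, alongside a small function showing why an unkeyed hash is not pseudonymization, because a list of likely addresses reverses it by trial. The key, the normalization rule, the class name and the sample addresses are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Added example, not from the original article: a suppression (opt-out) list
# holding keyed pseudonyms instead of email addresses, enforced at send time.
# The HMAC key, the normalization rule and the sample addresses are assumptions.


def normalize(email: str) -> str:
    # Same address, same pseudonym: trim and lowercase. Provider-specific rules
    # such as Gmail dot-folding are deliberately not applied here, since they
    # could merge what are distinct identities at other providers.
    return email.strip().lower()


def pseudonym(email: str, key: bytes) -> str:
    # Keyed HMAC-SHA256: without the key nobody can rebuild the address -> pseudonym
    # mapping, which is exactly what a plain SHA-256 of an address allows by enumeration.
    return hmac.new(key, normalize(email).encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(email: str) -> str:
    # The naive "anonymization" used for comparison below.
    return hashlib.sha256(normalize(email).encode()).hexdigest()


def guess_unkeyed(target_hash: str, candidates):
    # Reverses an unkeyed hash by trying a list of likely addresses; returns the
    # matching address or None. Demonstrates why unkeyed hashing does not pseudonymize.
    for candidate in candidates:
        if unkeyed_hash(candidate) == target_hash:
            return candidate
    return None


class SuppressionList:
    def __init__(self, key: bytes):
        self._key = key
        self._blocked = set()

    def unsubscribe(self, email: str) -> None:
        # Store only the pseudonym; the raw address never enters this table.
        self._blocked.add(pseudonym(email, self._key))

    def is_suppressed(self, email: str) -> bool:
        return pseudonym(email, self._key) in self._blocked

    def filter_recipients(self, recipients):
        # Enforce the opt-out when the campaign is assembled, not only when the
        # request arrives: every later send from any list passes through here.
        return [r for r in recipients if not self.is_suppressed(r)]


if __name__ == "__main__":
    # In production the key comes from a secret store and is never hard-coded.
    key = secrets.token_bytes(32)
    suppression = SuppressionList(key)
    suppression.unsubscribe("Bob@Example.com ")
    print(suppression.filter_recipients(["bob@example.com", "carol@example.com"]))
    # ['carol@example.com']
    print(guess_unkeyed(unkeyed_hash("bob@example.com"),
                        ["alice@example.com", "bob@example.com"]))
    # bob@example.com: the unkeyed hash is reversed by trial
```

Two design points matter in practice: the same key must be used by every tool that checks the list, or the same address will pseudonymize differently and slip through; and the key has to be managed as a secret, because whoever holds it can link pseudonyms back to people, which is why the GDPR treats keyed pseudonymized data as still personal.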

5. Be prepared for GDPR questions and complaints

You should be ready with an informative reply to fundamental questions and complaints from prospects, such as a request for the source of their data or for its erasure.

Supported by the relevant records, answer such questions reasonably and explain your stance clearly; access requests have to be answered within one month (Article 12).

So, that's how you can send B2B cold emails while adhering to the GDPR.
