Email marketing is big business. MarTech Advisor reports that it is the best-performing channel for a company’s ROI, and 61% of consumers prefer to receive offers via email, as opposed to only 5% who prefer social media offers. However, many organizations are concerned about how the GDPR, the European Union’s new, sweeping data privacy law, will impact their email marketing programs. The concern is valid; organizations found to be out of compliance can be fined up to 20 million euros (approximately $24.6 million) or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

With the May 25, 2018 deadline to comply with the GDPR fast approaching, here are five things all organizations need to know about the GDPR and their email marketing programs.

1. Companies outside Europe must comply with the GDPR, too.

Even though the GDPR compliance deadline is almost here, many companies in the U.S. still aren’t prepared; quite a few of them erroneously believe that the GDPR does not apply to them. Compliance with the GDPR is not based on where your organization is located, but on where your customers are located. If you collect or process personal data of individuals who are in the European Union, whether because you offer them goods or services (paid or free) or because you monitor their behavior, such as tracking email opens and clicks, you must comply with the GDPR, regardless of where your servers or offices sit. Note that the GDPR protects natural persons; the data of companies as such is not covered, but the data of the individual contacts at those companies is.

2. Marketers must get explicit permission to send communications, using clear, simple language, and keep a record of it.

The GDPR puts an end to black-hat and gray-hat marketing tactics such as using pre-checked boxes to automatically subscribe users to mailing lists (they’re prohibited), combining multiple agreements into one box (also a no-no), or burying information regarding opt-in and opt-out in a mountain of legalese. Marketers must now get users’ “freely given, specific, informed and unambiguous” consent to receive email or text communications, and withdrawing that consent must be as easy as giving it. In clear, simple language, users must be informed what data is being collected from them, how it will be used, and how they can opt out and have their data deleted. Marketers must also keep records of when and how subscribers consented to communications, including what they were told at the time, and be able to produce this proof on demand.

3. Marketers must let subscribers be “forgotten.”

Under the GDPR, users will have a “right to be forgotten” (formally, the right to erasure). Upon demand, organizations will have to scrub all trace of a user from their systems, or at least anonymize the data, and pass the request on to any vendors holding copies. The right is not absolute; data that must be kept to meet a legal obligation or to defend legal claims may be retained, but marketing lists and tracking data rarely qualify for those exceptions. Respond promptly: the GDPR expects a reply within one month in most cases.

4. Marketers must ensure data security.

In addition to data privacy, the GDPR addresses data security. Organizations will be required to bake data protection into their products, policies, procedures, and systems from day one (“data protection by design and by default”) and to maintain security measures appropriate to the risk. Personal data breaches must be reported to the supervisory authority within 72 hours of the organization becoming aware of them, unless the breach is unlikely to put individuals at risk, and the affected individuals must be notified without undue delay when the breach is likely to result in a high risk to them. Organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of sensitive categories of data, will have to appoint a Data Protection Officer (DPO).

5. Organizations can’t pass the buck if a third-party vendor is breached.

If your organization outsources its email marketing, be aware that the GDPR will hold your organization responsible, as the data controller, if that company, or any other third-party vendor that processes or stores information for you, is breached or found to be out of compliance. The GDPR also requires a written contract with each such processor that spells out what it may do with the data, its security obligations, and its duty to report breaches to you. Make sure you do business only with reputable service providers that are compliant with the GDPR, and check that the contract covers any sub-processors they use.

The GDPR Is an Opportunity for Savvy Firms

Rather than seeing the GDPR as a regulatory burden, smart email marketers will see it as an opportunity to improve their data governance, cyber security, and ROI. Ensuring that marketing emails are being sent only to subscribers who are truly interested in receiving the messages and demonstrating to customers that their data privacy matters to the organization will increase conversion rates and build brand loyalty.

Is your organization prepared for the GDPR? Click here to take Continuum GRC’s free GDPR readiness assessment and download your report today.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.