A practical guide to GDPR and email marketing – Part 1: The data auditing essentials


Posted by: Gareth Hughes


Part 1: The data auditing essentials

So where do we start when it comes to GDPR? First and foremost, it’s important not to be scared by the changes to the legislation. In fact, as marketers, it’s something we should welcome as it brings more clarity as to what we can and can’t do with data.

You’ll have a more engaged database (which means increased conversion rates), you’ll spend less on the volume of emails you send and this is the perfect opportunity to ensure your database is fresh.

The first step in doing this is to audit all of the data you hold on the subscribers to your email marketing lists. This means finding out where it’s stored, where it came from, what you use it for and how you use it.

Whether that’s sign ups from your website, transactions from your ecommerce store or email addresses you’ve collected at a trade show, make sure you know what you’ve got and where it came from.

Here’s some guidance to help you:

What data do you hold? This will vary hugely from business to business. It might be you only hold an email address or, equally, you might have detailed profiles for each of your contacts. When you audit your data, make sure you know what data you hold, why you have that data and why you use it.

Where does this data come from? You should also know where each subscriber to your list comes from and when they joined. Have they signed up through your website? Are they a customer? Did they enter a competition you were running? Did they give you a business card at a trade show or networking event? It’s important you map out every source of your data – and if you’re following best practice guidelines for email marketing you will know this already.

How often do you send emails to your database? Again, for best practice, you should know how frequently you send emails and who they are being sent to.

How engaged is your database? An engaged subscriber is someone who is opening or clicking on your emails, although as a rule of thumb, subscribers who click on links in your emails are more engaged than those who just open them. As best practice, you shouldn’t be sending emails to people who aren’t engaging with you, that’s why at Jarrang we often only send to an ‘engaged’ segment – for example to someone who has opened or clicked on an email in a 12 month period. How this engagement segment is defined will vary from business to business.

For example, if a hotel had a guest two years ago and they stayed once, and their email data was collected legitimately for email marketing purposes and they have been sending to them regularly in that time, but they haven’t opened a single email, they should probably delete them from their database. The same goes for data they collected over two years ago who haven’t been sent a single email – there’s no way a regular sending pattern can be proved, let alone engagement, and the chances are they won’t be interested anyway.

Ben Travers, Head of IP and IT at Stephens Scown, adds: “There is no set time frame under GDPR for removing a contact from your database. Once you have carried out a data audit you can then decide on a series of compliant policies relating to how long you hold customer Personally Identifiable Information (PII). To arrive at this you can look at the transactional history of current customers and measure their purchasing lifecycle. This fits into something called the Privacy by Design concept and the need under GDPR for accurate records of processing.”

How do you manage your lists, including unsubscribes and bounces? We’ve worked with hundreds of business and have seen it all when it comes to list management. Typically, businesses tend to have multiple lists in many different places. You need to know how these lists are managed and how you manage your unsubscribes and bounces in order to be compliant with GDPR. Again, if you already follow best practice guidelines, you should already be doing this.

In summary…

  • Carry out an audit on all your data
  • Gather all your different ‘pots’ of data into one place
  • Establish what data you have an where it comes from
  • Confirm the engagement rates of your database
  • Have a plan in place for cleaning your data and updating your privacy policies

In Part 2 we will answering the question: “Can we carry on sending emails to our existing database?”

Get your practical guide to GDPR & email marketing


Download the Guide