A practical guide to GDPR and email marketing – Part 2: Can we carry on sending emails to our existing database?


Posted by: Stafford Sumner


Part 2: Can we carry on sending emails to our existing database?

In the second instalment of our series of articles exploring the impact GDPR will have on email marketing, we’re going to answer the burning question on every marketer’s lips: “Can I carry on sending emails to my existing database?”

There’s been a huge amount of fear-mongering around GDPR, with many people now petrified they’ll have to jettison huge swathes of their email marketing database. However, we’ve always been of the view that GDPR should be welcomed. It will lead to people having a better quality database with more engaged subscribers who are more likely to convert (eg spend their money with you) alongside reducing the quantity of emails sent when the focus shifts to delivering quality, relevant emails to every subscriber.

We put the question of whether people can continue to send emails to their existing contacts to legal experts Stephens Scown, who we’re working with to bring clarity to the relationship between email marketing and GDPR.

Here’s what Partner and Head of IP and IT, Ben Travers said:

The answer to the question is, generally, yes, because you can rely on your legitimate interests as a business as the legal ground for processing this data for direct marketing purposes, providing you’ve also complied with the, still current, electronic privacy law (the Privacy and Electronic Communications Regulations). For existing B2C contacts, you can use electronic marketing where you meet the “soft opt-in” rule, this only applies where:

  • You obtained a person’s (customer) details in the course of a sale or negotiations for a sale of a product or service;
  • Where the messages are only marketing similar products or services;
  • Where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don’t opt out at this point, are given a simple way to do so in future messages.

You need to be aware that you can only rely on the “legitimate interests” ground under GDPR if you have carried out a written balancing exercise between your legitimate interests as a business and the rights the people you are emailing.

So what this means is, essentially, you can continue sending emails to your existing database and your legacy data, providing:

  • You can prove that someone has been a customer in the past (for example you have a transaction date, booking reference or date of last check-out);
  • You have been sending to them regularly with an evidenced sending pattern (e.g. once per month);
  • They have engaged with your emails or organisation ‘recently’ (eg within the last 2 years);
  • You continue to clean your list by removing unsubscribers immediately, regularly removing hard-bounces and contacts who haven’t engaged within a predetermined period of time (eg 2 years).
  • You have carried out a written balancing exercise between your interest and the rights of the people you are emailing, and their rights do not outweigh yours.

For example, take a customer who purchased something from you two years ago. During that transaction you collected their email address, and you have since emailed them once a month, with the last email they opened being two months ago. In this case it’s fine for you to continue emailing them.

For any data you collect moving forwards, where it is more prudent to rely on consent, there will need to be a specific opt-in box ticked to confirm that outside of the transaction, they would like to be contacted for marketing purposes… but there will be more on this to come!

In summary…

  • You can continue to email existing contacts in your database providing they have been a previous customer, you have been sending emails to them regularly with a regular pattern and they have engaged with your emails recently.
  • Our advice would be to take this one step further and remove or suppress contacts from your database who haven’t engaged with your emails within a 2 year period.

Please be aware there is not a ‘one size fits all’ answer regarding GDPR; every organisation is different and the specific treatment of data will depend upon on how it was originally collected and stored.

This series of articles are only looking at GDPR in relation to email marketing and do not set out to look at the wider reaches of the law, if you want specific legal advice for your own circumstances, you should contact Stephens Scown at ip.it@stephens-scown.co.uk to talk to their Data Protection Team. If you would like support with your email data management, contact Jarrang on 01326 219540.

Next up we will be looking at how we treat non-customer data, particularly in a B2B setting.

Get your practical guide to GDPR & email marketing


Download the Guide

About the author

Stafford Sumner

An expert in developing businesses through email marketing, Stafford founded Jarrang in 2003, and since then has worked with hundreds of business across the globe helping them grow and succeed.