From scaremongering and the dissemination of misguided information through to many brands and businesses hitting the panic button as they scrambled to ensure they were compliant, GDPR (the General Data Protection Regulation) was impossible to avoid in 2018.
So much so, the mere mention of those four letters was enough to make customers and marketers alike roll their eyes in exasperation and break out into a cold sweat. The flood of emails hitting inboxes was unprecedented. In fact, on May 24th, 2018, there was a 27% increase in the number of emails sent when compared to Black Friday in 2017 (Litmus) – typically the busiest day for emails in the calendar year. Then Judgement Day (May 25th, 2018) came and went. GDPR became law. Up and down the land there were collective sighs of relief as “Thank God it’s over” was muttered in offices from Newquay to Newcastle.
And that’s when the time bomb started to tick. For GDPR is many things, but one thing it certainly isn’t is ‘over.’ We don’t live in a post-GDPR world; we now simply live in a world where GDPR is the norm, and staying compliant with the new regulations means every business has to have its house in order. It’s not a case of adopting the mantra ‘set it and forget it’; GDPR compliance requires constant work.
Stafford Sumner, Founder and Managing Director at Jarrang, explains more: “We’re asked, on a weekly basis: ‘What should we do if things go wrong?’ Businesses are especially worried after, earlier this summer, the ICO (Information Commissioner’s Office) handed out fines totalling nearly £300 million to British Airways and Marriott for GDPR infringements.
“If you’re a marketing manager or an owner/operator of a business, the most important step you can take in relation to GDPR and email marketing is to make sure your database is in the best possible shape. This means having a master list – rather than lots of different, smaller lists – to manage all your email marketing data, making sure you are suppressing unsubscribed and non-compliant contacts, and tagging the different groups to which they might belong for future targeted messaging.
“It means only collecting data from your contacts that will help you send better email marketing campaigns to them. By only collecting the data you need to execute your email marketing strategy, you can significantly reduce your risk in the event of a data breach. Ask yourself if collecting something like dates of birth from your contacts is really necessary to the success of your email marketing.
“It also means removing contacts from your database who aren’t engaging with your content. Set yourself a policy and stick to it. For example, if someone hasn’t engaged with you – whether that’s buying a product or service, or opening an email – for the last two years, is it worth keeping them and is it legally compliant? If not, set a process to automatically delete them.”
Taking the time to put systems, procedures and processes in place is something echoed by Robert Brooks, Data Protection Specialist and Privacy Officer from Stephens Scown, one of the UK’s leading law firms.
“The first thing we tell our clients is not to panic,” he says. “It’s incredibly important to have processes and procedures in place to follow if something goes wrong – like accidentally sending an email marketing campaign to people who you don’t have permission to contact.
“Where we’ve assisted clients and notified the ICO of potential issues, and the client has the right systems and procedures in place – especially where we act as their virtual data protection officer – because they’ve done the training and reacted in a swift manner, there’s nothing the ICO could really do apart from say it came down to human error and they’re not in the business of lining people up against the wall.
“So far they’ve been taking a fairly pragmatic view of it. Where correct elements have been in place there have been no prosecutions and very little has come of it other than a few action points to take.”
Being prepared is a sentiment shared by Ian White, Branch Director at Lorica Insurance Brokers, who adds: “If you’ve clearly got processes in place and you’ve been seen to do all your due diligence then I think common sense would prevail if the ICO becomes involved after a data breach, like if you use data without consent.
“However, we’re now seeing the strict penalties promised by GDPR coming to fruition and that’s why there’s huge value in businesses having a strong cyber-insurance policy in place. These types of policies ensure you’re covered if you have a privacy breach. For example, a privacy liability clause provides cover for privacy infringement claims and associated legal costs in the event of a breach, which is critical to all organisations that handle or store personal information.
“These types of policies also cover business interruption loss, cyber extortion and reputational damage, among other areas.”
Stafford Sumner concludes: “Essentially, you need to think of the GDPR in the same way as you do health and safety – it’s an essential component of running your business and prevention is better than cure. If you ignore GDPR, you do so at your peril and, if you fail to act, you’re sitting on a ticking time bomb, as British Airways and Marriott discovered.
“We said last year that, once the ICO had caught up with its workload, the fines would start and we’ve seen this come to fruition. Thankfully, avoiding them is relatively straightforward providing you take the necessary steps and work with experts like Jarrang, Stephens Scown and Lorica Insurance Brokers to help safeguard your business and reduce your risk of being in breach of GDPR.”
For further information on the next steps you can take, download this free guide – Navigating Email Marketing & Data Compliance (created by Jarrang and Stephens Scown) – and learn how to manage your email marketing data more effectively.