Email Marketing List GDPR

[mekondelta]

Ive just started working with an organisation as a web developer/tech support. They didnt even have a cookie banner which made me wonder whether they'd done any GDPR compliance. Which it appears they havent. The organisation is slightly complicated as they are a seperate part of a larger organisation, something I dont really understand, so theyve got a link to the parent organisations privacy policy but that is it I think. They have a number of external data processors that are specific to the child organisation and they are controlling and processing data via the website and another couple of applications. Ive spent the last week or so trying to get things in shape and was involved in GDPR compliance project at a previous organisation so I know a bit but I'm not an expert. Just working my way through checklists. One thing I remember, but cant specifically find reference to in the lists I am using is getting consent 'retroactively' for email newsletter signups. They have about 30000 contacts in one of the major email marketing service providers. At this point it would seem a strange email to send to their contacts 'we missed the deadline by over a year, but would you be ok for us to continue emailing you'. Have I got this correct that this needs to be done? I seem to remember previous org getting explicit opt ins on all previously gathered contacts...

 

[Mike Kilby PC.dp]

Email Marketing Lists come under the Privacy and Electronic Communications Regulations 2003 and nothing has changed. Despite the hype in early 2018 about gathering consent, these rules have been in place for 15 or so years and haven't changed, so if the list was compliant before, it probably is now.

If the emails are "corporate subscribers", i.e people at Limited Companies, plc's or government departments, you don't need consent and can email them providing you give them an opportunity to opt out of future mailings. You would need to complete a Legitimate Interest Assessment for this which would document why you think you can email them.

If the emails are "individuals" (so not Ltd, plc, gov but including sole traders and partnership businesses), then you would need explicit consent. Simply put, for individuals, it must have been an explicit "sign up to receive", or tick this box to receive type message at the point of gathering the email addresses.

You could likely get away with an email along the lines of, "thanks for subscribing to our email newsletter in the past. We'd just like to check you'd still like to receive it and if you don't that's fine, just click the link below to tell us yes, or no" and assume that if they don't respond, they've either not read the email in which case there's no point emailing them, or they don't actually want to receive it any more.

Any email sent should include a link to your privacy policy and specifically, an unsubscribe/opt out of future mailings.

 

[mekondelta]

Many thanks Mike, thats really helpful.