GDPR | The Penguin in the Room Blog

Step One: Identify Those That Need to Reconfirm

If you have explicit permission from your customers that you can store their data for the express purpose you are storing their data, then you do not need to send them a re-consent email.

However, if you acquired their data via a ‘lead magnet’ (e.g. download this awesome video in return for your e-mail address!) or via a GDPR non-compliant opt-in form (e.g. a pre-ticked box or one that does not explicitly tell the customer how and why you are storing their data) then they need to re-consent.

Implied consent is not active consent and therefore is not GDPR compliant.

Step Two: Give Them A Reason To Stay

We all get flooded with e-mails we ignore and there are going to be a lot of re-consent emails flooding our inboxes in the next few months.

You want to re-affirm that your product, your brand or your content is useful to them, that it will add something to their day that they need (check out our post on how to add value to your customers this way)

You can do this in a number of ways:

Give them exclusive access to something

Give them a discount

Give them a freebie

Whatever works for your brand and your product. Weigh the value of the giveaway/discount against the value of losing their custom.

Step Three: Make It Important

You want to ask your list to take action, to re-consent, so scream it at them. Maybe put ‘ACTION NEEDED’ or ‘IMPORTANT’ in the header of your email.

You want to try and get them to reconsent before the date passes, so make your e-mail scream OPEN ME.

You can run several emails as part of one campaign, so why not try A-B testing the first and re-deploying your more successful campaign header to those who didn’t open the email the first time around?

Penguin in the Room @prartsmarketing is a group of creatives with an arts marketing dream: penguin stepping our way into the arts industry and helping other creatives flourish! Specialising in online marketing, social media, branding, copy writing, media coaching and web design for actors, artists, casting directors, agents, production companies, theatre companies and creative individuals.

This May, new Data Protection laws will be coming into place, specifically, the Data Protection Act will be replaced by the General Data Protection Regulation.

What’s the difference? The GDPR will have new rules around the storage and handling of personal information and there will be stricter punishments in place for those who fail to comply.

Why the new law? The short answer is because hackers are more easily able to access data from small to medium businesses than they are to hack huge, well-protected corporate networks.

Changes in Consent

At the moment it’s sufficient to ask someone to tick or even to untick a box in order to consent to the storage of their data.

Under the new laws, consent means active agreement. This means you cannot pre-tick a ‘subscribe me’ button.

Not only this, but companies need to be able to show a clear audit trail of consent, including screen grabs or saved consent forms.

Individuals also have the right to withdraw consent at any time, and it has to be effective and efficient. When someone withdraws consent all of their personal data must be immediately and permanently erased. It is not enough to remove them from the mailing list.

If you are subject to a data breach, you also have to inform the relevant authorities immediately and you must notify all individuals affected within 72 hours of the initial breach.

What does this mean for people that use e-mail marketing (and am I one of those people?)

If you have a newsletter that people subscribe to, or if you send e-mails to a database of people on whatever basis, this concerns you.

And it doesn’t just concern all the new data you might collect. It concerns all the data you currently have.

Any kind of personal data you keep has to follow these rules and you and you alone are responsible for being able to prove that someone has consented to have their data kept on file by you.

This means you can no longer capture e-mails through a competition and then add them into your mailing list, or you cannot auto-subscribe (for example) people that have bought a ticket to your show to your newsletter.

Does the GDPR apply to my personal blog?

The GDPR applies to all enterprises. So if you run a business from home, or if your blog/website is engaged in “economic activity” i.e. you use it to make money – this applies to you.

It does not apply to people processing personal data in the course of a purely personal or household activity. I.e. if you have your plumber’s email address on file, that’s fine. If you’re sending your plumber an email telling him that you have a new kind of product available for sale, that’s not fine.

So what do I do now?

For every e-mail address in your system, you need to go back and seek explicit permission from the person to continue to send them whatever communication you are sending them.

If you cannot provide evidence of consent, you cannot send them emails and you must delete their data permanently.

This means you will need to launch a re-permission campaign and bring your entire database up to GDPR standards.

What are the consequences of non-compliance?

Fines. These are tiered based on the level of non-compliance and the severity of the violation, and they are capped at 4% of an annual turnover of €20million.

Ouch.

Check out our next post on how to run a GDPR compliant re-consent campaign.