Ironically, GDPR demands privacy policies and terms of conditions to be written in simple language anyone can understand, while the regulation itself seems to be difficult to interpret for people around the world.
It is in light of these doubts that we are sharing this overview of GDPR and why it is important, especially when it comes to sending emails.
Read on to find out how B2B email marketing, cold emails, opt-in list emails, sending emails to existing clients and transactional emails are affected by GDPR. In the summary of this post, you will also find a link to download our Checklist for GDPR Compliant Emails.
Table of Contents
- What is GDPR?
- Why was GDPR created?
- Which countries does GDPR cover?
- Which organisations does GDPR apply to?
- What is personal data in terms of GDPR?
- Where can data be stored under GDPR?
- What does GDPR mean for companies?
- How will GDPR affect email prospecting and marketing?
- In short – How to send GDPR compliant B2B cold emails
What is GDPR?
This is precisely why GDPR was created – data protection. Whenever you are feeling it is unfair, remember that.
Why was GDPR created?
GDPR is all about protecting personal data of EU citizens, ensuring that their information is secure, and not about digital marketing nor outbound sales.
Naturally, since digital marketing nor outbound sales, demand processing personal data, GDPR will make some operations more complicated, although it will in turn benefit your business in some ways.
Which countries does GDPR cover?
General Data Protection Regulation covers countries of the European Union and its citizens’ data, wherever in the world it might be processed.
Which organisations does GDPR apply to?
GDPR applies to any organization or entity which processes data of EU citizens, regardless of where in the world that data is actually processed.
If EU citizens are your:
or cold email targets
Even if your company is not in the EU, you must be GDPR compliant.
What is personal data in terms of GDPR?
But, is an email address PII?
Check out the following personal data examples from the GDPR email policy:
email@example.com does count as personal data. It is a work email address of a specific person within a company. The corporate email points at an individual at a business.
firstname.lastname@example.org does count as personal data. It is the email address of one specific person.
email@example.com does not count as personal data. It is a generic business email address which helps you determine the company, but not one specific person.
Where can data be stored under GDPR?
GDPR does not specify your storage options, but your in-house, in the cloud or hybrid storage option must be easily accessible and manageable with privacy and protection as its foundation.
Moreover, you will have to understand your infrastructure and data architecture and that of any third-party services that you might use. Any customer relationship management (CRM) storage option that you use must be GDPR compliant.
What does GDPR mean for companies?
A company should appoint either a Data Protection Officer or a Data Protection Specialist, depending on the level of sensitive data processing you conduct.
You don’t actually have to hire a new person, you can pick someone from your team.
If your company does not process sensitive data, it is enough to appoint a Data Protection Specialist to make sure that the company’s policies on processing data are updated, clear and applicable.
If there are high risks (to rights and freedoms of EU citizens) during personal data processing at your company, you have to appoint a Data Protection Officer.
What type of personal data does your company process?
How is that data processed?
Which third-party services do you use in your data processing?
How can the data owners edit their data?
How can the data owners delete all their data from your database?
How can the data owners report a breach of GDPR to you?
A good idea to avoid GDPR fines (up to €20 million, or 4% of last year’s revenue, whichever is higher) would be to assess risks for your company.
For starters, identify whether you are a data controller or a data processor.
Who is a data controller?
Even when the controller does not process data on their own, but uses a third-party service, they are still in control of the data, having specified the ways in which it will be used and therefore, the responsible person.
Who is a data processor?
Market Republic is actually a data processor. That means that we work according to our clients’ instructions. Whether it is account and contact data list building or SDR outsourcing, our services are GDPR compliant.
How will GDPR affect email prospecting and marketing?
Let’s say this once again – GDPR is not here to kill email marketing. Email marketing and sales emails under GDPR will actually reap some benefits for you conversion rates as well as database maintenance.
However, as a collateral of data protection efforts, the ways in which companies go about it will become more regulated.
Targeting and accuracy of email lists will have to reach a whole other level, and you will have to find out exactly when consent is required (this can differ from country to country, but more on this later in the article).
Follow these GDPR principles to avoid fines
GDPR outlines six principles that organizations must comply to when dealing with personal data:
Lawfulness, fairness and transparency
Integrity and confidentiality
Lawfulness, fairness and transparency
According to the first principle, organizations have to regulate their data collection processes to avoid breaking the law. They have to make sure that their data subjects know exactly what kind of data they collect as well as the reason for collecting it.
Personal data should only be collected for specific purposes which are clearly explained, and should not be kept for longer than necessary for that purpose to be completed.
Only the personal data needed for a specific purpose is to be processed. If sending cold emails is the purpose for data collecting, then there is no need for you to collect a prospect’s phone number.
Inaccurate or incomplete data has to be edited, updated or erased. Data owners have the right to request that their data is edited or erased within 30 days of placing such request.
Personal data collected must be deleted when it is no longer needed. It is argued that companies should keep the data for as long as the data owner is considered a customer. However, this time period differs from country to country so we recommend that you consult your lawyer.
Integrity and confidentiality
GDPR holds that security measures must be taken to ensure that personal data is protected against unauthorised or unlawful processing of the data, destruction or damage. The organization is also required to possess documentation to be able to prove this.
Now that we have gone over these principles, let’s review emailing under GDPR and principles directly affecting these practices.
Can you cold email according to GDPR?
In short, the answer is yes, but not like before. While sending unsolicited emails is still allowed, your usual practice will have to be modified to be in compliance with the principles of GDPR.
Lawfulness, fairness and transparency – How you got their data
Whether you are making you contact list yourself or having someone make it for you, the manner in which you obtain this data has to be legal, fair and transparent.
What this actually means is that if someone asks you about where and how you obtained their personal data, you have to be able to clearly answer this question. Be clear and honest when you tell them how you did this – legally, fairly and transparently.
Data minimisation and purpose limitation – Have a legitimate interest
The age of “spraying and praying” is officially behind us.
Emailing a huge list of random contacts is intrusive and a violation of GDPR.
In addition, when you consider the fact that you will be emailing people who have never heard of your services or do not in the least need them, it is a waste of time and money.
You have to target someone who could actually benefit from what you are offering, someone who is logically a potential customer.
Forget about quantity and focus on quality instead.
Spend time researching and then customize cold emails. Having a cold email sent to a person that you know needs your product, and having it personalized to their needs seems like time spent much better.
It actually heightens the chance of your prospect converting, an instance in which GDPR proves good for business.
However, remember that whether this is allowed depends on the Member State and is something that you should look into.
Even if the offer is relevant for the owner of the business address, Germany, Austria, Spain and Italy still demand that you get consent first. It is therefore suggested that your initial email asks for consent before resuming marketing or sales activities. Another option would be to call the company phone and get consent that way.
On the other hand, in the United Kingdom, France, Finland, Ireland and Sweden, sending such emails is perfectly okay.
If you have properly researched and targeted, your prospect should not be surprised to receive an email from you. You would not be surprised to see a tutoring ad at your University, would you?
As soon as they read the cold email, they should be able to make a logical connection between what you do and what they do under what is known as legitimate interest, a lawful reason for data processing.
Data sourcing under legitimate interest, which Market Republic does, is one of the best ways to collect data. The lists are up to date (data is 2-3 days old at max), the data is 98% accurate and really strict ICP and buyer persona profiles are defined according to legitimate interest.
Nonetheless, there are certain aspects that have to be included in your cold email:
When emailing an individual at a business, you have to let them know that you are processing their data;
You have to be able to clearly tell them why they are on your prospect list;
You have to include instructions on how the recipient can edit their data, exercise the right to be forgotten and the right to assist in data deletion.
As far as limitedness goes, collect only the data you need. By collecting data that you do not have a plan for, you are only heightening the risks in case of a data breach and making your database more difficult to access and manage.
Therefore, if you do not plan on calling your prospect, their phone number is completely unnecessary. That is the precisely what the principle of data minimisation entails.
And there is a bonus – not only will respecting this rule mean that you are GDPR compliant, but it will also make your database less cluttered.
Accuracy – Update, edit and clean your database regularly
Make sure that your obtained data is accurate and updated. Enable and clearly describe to your contacts the process of editing their data or having it removed altogether.
Or this is another service that Market Republic can provide you with – we can update or source your data according to your specific instructions.
As was already said, be sure to include a way for the recipient to edit or delete their data in your cold email.
There is no rule about how this should be formulated except that it should be clear and simple.
Storage limitations – Keep data no longer than you need it
A new principle introduced by this regulation, it refers to the fact that you shouldn’t process data for longer than was intended for the original purpose. However, the time frame necessary is not specified by GDPR.
We suggest researching your industry to figure out how long without a reply shows that the recipient is not interested in your product. Their data should then be deleted.
What about opt-in lists? Is my email GDPR compliant?
Sending marketing emails to your opt-in lists is still allowed, as long as your list and emails are in compliance with the principles of GDPR.
Lawfulness, fairness and transparency – Tell people exactly what they sign up for
As far as opt-in lists go, you have to tell people exactly what they are signing up for.
If you tell them that it is so that you can email them the magnet checklist, then do not send anything else. If you plan on emailing them again or forwarding their address to the sales department, they need to be told that when filling out the form. Send email newsletters as frequently as you first intended. Be transparent.
And one more thing – if there are any checkboxes on the mailing list sign up form, they have to be unchecked by default. GDPR is all about active consent.
Double opt-ins are not in the official GDPR email rules, although they could be useful in documenting when, why and how consent was expressed.
Check out the infographic below for some GDPR email marketing consent form examples:
Data minimisation and purpose limitation – Only collect the data that you need
This might be starting to sound repetitive, but collect only the data that you need.
Do not make an opt-in form with ten fields, six of which you do not even have a plan for. If it is an email subscription, it’s more than likely that you won’t need the person’s phone number. Finally, justify what you need the certain data for on the form.
Accuracy – Update, edit and clean your email lists
Just like your prospect lists, your opt-in lists should be accurate and up to date.
Every email that you send out needs to have clear instructions that allow the data owner to edit or delete their data altogether.
Moreover, they need to have an option to opt-out of the list. Note that the form this is supposed to be in is not specified by the regulation.
The “unsubscribe” button in every email has become the norm for this, but you can do it in any manner, as long as it is clear and simple.
Reminding the data owner of the way they first opted-in to this list should be included as well.
For example, take a look at Woodpecker’s GDPR compliant Mailchimp email footer which includes this information:
Storage limitation – Keep data until said otherwise
In contrast to cold emailing, since the person gave consent to what you were offering, it is okay to process their data until they withdraw said consent.
Can I still email existing customers?
Yes! As the result of a business agreement, you can process client’s data for its duration. The question posed here is how long after the expiration of the agreement is the data owner still considered a customer.
After the agreement expires, the exact time frame for data processing depends on the laws of the country your company is founded in. Definitely look into this depending on the location.
Can you send transactional emails?
Yes! Although it does fall under GDPR because invoices contain personal data, for the most part you will be able to legally keep such data.
For accounting obligations, as businesses are obligated to produce taxation reports and financial records, you are able to keep contact details and contact history.
As for B2C marketing, you would have to have them explicitly opt-in at the time of purchase with the checkbox unchecked by default.
When it comes to business to business marketing under GDPR, you can do this based on legitimate interest which has been discussed previously.
In both cases, the users have to have the option to withdraw consent.
In short – How to send GDPR compliant B2B cold emails
GDPR cold email requirements are as follows:
The email should be targeted and relevant
Justify legitimate interest
Have easy opt-out options
Clean your database at regular intervals
Have justifications ready in case of complaints
1. The email should be targeted and relevant
Collect only the data you need. Moreover, you have to make sure to target the right people who would actually benefit from your service. They shouldn’t be surprised to receive an email from you. The collaboration between the two of you should seem like a logical possibility.
2. Justify legitimate interest
You have to be able to explain why the company you emailed is a legitimate interest, and include the explanation in your email. It is suggested that you check out whether your service supports one of the company’s aims, their client history for similar companies, etc.
In your email include the following:
Statement letting them know that you are processing their data
Justification on why they are on your prospect list
Instructions on opting-out or editing their data
3. Have easy opt-out options
There is not one appropriate form for this. It only needs to be easy and quick. Once someone opts-out, you should immediately delete them from your database.
However, note that some countries demands opt-ins prior to sending cold emails. Moreover, under GDPR, the opt-in boxes should be unchecked by default. You need active consent.
4. Clean your database at regular intervals
You shouldn’t keep personal data for longer than it is necessary. There is no established time period for deleting the data, but some norm is that you should delete it after 30 days with no response.
5. Have justifications ready in case of complaints
Although your cold emails are probably targeted precisely, they are still cold emails and some people find them intrusive.
They might make complaints or ask questions. Under GDPR, you have to be to explain to them why you have collected their data, how it has been processed, and where it is being stored.
To make sure your email doesn’t violate GDPR, download our free Checklist for GDPR Compliant Emails.
GDPR is not about ending email marketing strategies, it is here to regulate data protection and data processing by giving data owners indisputable rights of controlling their personal data. As a result, the established email marketing processes will have to be modified.
Data owners have to give you explicit consent, either email consent or through opt-in forms, as long as it is active consent, which they can withdraw at any time.
Your organisation has to be clear when justifying the collection of certain data, and may only use said data for the original purpose. After the purpose has been achieved, the data is to be destroyed.
Sending emails to a random list of people is not allowed. Contact list building should be precisely targeted and accurate. This certainly pays off in the long run, although it is time consuming. But, hey, we can help!
To increase your sales by prospect list building or SDR outsourcing, Market Republic is your best option.
Do you want to hear about how we can significantly contribute to your sales growth? Contact us!