GDPR Email Marketing Checklist: Where do you rank?

GDPR is a European Union initiative to protect users' data and rights. This is a checklist.

This is the definitive list for your GDPR email marketing, in order to be in compliance with the new EU GDP regulation, effective May 25, 2018.

We have successfully passed the ISO 27001 compliance examination and are now adding the finishing touches to our GDPR fine-tuning. Having spent a great chunk of our time on meetings with our GDPR-specialists, attorneys, GDPR updates, GDPR blog posts, GDPR documents, we gathered the steps you need to take for GDPR compliance.

Here’s the golden checklist we put together for you – it will be kept updated to the best of our knowledge, as new regulations or edits are being made:

1. Choose a GDPR-compliant tool. Wink, wink.

Choosing Moosend as your GDPR compliant tool of choice is a no-brainer for many reasons, beyond double opt-in and easy access, modification, export, and delete your data (which make part of our services’ feature gallery). Here’s a few more:
✓ We are ISO 27001 certified which, on the transparency and user-security continuum ranks higher than GDPR, to begin with.
✓ Also, we store all of our data in European Union data centers.
✓ We have scrutinizingly revised our privacy policies to adhere to new regulations, including, but not limited to, privacy policy and terms of service.
Moosend never sells or shares your personal data or your subscription data with third parties.
✓ The scope of data processing of our sub-processors is consistently and regularly audited and strictly limited to prestigious, reliable, world-class companies like Google (for Google analytics) and PayPal (for credit card transactions).

2. Create a data mapping spreadsheet.

Make a comprehensive list of the following data and information:

  • Map the total of personal data you are a holder of.
    Consider the exact custom fields (categories of personal data) you ask of your subscribers. These could be first names, last names, birthdays, email addresses, contracts, decision-maker names, signatures, and so on. Essentially, anything that can be matched directly or indirectly to a specific individual’s identity is considered to be personal data. Transfer all this information over to a spreadsheet. Use the final document as an overview of what you use and for what. Grab a spreadsheet template here and here to get started right away!
  • Map individuals’ access to this data.
    This is a a very crucial step, but just before you get started determining who can access your users’ personal data, it is important to raise awareness among your employees about the new privacy protection regulations. In that context, an open mindset and corporate culture and an encouraging mentality towards supporting and implementing data-protection compliance throughout the practices of the business is essential. Precisely, it will help ensure that all stakeholders realize their level of responsibility when accessing or processing this data. The individuals could be internal or external to your business, namely members of staff or third-party solution providers (i.e. software you use). For example, if you send data through software solutions such as Salesforce, Slack, or Moosend, this must be clearly stated in your data mapping spreadsheets. Again, recipients of the personal data, or categories of recipients of the personal data must be clearly stated. You know what might come in handy? A spreadsheet template! And another one!

3. Add double opt-in to nail your GDPR Email Marketing.

One of the most important parts of the regulation is getting your subscribers’ consent and holding proof of this consent. To achieve this for your GDPR email marketing activities, the easiest way is to switch to double opt-in for all your mailing lists, available with your Moosend account.
a. Do you have proof of consent of your users allowing you to use their personal data? If you can provide adequate and satisfactory evidence of your users’ consent to receive emails (place, date, and so on), it appears that there is one thing less to worry about. Move on to the next step!

b. If you do not have proof of consent, you must reach out to your existing customers to get consent. It is highly recommended to start implementing the steps necessary as soon as possible, in fact, before GDPR comes in effect (May 25, 2018). You must get your customers’ updated consent. To help you in the process, we prepared two short drafts to reach out to your customers, and follow up with them (see below).

c. To find out more about double opt-in and get up to speed with how double opt-in works, check out our help docs here or here.

Email notification:

“Want to keep our exclusive offers coming? Make sure you click at the link below to remain on our mailing list with giveaways and freebies all year long. By clicking, you are also participating in our contest for 10 tablets and 30 tickets to [this] Broadway show!

I WANT IN!

You are receiving this email because you signed up to receive special offers and the latest updates from acme.com! To review our updated privacy policy, please click here: *****.

If you have enquiries, please feel free to contact our GDPR department to provide you with additional details: gdpr@acme.com.

Best Regards,

John Smith”

Follow-up email:

“Last chance to confirm your email address and personal details with acme.com!

As soon as you hit confirm, you enter our contest to win 10 tablets and 30 tickets to [this] Broadway show runs for another two weeks. Maintain access to exclusive material such as our previous publication of *** or sneak peek of ***, by clicking below!

Last, if you have enquiries, please feel free to contact our GDPR department. They will provide you with additional details. To contact our Data Protection Officer (DPO) directly, here: dpo@acme.com.

Best,

John Smith”

4. Update your privacy policies.

However well-written and eloquent your current privacy policy is, it must be tweaked. Rewrite it to include an explicit declaration of your data protection policy and an end-user update on their rights. When should you update new users? As soon as you obtain their private data shared with you, that is. Find out more on these rights below, all of which are already in place for Moosend accounts and users.

5. Let your users know what changed, as soon as your privacy policy is up-to-date.

This corresponds to your users’ right to be informed.

6. Update your users on their right to access their personal data.

Your users can access their personal data which they have shared with you, at will.

7. Inform your users they can rightfully correct the personal data they have provided.

Ensure that your GDPR email marketing tool enables this modifications. Moreover, establish processes for your business to monitor that this information is accurate. Hint hint: how we achieve this.

8. Notify your users that they maintain the right to ask you to completely “forget” them.

Overall, devise your own process to “forget” about a user. Practically, once an individual wishes to withdraw from your company’s communication and records, you should stick to the process you have set up so that they are permanently deleted from your GDPR Email Marketing and Automations platform, your CRM platform, even your phone records!

With respect to GDPR email marketing, find an email marketing service provider that has a secure process to delete a subscriber from your records. In other words, make sure your users can be “forgotten” without leaving a trace or them getting an email if they belong to another mailing list. Also, note that there is a data retention requirement, whereby a business may exclude an individual from their communication but retain the data for a specific period of time, as defined by the legislation in effect. Make this process easier for you by joining forces with Moosend; Moosend offers a handy “Suppress/Delete” option, to increase efficacy and security.

9. Make sure you don’t store more data than you need.

Run through all your custom fields and make sure all of them are used only for personalization or segmentation purposes. For example, consider the following: if your are in the business of technology and gadgets, asking for individuals’ age group or academic background is acceptable. However, asking a technology aficionado to provide their weight is not your definition of GDPR email marketing definition. Therefore, bear in mind that your users maintain their right to limit processing of their information.

10. Ensure you can easily export your customers data in a format that you can later transfer to another service.

As a case in point, CSV or Excel documents are the best fit for the purposes of data portability. Moosend enables these portable export file types for your entire list or part of your sub-lists.

11. Educate your users on their right to object to their personal data being processed at all.

In the case of GDPR email marketing, for example, the Unsubscribe link serves this purpose.

12. Find out if your business needs to elect a Data Processor Officer (DPO).

Finally, a DPO is charged with educating the company and staff on compliance, as well as training both parties on best practices. Other tasks include monitoring, auditing, maintaining records of all activities, while bridging every business with the GDPR authorities.