There’s still plenty of unease and uncertainty surrounding the new GDPR legislation due next month, and understandably so. I’ve read more articles about the subject than I’d want to count, but as with all such things, I’d rather offload the responsibility to someone who’s more confident in their legal understanding. I imagine you’re the same. However, here’s what I reckon we should be doing.
On the big question of whether we can continue to email everyone in our database, I can’t see that there’ll be any problems if we’re just being reasonable to recipients. I’d say that as long as our marketing mailings are reasonably frequent (and we can demonstrate that), and have contained a way of opting out, it’s fair to say we assume they want to hear from us, because they haven’t objected. But I also think we should declare a period – say a couple of years – during which we should insist on hearing from people who didn’t explicitly ask to receive our mailings in the first place. If we don’t hear from them, we should take them off the list. If we don’t know when they joined our list, we should stop mailing them until we get their consent.
That means if someone becomes a customer, I think we’re fine to send them marketing material for a defined period, provided it has an opt-out. After that, it should not continue without their explicit consent. Once we’ve got that consent, I think it’s reasonable to send them material (with an opt-out) indefinitely. If there’s anyone on our list who we haven’t heard from in that period, we should stop sending them material unless we do get consent from them.
I also think that we should commit to only sending material related to whatever led us to have a relationship with the recipient in the first place. That will probably cover most things the company wants to promote in the future, but makes it clear that the contact details will not be used for unrelated products and services.
Whatever you decide, write all this down as a policy document and I think it’s a reasonable approach to compliance. Include details of where the data is held (imagine you’re writing instructions for your successor), and where requests to join and leave the list can be found.
(Please note that you should take legal advice on this – the above is only my own interpretation.)