Preparing your email marketing for DPDI and continually-changing data laws | DMA

Filter By

Show All
X

Connect to

X

Preparing your email marketing for DPDI and continually-changing data laws

T-steve-henderson-email-council.jpg

The UK is currently finalising new legislation to update DPA 2018, UK GDPR and PECR. The Data Protection and Digital Information (DPDI) aims to create a new data regime for UK businesses and consumers. You can read more about these details and current versions here.

At this point in time the DPDI is still subject to change. And even after it has been finalised and comes into effect as UK law, the best practice guidance and examples will take time to be established.

Because the law and guidance are changing, how do you ensure your marketing programme stays compliant?

Change is Constant

The DPDI is the latest example of what is a landscape of continual change. It doesn’t seem that long ago that we were talking about ePrivacy, the “Cookie Law” and PECR. And I’m sure you can remember (as a sender or recipient!) the panicked sending to re-permission mailing lists prior to GDPR.

And this is just the UK. Globally, data protection and privacy standards are continually adapting to stay relevant in our digital world that evolving more quickly each day. Without change, legislation would struggle to provide consumers with a safe and secure digital environment, leading to diminished trust, and less data being shared; which would impact the commercial needs of marketers and retailers.

So, how do you keep up to date? How can you be best placed to ensure the marketing programmes you are implementing now will adhere to not only current legislation but also future changes?

Industry standards, not legal standards

Legal standards are the absolute minimum standard, with grey areas and boundaries that are subject to change. This is not a good area to focus for email marketing guidance.

Instead, in the world of Email we are very fortunate to have a pretty effective self-regulatory industry, powered by email filters, sender reputation, blocklists and recipient spam reporting.

And then you have your customers and prospects. Your customers demand and expect certain standards. Fail to meet those standards and you lose trust and their business (and data!).

So, in the world of email, this is where things become simple. The laws need to adapt because of what is changing. You can get ahead by focusing on what is not changing, and those are the fundamental concepts of

  • Privacy
  • Information Security
  • Transparency
  • Choice

Understand and apply these principles to the standards expected by your customers, and your marketing programme and you will be adhering to the principles behind the legislation, not just the current legal wording.

How to apply the fundamental principles of Data Protection to your Email Marketing Programme?

Here are the practical steps that you can perform, starting today.

This isn’t a full audit of your data, but is a good place to start. Following these steps will give you a better understanding of your own data, helping to show where you need to review in more detail or make changes.

Step 1 - Data Review:

  • What data you are collecting, where, when and how? Look at every inbound customer journey and data collection source. Document every type of data collected for each data source. Highlight anything even remotely sensitive or risky - what data would you be concerned about sharing?
  • What do you use? Look at your segmentation rules, personalisation, reporting and filtering.
  • What data do you share? With who? Why?
  • Cross reference. What are you collecting that isn’t being used? Why collect it?
  • Do you allow your contacts to update their details?
  • What is the age of your oldest email subscribers? How do you track who is engaged? When do you delete subscribers? How do you ensure your permission is still valid?
  • What are your deletion rules? What is deleted and when? Why is that data kept that long? What is never deleted?

Now think about the above: Could you explain and justify this to your customers? Is this in line with what they would expect?

Step 2 - Information and Choice:

Once you have a good grasp of your data you can now perform the following steps:

  • Look at your data collection processes again, and the information provided on screen (not in your privacy notice). Does the visible information on-screen set the right overall expectations?
  • Do your data collection processes link to a privacy notice, allowing you to clarify and give details?
  • Does your privacy notice include the details of what data you collect, how it is stored, what is shared, how it is used to benefit your customers and what their options are for deleting their data?
  • Does your privacy notice explain how your customers and subscribers can opt-out, how to control what is used, how to correct their stored data and how to delete their data?
  • Looking back at your wording of both the information on screen at the point of data collection and your privacy notice: Did you write it or your legal team? Can you understand what it means? Will your customers understand? Can you make the information more simple?
  • When you collect data, what choices do you give? Do you allow guest purchases, or do you require an account? Do you separate marketing opt-in from terms and conditions?

Step 3 - Automated, Recurring Processes

Instead of manual, ad-hoc, deletions and marketing re-permission campaigns, these should be automated to keep your data up to date and valid.

  • Periodically prompt and remind customers to review and update their contact and preference details, as well as their marketing consent
  • Implement re-engagement programmes to prevent defecting contact data from becoming inactive
  • And when these are in place: Ensure data deletion rules run daily or weekly, in accordance with your data lifecycle and retention policy that you now publish in your privacy notice!

Summary

In an environment where legal standards are changing, you can help ensure legal compliance by understanding the core principles of data protection, and applying them to your customers’ standards, not just the legally required minimum standards.

You can achieve this by reviewing what you do; clearly explaining what you do; and putting choice and control in the hands of your customers.


Want to know more about the DPDI Bill? Tune into the DMA’s Virtual Legal Update on the 18th October to hear about the parliamentary timetable and key marketing changes.

If you’re interested in the work the DMA’s Email Council does and would like to get involved, you can find out more information and apply to join here.

Hear more from the DMA

Please login to comment.

Comments