The General Data Protection Regulation (Regulation (EU) 2016/679) —or GDPR— takes effect on May 25, 2018. This new regulation is going to change the way data processors collect, share, use and destroy data gathered from European residents. If you plan on doing cold email under the GDPR, you want to know exactly what’s going to change after May 25.
Email marketing is at the core of what we do at FindThatLead. We contacted Alessandro Mazzi, Founder & Legal Advisor at AM Legal, to help us detail how email marketing and cold email are going to change after the GDPR goes into action.
AM Legal advises startups and growing businesses by creating policies and educating organizations and employees on how to comply with the new European Data Protection Regulation.
In this post, Alessandro will help us introduce some of the new regulation principles and strategic steps you need to take to ensure compliance, so you can keep doing cold email under the GDPR.
The regulation will affect not only financial institutions, sales departments, HR departments, and insurance companies but will be extended to all companies, startups, and freelancers. Basically to anyone that collects and processes data from European residents. Due to its extraterritorial effect, such regulation will not only be enforceable to Europe based companies, but to any entity processing data of a European resident.
The GDPR still holds true to the previous directive, but brings many changes and strengthens the rules that were previously left to different interpretation.
GDPR’s Major Changes
Stronger Conditions for Consent
Request for consent must be given in a comprehensible and easily accessible form, with the purpose behind the data processing attached to that consent. We’ll go in detail about these changes and the new conditions for consent below.
Data Subject Rights
- Right to access: individuals can obtain confirmation of whether their personal data is being processed, where it is stored and for what purposes. They can also ask for a copy of their personal data, and the first copy must be provided free of charge. Companies that currently charge a fee to provide this kind of information won’t be able to do so once the GDPR kicks into motion.
- Data portability: data subjects can receive their personal data in a ‘commonly used and machine-readable format’ and transmit it to another controller.
- Right to be forgotten: data subjects have the “right to be forgotten”. This means they can ask, at any point in time, to have their personal data erased and to block further processing of it.
Extraterritorial Jurisdiction of the GDPR
The regulation applies to all companies processing personal data of data subjects (your customers, leads, sales targets) residing in the European Union, regardless of the company’s location. It doesn’t matter where your business is based. Just as an example, this will have a great impact on all United States-based companies processing data of EU residents.
Understanding the Principles Behind the GDPR
Know the Rules and How They Apply to Your Company
The first step is to understand the basic principles of the Regulation such as express consent, right to be forgotten, data controller and the implications of non-complying with the Regulation.
Seeking advice from a professional with a legal and technical background at an early stage will allow you to take the necessary measures to mitigate risks.
Assess Your Data Sources
Where is the data you are collecting now coming from?
You must answer this question by tracking down and auditing what type of personal data is being stored and used across your organization. Identifying where that data is or will be stored will make it easier for you to find and manage it (e.g., erase it or update it upon request from the data subject).
This is not just for convenience. Under the new regulation, it’s your company’s obligation to keep track of all the data being processed from its very origin. The GDPR requires organizations to demonstrate that they know where the personal data they collect is stored and where it isn’t.
Identify the Data Your Business Is Processing
Now that you have identified the sources from which you collect data, you should be able to track what type of Personally Identifiable Information (PII) you are processing (e.g., email, date of birth, name) from EU residents and classify such data into categories.
This will allow your organization to understand where the data is being stored, who you can share it with and the person responsible for controlling such data within the company.
Choose the Data You Collect with Care (Data Minimization)
Fines under the GDPR are high: up to 20 million Euros or 4% of annual global turnover, whichever is higher. You don’t want to be held liable for GDPR breaches, especially over data that has no real impact on your business. The best advice is to keep only the data you really use and delete everything that doesn’t bring added value to your business.
At this stage, consider completing a Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA) of all your company’s security policies and data life cycles. These assessments should be done from origination (collection) to deletion of the data upon request, also known as “right to be forgotten”.
Make sure you have security policies in place to protect your data. Article 32 of the GDPR explicitly names pseudonymisation and encryption as appropriate measures, so you can explore tokenization and data encryption, for example, as security controls.
Secure Processes and Safety Across the Entire Organization
Once you have finalized your processes and implemented them in your company’s operations, you should ensure the entire organization understands the data policies you have created and is able to keep applying them as your business grows.
The GDPR and Email Marketing
Before we dive deep into cold emailing and its relationship with the GDPR, let’s fully understand what consent means under the new regulation.
The GDPR describes consent as:
“Freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The main changes regarding consent, compared to the old directive, are the requirements that consent be unambiguous, that it be given by a clear affirmative action, and that it be informed. Let’s explore them in detail.
#1 – No Room for Doubt
When processing personal data from an EU resident, you have to be positive that the way consent is collected leaves no room for doubt about the subject’s intentions in providing their agreement to their personal data being processed.
In practice, this means that the EU resident you are storing data from should be fully aware of the purposes behind you collecting their data. Is it to offer them your services? To discuss potential partnerships? To explore potential employment opportunities? Whatever the reasons may be, you have to state them.
#2 – Express Agreement
There should be a positive indication by the EU resident to share their personal data with you. This indication cannot be based on silence, pre-ticked boxes or inaction on behalf of the data subject.
These marketing techniques used to remove friction and increase data collection won’t be allowed after May 25.
The data subject should expressly agree (e.g., by actively ticking a box) to have their data processed for specific purposes.
#3 – Informed Consent
Lastly, consent should be informed. The data subject should have clear information before they give their consent about who you are, how to withdraw their consent and other information that will ensure fair processing.
To see a full list of all the information you need to provide to subjects, read Article 14 of the GDPR (which covers personal data you did not obtain from the subject directly, the usual case for a lead list) and Article 13 (which applies when you collected the data from the subject yourself).
What’s Going to Happen with Cold Email under the GDPR?
If you are a lead generator or marketer who’s sending tens or hundreds of emails a day to leads and potential customers through cold email campaigns, this is where you want to pay extra attention.
Do you have to stop doing cold email under the GDPR? Absolutely NOT.
Will you have to consider some changes? Yes, read on for a detailed list of changes you need to address.
Changes You Need to Do to Keep Sending Cold Email under the GDPR
The new regulation affects cold emailing. Under the GDPR it will not be allowed to contact an EU resident to advertise your services/product without their express consent.
The GDPR only changes the game for EU residents —people residing in the Union, regardless of where their company is based.
You can still contact the rest of the world following current regulations. Keep your lists targeted and make sure to apply certain tactics for people inside the EU.
Prospects’ emails will have to be collected and used for a specific purpose. Consent must be given for each purpose and not bundled together. This means you will have to ask the same person for explicit consent for each different campaign or product you are contacting them for.
How will this look in practice?
The data subject’s consent has to be obtained prior to sending them marketing material, and the consent has to be active. A box that the lead has to tick, or a reply to a clear question in your first email, is sufficient consent, provided you clearly indicated the purpose behind emailing them.
The lead should also be informed, meaning that he/she will have to know specific information about the company and the data controller (again, see Article 14 of the GDPR).
Work Emails Are Personal Data Too
Be aware that it doesn’t matter if it is a personal or work email. In principle, if an email address contains information that identifies a person (name, surname, initials), that is already enough for the address to be considered personal data protected by the GDPR.
Non-personal emails should* be outside of the GDPR’s reach. Generic role or team mailboxes (an info@ or sales@ address, for instance) are not associated with any identifiable individual, so cold emailing these accounts without consent should* be fair game.
* This issue is still not clear yet. Remains to be confirmed after the law goes into effect and new cases appear.
Here’s a summary of the common steps you need to take to be on the safe side when doing cold email under the GDPR, or sending unsolicited emails to potential future customers.
Obtain Consent Pursuant to the GDPR Through a Consent Form or a Reply
The safest option you have to continue using emails for lead generation is to create a “Consent Form”. Send this to the potential customer before you send any commercial or marketing material. This Consent form should contain at least the following information:
- Your company’s identity
- The purposes for which the data will be used at your company
- Any further information that is necessary to enable the lead to understand the data processing to which they are being asked to consent (e.g., third parties with whom the data may be shared)
- The existence of the right of access to, and the right to rectify, personal data
- The existence of the right to object to processing and the right to be forgotten
- The existence of the right to withdraw consent
Do not store leads’ email addresses in a CRM or similar software before obtaining express consent from them.
Keep Your Data Safe and Secure
Set up a system (with secure backup and archive copies) where you collect all completed consent forms.
Keep Data Accessible at All Times
To assure compliance with the “right to be forgotten” principle you want to make sure the system you build lets you erase emails and data collected on subjects in a very simple way.
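The two requirements above (consent stored per purpose, never bundled, and data that can be exported or erased on request) are easy to get wrong in a CRM that only has a single "opted in" flag. The following is an added example, not code from the original post or from FindThatLead or AM Legal: a minimal consent register in Python whose names (ConsentRegister, record_consent, may_send, export, erase) and sample address are this example's own. It keeps one record per (email, purpose) with the evidence of the "yes", gates every send on an active consent for that exact purpose, and implements withdrawal, access/portability export and erasure.

```python
# Added example (not from the original post): a purpose-scoped consent register.
# All names below are this example's own; the sample address is constructed.
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    email: str
    purpose: str                    # one purpose per record; consent is never bundled
    granted_at: str                 # ISO 8601 UTC timestamp
    evidence: str                   # where the "yes" came from (form id, reply message id)
    withdrawn_at: Optional[str] = None


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def _norm(email: str) -> str:
    # Normalise so that "Ada@Example.EU" and "ada@example.eu" are one subject.
    return email.strip().lower()


class ConsentRegister:
    """In-memory store; in production back it with a backed-up, append-only table."""

    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def record_consent(self, email: str, purpose: str, evidence: str) -> ConsentRecord:
        rec = ConsentRecord(_norm(email), purpose, _now(), evidence)
        self._records.setdefault(rec.email, []).append(rec)
        return rec

    def withdraw(self, email: str, purpose: str) -> int:
        """Withdrawal is per purpose; returns how many active records were closed."""
        closed = 0
        for rec in self._records.get(_norm(email), []):
            if rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = _now()
                closed += 1
        return closed

    def may_send(self, email: str, purpose: str) -> bool:
        """Gate every outbound marketing email on an active consent for that exact purpose."""
        return any(
            rec.purpose == purpose and rec.withdrawn_at is None
            for rec in self._records.get(_norm(email), [])
        )

    def export(self, email: str) -> List[dict]:
        """Right of access / portability: everything held about the subject, as plain dicts."""
        return [asdict(rec) for rec in self._records.get(_norm(email), [])]

    def erase(self, email: str) -> int:
        """Right to be forgotten: drop every record for the subject; returns the count removed."""
        return len(self._records.pop(_norm(email), []))


def demo() -> dict:
    """Walk one constructed lead through consent, withdrawal, export and erasure."""
    reg = ConsentRegister()
    reg.record_consent("Ada@Example.EU", "product-newsletter", "reply to first email, msg-id constructed-001")
    out = {
        "newsletter_ok": reg.may_send("ada@example.eu", "product-newsletter"),
        # A different purpose needs its own consent, so this is False.
        "webinar_ok": reg.may_send("ada@example.eu", "webinar-invites"),
    }
    reg.withdraw("ada@example.eu", "product-newsletter")
    out["after_withdraw"] = reg.may_send("ada@example.eu", "product-newsletter")
    out["export_count"] = len(reg.export("ada@example.eu"))   # withdrawn record still exported
    out["erased"] = reg.erase("ada@example.eu")
    out["after_erase"] = reg.export("ada@example.eu")          # nothing left to return
    return out


if __name__ == "__main__":
    print(demo())
```

Design notes: withdrawal does not delete the record, because you may still need to show that consent existed when the earlier emails were sent; erasure does delete everything. One thing this example deliberately does not do is remember an erased address, so a later import of the same address from a purchased list would not be blocked; whether and how to keep such a suppression marker is a decision to make with your data protection adviser.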
If you are doing cold email under the GDPR targeting European residents, you need to understand the regulation’s principles first and then take the necessary steps in order to comply with them.
- Be clear with the data subjects about your identity and the purpose of why you are contacting them.
- Make sure you have obtained consent before sending commercial emails.
- Safely store all consent forms.
- If you are cold emailing, ask for consent in your first email and absolutely avoid including any commercial content in that email.
- Respect the data subject’s rights to access to and edit their personal data, to withdraw the given consent and consequently their right to have all data you process erased (right to be forgotten).
- Make sure your recipients can identify your company when they receive your emails and that the system you have created enables you to store and erase data subjects’ consent easily.
About the author
Alessandro Mazzi is an International Legal Consultant. He specializes in European Law compliance, Intellectual Property matters, tech startups and Commercial Dispute Resolution.
He is the Lead Legal Consultant at AM Legal, a firm experienced in advising startups and growing businesses on numerous matters including data protection compliance, European Privacy law, Blockchain and innovative technologies, International Contracting and building strategic Startup legal infrastructure.
Contact Alessandro at firstname.lastname@example.org for a free introductory consultation. He will be happy to get to know your startup, walk you through the regulation principles and help prepare a compliance strategy for your organization before the deadline in May 2018.
Disclaimer: This is a general guideline about the use of email in light of the upcoming GDPR. It is not intended, and should not be taken, as legal advice. For legal advice on email marketing regulations please contact a data protection expert and/or a lawyer.