+44 (0) 1724 897 497

Is your email list GDPR compliant?

The General Data Protection Regulation came into effect on May 25th 2018. One of the main issues that many businesses may overlook is how GDPR will affect their email list.


Simply knowing that people signed up to your list many moons ago will not be sufficient, as GDPR demands much more detail, including when and how they signed up and what they were told they were signing up to receive.
If breaking the law isn’t enough to put you off, there’s always the potential €20 million MINIMUM fine for failing to comply with GDPR that will make you think twice. A failure to report a data breach within 72 hours, which is then reported by another source, could result in the fine being doubled.

Why GDPR matters

With several breaches of personal data making the news in recent times, it’s little wonder that people’s privacy is set to be taken a lot more seriously. If you’ve ever completed a form and thought “why do you need that information?” then you’ll likely find GDPR a refreshing relief. It basically boils down to ensuring that businesses only hold personal data that is absolutely necessary for a particular reason, and that the person in question has agreed that they may hold this information for that reason and that reason alone.

Who is accountable

The new Accountability Principle brought in by GDPR requires the nomination of a Data Controller for any held information at a business. It is this Data Controller’s responsibility to ensure that the business complies with the regulations. Failure to do so can lead to prosecution.

Key points for compliance

Below are some key points of GDPR with which your email list will have to comply:

  • Data collected must be for a specific purpose
  • Data must not be used for any other purpose
  • Only essential data must be stored
  • Data must be kept up-to-date
  • Data should only be kept for as long as necessary
  • The data must be securely stored

Steps to take

Here are some basic steps you can take to be on your way towards complying with GDPR:

  • If you’re not sure if your current database is GDPR compliant – Reach out to everyone on your list and ask them to re-confirm they want to receive your emails. Assuming they want to is not classed as having clear consent.
  • Regularly update your email list – If you know that a person’s information has changed, update your list to remain compliant at all times. If a person requests that their information is updated (or even removed), this must be done as soon as possible.
  • Keep a record of permissions – Make sure you have a copy that lists exactly what people have signed up to receive on your email list. Also be sure to keep this updated if circumstances change.
  • Delete any non-essential information – Unless your emails will contain specific information that only certain people have agreed to receive (e.g. age-restricted content may require a date of birth), only keep the information essential for your list.
  • Store data securely – Access to your email list should only be given to the people in your organisation who really need it. The easiest way to comply here is to ensure that the list is password protected with a strong, unique password.
