To send or not to send

A company's e-mail marketing could land it in legal trouble in the EU.

By Alison Treadaway, director at Striata
Johannesburg, 16 Mar 2018
Alison Treadaway is a director at Striata SA.

Any business that sends out e-mail marketing campaigns may need to comply with the European Union's (EU's) General Data Protection Regulation (GDPR) or face legal sanction. With the GDPR coming into effect on 25 May, this leaves businesses very little time to get their houses in order if they haven't started already.

Any business that provides a service inside the EU has to comply with the GDPR, an EU data protection directive. Given the global and virtual nature of many business transactions in the Internet era, it is often difficult to establish where a customer or potential customer resides, or to determine where the 'service' takes place. It is this that makes the GDPR applicable to South African businesses.

The crux of the matter comes down to consent - does a business need to have consent from a person in order to send them e-mail marketing? And if so, has the business obtained it in a manner which the GDPR considers satisfactory?

Determining whether or not a company requires consent is relatively simple. It does not need consent from customers with whom it communicates as part of providing a contracted service, for example, by sending statements, invoices, and so on. It does require consent from someone who has signed up to receive marketing communications from the company, but otherwise has no legal relationship with the business.

Clear and cautious

The purpose of the GDPR is to force businesses to be transparent and careful while processing personal information when providing services in the EU, regardless of where it is processed or whether the data subject is a citizen. The type of information protected under this legislation is broad: identity, contact, banking, medical, employment, education. The definition of processing is also broad - anything from collecting and storing to using and sharing.

As such, the GDPR requires that the company has consent from people in order to send them marketing communications, that it has a record of their explicit agreement (ie, opt in, not opt out), and that it is able to show when and how they gave their consent and what they agreed to receive.

If the business sends e-mail marketing communications that may result in a service being delivered in the EU, then the safest approach is to act as if the GDPR does apply to the company, and take steps to comply.

There are two options here: get hold of everyone on the company's marketing databases and get their explicit consent; or go through the company database and remove everyone for whom the company does not have recorded, explicit consent before the 25 May deadline.

For a company that aims to contact everyone, there are two important things it needs to know. Firstly, it needs to ask its contacts to opt in, not to opt out - so communications must explicitly ask if the customer wants to 'switch on', not 'switch off', marketing communications from the company. Secondly, if it has no record of how someone got onto its marketing database, e-mailing them to get their permission is illegal, even before the GDPR comes into effect. Flybe and Honda, to name two, are being fined for doing this.

Companies are probably going to take a hit on their databases, as the majority of the contacts on their current databases will likely ignore their requests, and they will have to remove these contacts. However, this gives firms a golden opportunity to start building a legitimate database of people who are genuinely interested in receiving information on products and services, obtained through a legally compliant process.

Not complying, by the way, could land companies with a fine of up to 4% of annual global turnover, or EUR20 million (whichever is the larger), for breaching the regulations in the GDPR.