Do you need to delete your email list for GDPR?

Worried about GDPR? Don’t know whether your email list is legally compliant, or if you need to clean it urgently? We explain why you may not need to delete it for GDPR.

Unless you’ve been hiding under a rock in the desert without access to your emails, you can’t have failed to notice the hysteria around GDPR lately.

Because, while GDPR has been creeping ever closer to us for months now, most businesses weren’t really sure what it involved, and assumed it didn’t really apply to them. Much like us, if we’re honest.

But as GDPR is becoming an imminent reality, panic is beginning to set in. We’re all seeing other companies update their privacy policies, and asking us to reconfirm whether we want to remain on their email lists. And as a result, many entrepreneurs are becoming justifiably jittery about their GDPR-readiness, and whether they’re doing enough to comply with the legislation coming into force on 25 May 2018.

And one of the biggest questions we’re hearing businesses ask, especially businesses like ours who exist almost completely online, is whether they need to clean or delete their email list for GDPR.

Do you need to delete your email list for GDPR?

As you might expect with GDPR, the answer to this isn’t a simple “yes” or “no”. There’s much more you need to consider before you relax and carry on as normal. To start with, you need to understand that, under GDPR, there are six legal bases you can process someone’s personal information under:

  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

So how does that apply to you? For most businesses, there will be two reasons why you have someone’s email address:

  1. They have bought something from you in the past.
  2. They are on your marketing mailing list (for example, to receive newsletters and offers).

What should you do with people on your mailing list?

Depending on which of these two reasons applies to someone on your mailing list, there are two different ways you need to treat them under GDPR:

  1. They’ve bought from you in the past – if someone has bought from you in the past, you may not need consent from them to remain on your list. You can use something called legitimate interests to stay in touch with them. You need to do a simple assessment to see if you can rely on legitimate interests, and state that you will use it in your privacy policy. You can email them an updated copy of your new, GDPR-compliant privacy policy (find out later on how you can get a template for this if you don’t already have one).
  2. They haven’t bought from you – if someone is on your list who hasn’t bought from you, then you do need to confirm their consent to continue hearing from you. And you need to explicitly explain what they are consenting to receive (for example, newsletters, details of products or courses). You also need to reconfirm their consent every two years.

If you are able to segment your mailing list, then we recommend sending a simple email to the people who have bought from you in the past with a link to your privacy policy.

For the rest of your list, you’ll need to send them an email asking them to confirm they still want to receive emails from you after 25 May. If they do not actively confirm they wish to remain on your list then you must remove them.

What are the positives of culling your list?

It’s easy to assume that this GDPR requirement is a terrible thing, and that you are about to decimate your email list. And yes, you may lose a significant chunk of your hard-earned subscribers.

But are they all active subscribers who are keen to hear from you, and who may one day buy from you? Or do some of them not even know who you are?

If, like us, you’ve been growing a list over many years there is a good chance that many on it have forgotten they signed up. They may never open your emails (your emails could even be going directly to spam). Or they may have changed direction in life and no longer be in need of what you offer.

And while your list may feel impressively or comfortingly large, in reality it’s just flabby – and much of it could be trimmed down without impacting your business. Who knows, having to actively confirm they still want to hear from you may remind some dormant subscribers that you exist, and that you do great things!

What should you do now?

Time is running out, and GDPR is creeping closer by the day. And while the GDPR police aren’t going to be knocking on your door on 25 May if you haven’t complied, you never know if someone on your list is aware of their rights and objects to you holding their data.

So if you have a mailing list that is not business to business, and you’re not absolutely, 100% confident that any subscribers who have not purchased from you have consented, in a GDPR-compliant way, to hearing from you (and you have evidence of this), now is the time to start taking action and cleaning up your list.

Need more help with GDPR?

Of course, ensuring your mailing list is GDPR-compliant is just one tiny part of ensuring you are legally covered. You also need GDPR-compliant privacy and cookie policies, to ensure your data is stored in the correct legal way, and that you are collecting any future data appropriately.

All of this is a headache for small businesses who don’t have an in-house lawyer or GDPR expert, and can’t afford the cost of hiring an expert, or the time involved in becoming one themselves. That’s why we recommend investing in the ease and peace of mind of a GDPR Business Pack, like this one for solopreneurs.

The pack was created by Lesley Cooley, a BCS qualified Data Protection Officer with over 15 years’ data protection experience (and whose advice to us inspired this article). The pack guides you painlessly through the business basics:

  • How and where the law applies to your business.
  • What changes you must make NOW.
  • When you are a ‘data controller’ or a ‘data processor’ – and what the difference is.
  • How to make sure that your email marketing sticks to the rules.
  • How long you can safely store information.

The training is presented in bite-size chunks and you get a set of documents you can take away and use in your business right now. This has been specifically designed for solopreneurs and includes:

  • OVER 30 ‘How to’ videos.
  • Clearly presented information about GDPR targeted to YOUR small business.
  • Sample documents you can take away and use straight away.
  • Customisable downloads that can be adapted to your own small business.
  • Weekly Q&A Classes.
  • A FREE Facebook Group.

If you’re not 100% confident your business is legally ready for GDPR, we recommend taking steps and investing in this GDPR pack. Now, we’re off to clean up our own email list…

Photo by NeONBRAND