Do you need to delete your email list for GDPR?

Worried about GDPR? Don’t know whether your email list is legally compliant, or if you need to clean it urgently? We explain why you may not need to delete it for GDPR.

Unless you’ve been hiding under a rock in the desert without access to your emails, you can’t have failed to notice the hysteria around GDPR lately.

Because, while GDPR has been creeping ever closer to us for months now, most businesses weren’t really sure what it involved, and assumed it didn’t really apply to them. Much like us, if we’re honest.

But as GDPR is becoming an imminent reality, panic is beginning to set it. We’re all seeing other companies update their privacy policies, and asking us to reconfirm whether we want to remain on their email lists. And as a result, many entrepreneurs are becoming justifiably jittery about their GDPR-readiness, and whether they’re doing enough to comply with the legislation coming into force on 25 May 2018.

And one of the biggest questions we’re hearing businesses ask, especially businesses like ours who exist almost completely online, is whether they need to clean or delete their email list for GDPR.

Do you need to delete your email list for GDPR?

As you might expect with GDPR, the answer to this isn’t a simple “yes” or “no”. There’s much more you need to consider before you relax and carry on as normal. To start with, you need to understand that, under GDPR, there are six legal bases you can process someone’s personal information under:

Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

So how does that apply to you? For most businesses, there will be two reasons why you have someone’s email address:

They have bought something from you in the past.
They are on your marketing mailing list (possibly to receive newsletters and offers etc).

What should you do with people on your mailing list?

Depending on which of the two reasons why someone is on your mailing list, there are two different ways you need to treat people under GDPR:

They’ve bought from you in the past – if someone has bought from you in the past, you may not need consent from them to remain on your list. You can use something called legitimate interests to stay in touch with them. You need to do a simple assessment to see if you can use legitimate interests and state that you will use it in your privacy policy. You can email them an updated copy of your new, GDPR-compliant privacy policy, (find out later on how you can get a template for this if you don’t already have one).
They haven’t bought from you – if someone is on your list who hasn’t bought from you, then you do need to confirm their consent to continue hearing from you. And you need to explicitly explain what they are consenting to receive (for example, newsletters, details of products or courses). You also need to reconfirm their consent every two years.

If you are able to segment your mailing list, then we recommend sending a simple email to the people who have bought from you in the past with a link to your privacy policy.

For the rest of your list, you’ll need to send them an email asking them to confirm they still want to receive emails from you after 25 May. If they do not actively confirm they wish to remain on your list then you must remove them.

What are the positives of culling your list?

It’s easy to assume that this GDPR requirement is a terrible thing, and that you are about to decimate your email list. And yes, you may lose a significant chunk of your hard-earned subscribers.

But are they all active subscribers who are keen to hear from you, and who may one day buy from you? Or do some of them not even know who you are?

If, like us, you’ve been growing a list over many years there is a good chance that many on it have forgotten they signed up. They may never open your emails (your emails could even be going directly to spam). Or they may have changed direction in life and no longer be in need of what you offer.

And while your list may feel impressively or comfortingly large, in reality it’s just flabby – and much of it could be trimmed down without impacting your business. Who knows, having to actively confirm they still want to hear from you may remind some dormant subscribers that you exist, and that you do great things!

What should you do now?

Time is running out, and GDPR is creeping closer by the day. And while the GDPR police aren’t going to be knocking on your door on 25 May if you haven’t complied, you never know if someone on your list is aware of their rights and objects to you holding their data.

So if you have a mailing list that is not business to business, and you’re not absolutely, 100% confident that any subscribers who have not purchased from you have confirmed, in a GDPR-compliant way, to hearing from you (and you have evidence of this), now is the time to start taking action and cleaning up your list.

Need more help with GDPR?

Of course, ensuring your mailing list is GDPR-compliant is just one tiny part of ensuring you are legally covered. You also need GDPR compliant privacy and cookie policies, to ensure your data is stored in the correct legal way, and that you are collecting any future data appropriately.

All of this is a headache to small businesses who don’t have an in-house lawyer or GPDR expert, and can’t afford the cost of hiring an expert, or the time involved in becoming one themselves. That’s why we recommend investing in the ease and peace of mind of a GDPR Business Pack, like this one for solopreneurs.

The pack was created by Lesley Cooley, a BCS qualified Data Protection Officer with over 15 years’ data protection experience (and whose advice to us inspired this article). The pack guides you painlessly through the business basics:

How and where the law applies to your business.
What changes you must make NOW.
When you are a ‘data controller’ or a ‘data processor’ – and what the difference is.
How to make sure that your email marketing sticks to the rules.
How long you can safely store information.

The training is presented in bite-size chunks and you get a set of documents you can take away and use in your business right now. This has been specifically designed for soloprenuers and includes:

OVER 30 ‘How to’ videos.
Clearly presented information about GDPR targeted to YOUR small business.
Sample documents you can take away and use straight away.
Customisable downloads that can be adapted to your own small business.
Weekly Q&A Classes.
A FREE Facebook Group.

If you’re not 100% confident your business is legally ready for GDPR, we recommend taking steps and investing in this GDPR pack. Now, we’re off to clean up our own email list…

Photo by NeONBRAND

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	1 year	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Analytics".
cookielawinfo-checkbox-necessary	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	1 year	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 19 days 13 hours 20 minutes	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_gtag_UA_39226696_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
_omappvp	11 years	The cookie is set to identify new vs returning users. The cookie is used in conjunction with _omappvs cookie to determine whether a user is new or returning.
_omappvs	20 minutes	The cookie is used to in conjunction with the _omappvp cookies. If the cookies are set, the user is a returning user. If neither of the cookies are set, the user is a new user.

Cookie	Duration	Description
centerVisitorId	7978 years 5 months 19 days 13 hours 11 minutes	This is a HTTP cookie used to track the individual sessions on the website. It helps the website to compile statistical data from multiple visits. This data is used for lead generation as a part of marketing purpose.
fr	3 months	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
NID	6 months	This cookie is used to a profile based on user's interest and display personalized ads to the users.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_fbp	3 months	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.

Cookie	Duration	Description
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
view.ga79y7i4H2VjMus2eRJYqN.4ewaiz7cYMLxo2Fdorod4k	1 day	No description
view.ga79y7i4H2VjMus2eRJYqN.5659118702428160	1 day	No description
view.ga79y7i4H2VjMus2eRJYqN.5kjS2nejq2YcnYdvBnXie6	1 day	No description
view.ga79y7i4H2VjMus2eRJYqN.6M3TmeJYUdaXk4bFFoEsPB	1 day	No description
view.ga79y7i4H2VjMus2eRJYqN.AcqHN2Jx4LPTHTaVuvgpj7	1 day	No description
view.ga79y7i4H2VjMus2eRJYqN.az9ENbabTdjyzXZhvGZLsH	1 day	No description
view.ga79y7i4H2VjMus2eRJYqN.BfndspJeShXfBzLLV9vgf6	1 day	No description
view.ga79y7i4H2VjMus2eRJYqN.dExRyANhGorUfWBK88b8He	1 day	No description
view.ga79y7i4H2VjMus2eRJYqN.DLQVxHBCjsB8dSGzMQHEG8	1 day	No description
view.ga79y7i4H2VjMus2eRJYqN.ecCiQ7LhtWkSkJ7TaZBNeg	1 day	No description
view.ga79y7i4H2VjMus2eRJYqN.FQVDyuAXgSZP6EjzQVc8vZ	1 day	No description
view.ga79y7i4H2VjMus2eRJYqN.gm24Y7zkcqfXLnVYsG45ua	1 day	No description
view.ga79y7i4H2VjMus2eRJYqN.Jngw8VouAHPooyWULt96v8	1 day	No description
view.ga79y7i4H2VjMus2eRJYqN.JUp6DgKPEh2GnAKP6Hic9a	1 day	No description
view.ga79y7i4H2VjMus2eRJYqN.oXoiDpd347fYcUzoEogUp3	1 day	No description
view.ga79y7i4H2VjMus2eRJYqN.PxByyBFy44UYvo87EnhdAT	1 day	No description
view.ga79y7i4H2VjMus2eRJYqN.pXcNDvRdAUByFqYPw6mShD	1 day	No description
view.ga79y7i4H2VjMus2eRJYqN.QdALHubScinNuHaMzo6r4T	1 day	No description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.
_drip_client_6898597	2 years	No description
_drip_visitor_6898597	2 years	No description

Do you need to delete your email list for GDPR?

Do you need to delete your email list for GDPR?

What should you do with people on your mailing list?

What are the positives of culling your list?

What should you do now?

Need more help with GDPR?

Related Articles

What difference can a marketing strategy make to your business? Find out how it helped us earn 3,150% more

Three reasons EVERY business needs a marketing plan

How NOT to sell a course: Why our first Twitter course marketing campaign failed (and how we saved it)

Three insider tips to grow your startup through online marketing

Five common marketing mistakes you need to stop making

Why you need to get to know your audience – and five ways you can