email list for GDPR

Do I need to delete my email list for GDPR?

Do you need to make changes or delete your email list for GDPR? We’ve seen many organisations simply deleting all their email data in response to GDPR legislation, often without reason to do so. You will need to ensure that you comply with all the requirements of GDPR and PECR when email marketing but that does not necessarily mean you need to delete all your email data.

What is the GDPR?

The GDPR is the General Data Protection Regulation, which is essentially an update to the Data Protection Act.

It improves the definition of data to include anything that can be ‘identifiable’ about an individual, so that includes things such as a computer IP address.

It also strengthens the individual’s data protection rights to view, amend or have their data deleted by a company.

More information is available from the Information Commissioner’s website.

For organisations there are greater responsibilities to limit the collection and processing of data and a stronger emphasis on acting fairly and responsibly.

The good news is, that if you have been practising good data protection principles then there is not a huge amount that you need to do in order to be compliant with GDPR.

It’s also worth noting that the GDPR goes hand in hand with the PECR (Privacy and Electronic Communications Act) which dictates some of the finer points around email and SMS marketing.

The information below take both into account.

Six legal bases for processing data

The GDPR outlines six bases under which you can legally process data. At least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Do I need to delete my email list for GDPR?

It is likely that each data set you manage for your business will rely on a different legal basis. The information below will help you determine the action you need to take. For individuals the following might be an appropriate response:

Employee records – legal obligation

As an employer you must retain certain information about your employees so that you can contact them about their job, perform payroll and reporting tasks.

Existing customers – contract

It is necessary for you to retain certain data to fulfil the contract that you have entered into. Once the contract is complete you must determine at which point the individual becomes a ‘past customer’ and joins your non-customer list (see below).

Past customers – legitimate interests

As the individual has bought from you in the past you can assume that they will be legitimately interested in hearing from you again. You must balance their interests with yours as a business and every communication must carry your company details and the option to opt out of further communications. If you have updated your privacy policy in line with GDPR it would be sensible to send them an update with a link for them to review the changes.

Enquirers/non-customers (individuals) – consent

The individual must have willingly opted in to receive communications from you, knowing precisely what they opted in for at the time. Each communication must carry your company details and the option to opt out of further communications.

If these individuals previously opted in to your list in a way which complies with the GDPR there is no need to ask for their consent again, assuming that the relationship is fairly recent.

If your data was collected without a clear opt-in, then you will need to contact them with an option to do so, linking to your privacy policy. If you don’t hear from them you must delete the remaining data.

Enquirers/non-customers (businesses) – legitimate interests/consent

For business-to-business marketing you may rely on legitimate interests as the legal basis for making contact. If you are a training provider, and Mrs S. at Company X has shown an interest in your courses it is fair to assume that she will continue to be interested unless she opts out.

The same legal basis could be used to contact cold prospects – if you feel that your services or products would be relevant to their business you may contact them using legitimate interests as the legal basis for doing so.

Each communication must carry your company details and the option to opt out of further communications.

If however, the business contacts are in fact sole-traders or some partnerships who count as individuals rather than business contacts.

For more information on direct marketing and the GDPR see this guide.

How long can I keep email data?

For all data you must determine a reasonable length of time to retain information, and be clear on your data storage, retention and disposal policy.

For each data set you hold you must make a reasoned decision for the length of time you will keep an individual’s data. Unless there are statutory or regulatory reasons it is up to your organisation to decide on a policy for each data set. Document your reasoning and decisions using our guide to GDPR compliance.

For instance:

Past customers – retained for 12 months in case of returns or exchanges.

Employees – retained for 5 years in case of reference requests.

Enquirers – 24 months unless opted out in the meantime.

For email lists you must decide at which point the individual is unlikely to be still interested in your product or service. If they have not bought from you in 12 or 24 months is it likely that they will still be interested?

It is always better to have a smaller email list of interested people than a larger list of unresponsive individuals.

What else do I need to do?

  • Consider whether you are a ‘data processor’ or ‘data controller’
  • Conduct a review of what data you collect and hold. Our past post and template may be helpful.
  • Update your privacy policy and publish it to your website.
  • Review who has access to each data set and limit access if possible.
  • Review how data is held and tighten up security if possible via passwords or encryption.

The best resource will always be the Information Commissioner’s website.

Any questions? Contact us for help with GDPR compliance.