BLOG 2nd February 2018

Get your email marketing ready for GDPR

GDPR has brought us a new standard for how we deal with our audience's data.

When news first reached me of GDPR, like many of us in arts marketing, I almost went through the seven stages of grief...

Shock and Denial - "Surely this won't really affect me, a small arts organisation?"

Anger and Bargaining - "Do I really have to do this? I don't have time!"

Reflection - "Okay, I've researched a bit more, and I can see a way through."

Eventually, I reached the last stage - acceptance.

Acceptance and Hope - "Maybe this isn't such a bad thing after all... It's easy enough once you start."

We have a small enough email marketing database here at thrive - around 350 subscribers. So if you're in a smaller arts, culture, or heritage organisation, you might find plenty here that's familiar to you.

(PS - if you're looking for guidance on postal or telephone marketing lists, check out our blog on legitimate interests.)

What's new with GDPR and email marketing?


Consent under GDPR must be clear, use a positive opt-in (no pre-ticked boxes!) and be easy to ‘opt-out’ from later. For more info, check out our consent check-list.

From the ICO's guidance on PECR:

You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’.

Soft opt-in

If your organisation sells tickets, then soft opt-in is another option available. Soft opt-in can be used when a customer has bought a service or product from you, or negotiated a sale (they may have been part-way through buying tickets and left them in the basket). You have to give them the option to opt out at the point of original data capture. Not only this, but you must give them the option to opt out each time you send them an email after this.

Tip: We've put together a GDPR for email flow chart that will help you to decide whether you'll need to use consent or soft opt-in for your email marketing.

Contacting companies, schools, and community organisations

Can you send marketing messages to company emails? In short, yes - if you are emailing a non-personal email address without a name (such as info@ or admin@). If not, you will need consent. However, you can still rely on the soft opt-in. For example, if a school class bought tickets from you before, you can still send marketing messages to the teacher, so long as you include an ‘opt-out’ or unsubscribe link in each subsequent email you send them.

Here's the official guidance from the ICO:

You can send marketing emails or texts to companies. However, it is good practice to keep a ‘do not email or text’ list of any companies that object.

Where to start

Data audit

We needed to carry out a data audit on all our records for GDPR, so my research into our mailing list records was a part of this bigger picture.

GDPR puts an emphasis on making sure any personal information you store (names, email addresses etc) is secure. So information like this needs to be in a password-protected computer file, password-protected cloud-based storage, or in a locked cabinet.

With the help of the rest of the team, I uncovered where we were storing email lists and deleted or secured them.

If you're not sure why you're keeping something - delete it! The sound of the desktop recycling bin can be a cathartic one.

Make sure to document your data audit as it provides evidence of your compliance with GDPR. Handily enough, we have a GDPR data audit template here that you can download for free.

Privacy notice and subscription forms

Once I had a good idea of where we stood, I started on some prep-work - getting our Privacy Notice and newsletter subscription form wordings up-to-date.


Example of a newsletter sign up form

Have you ever updated or installed software and had to agree to reams and reams of 'terms and conditions' that were written in legalese? Well, the new GDPR is designed to put an end to that. So your privacy notice shouldn't be long and mysterious.

We've created a Build Your Own Privacy Notice toolkit which will help you put your own one together.

Segment your email list

By now, you should have your email marketing list all in one place. It's time to figure out which records are a-okay to still market to, and which need some attention.

Identify where you don't need consent

First, identify any emails where you won't need consent:

1. Any non-personal business email addresses

2. Any previous customers.

If you have either of the above, that's great. You can rely on soft opt-in to cover your marketing to previous customers. Just remember to keep your emails relevant to them, and always include an unsubscribe option in each email you send. For business customers, you'll just need to offer them an unsubscribe option in their emails too.

Tip: If you're using MailChimp, an unsubscribe option is already automatically included in the footer of your email.

Divide the rest between consented and non-consented

Next, the hard part - email contacts where you will need to rely on consent. Look through your records and see if there is evidence that they have already given consent, and that it is up to the GDPR standard of consent. Use our GDPR consent checklist to make sure. In my case, I found physical sign up forms from events, email requests for newsletter sign up, and evidence in Mailchimp itself that they had subscribed online. Save this evidence somewhere if it is not already stored in MailChimp.

In MailChimp, you’ll be able to see the ‘SignUp Source’ of all of your subscribers. If it was an ‘admin add’ then someone in your organisation likely typed their name in manually, and you'll need to find evidence of where they asked for this. Same with 'List Import from Copy/Pasted file'.

If you see Embed Form or Hosted Form, then they signed up themselves using your online form. So if these forms are GDPR compliant, this could be evidence of consent.


Re-consent campaign

The next thing you might do is to create a 'non-consented' segment in your overall email list.

  • Then when sending emails, send different emails to your GDPR-compliant segment and those you need to get consent for.
  • When sending anything to the non-compliant segment, remind them to refresh their consent.
  • Allow them to unsubscribe too.

MailChimp have released a handy collection tool for asking for and recording GDPR-compliant consent. Check out MailChimp's comprehensive guide to collecting consent with GDPR.

How to segment your list into compliant and non-compliant

In order to segment the mailing list into those who needed consent and those who didn't, I needed to manually upload a list of all those who I had no consent for and who were neither soft opt-in nor business contacts. Once I had this list, then I could create an auto-update segment that consisted of everyone else not on the list.

To create the list of those who needed consent, I found it helpful to use the 'notes' section of MailChimp to record how someone had consented and where this evidence is saved. Then I was able to export the entire list from MailChimp and alphabetise via the notes section. Those with notes were all compliant so I deleted them from the list. You can also sort by opt-in records if you know that anyone who signed up using double opt-in had GDPR-compliant consent. Then I uploaded the list to MailChimp and named it as 'consent-needed'. I made another auto-update list that was everyone not in the 'consent-needed' list, and called this 'GDPR compliant'. Then I will update the non-compliant list before each mailing, as people re-consent.


How we asked people to re-consent

Future plans...

Before the May deadline rolls around, my plan is to unsubscribe everyone who is still on the non-consented list. I'll then let them know via personal email that they've been unsubscribed, and give them the link to our online subscription form to give them a last chance to subscribe.

MailChimp have some handy instructions here on how to reconfirm consent this way.

Stay positive

When I first started looking at our email list, I could see only 50 out of 350 people subscribed.

Now we have about half of our list GDPR compliant, and we're sending out re-consent options to these people in each of our monthly newsletters.

It's worrying as a small cultural organisation when you hear talk of compliance and massive fines. But when you read what the information commissioner says, it's clear that they aren't rushing to fine small organisations for minor mistakes.

“Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action… it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements.”

- Elizabeth Denham, Information Commissioner

So the important thing is to make a start and have something to show for it. So just having your data audit done and your privacy notice updated is evidence that you are making an effort to be compliant.

With luck, you'll be able to hang on to the majority of your mailing list, while at the same time reminding your audience that you value their privacy and are an honest organisation.

Personalised GDPR Support

If you have a question that isn't answered above, you can leave us a comment below and we'll do our best to answer. We’re also offering bespoke GDPR workshops for cultural organisations for £150 + VAT, so please drop Sarah an email if you're interested.

Note: This is intended to provide an overview of GDPR and is not a definitive statement of the law.

For a definitive guide, check out the Information Commissioner’s Office website.
