Email marketing is alive and kicking, and it’s successfully creating meaningful opportunities for millions of…
The most successful people on platforms such as Medium, Vocal Media and News Break build big subscriber email lists, but is what they’re doing legal?
NOTE: This article refers mainly to data protection and the GDPR in the UK and Europe, whilst certain aspects apply to the US and beyond.
Why I’ve written about the GDPR
I would wager that right now you have no idea what I’m referring to in the title when I say you might be breaking the law. That’s completely understandable, and you could be forgiven for having no idea, or even for breaking the law, although ignorance is no defence, of course.
This article is about how our personal data — your personal data — is managed. There are laws in place to enforce the rules, but I’ve written this in spite of the law, not because of the law.
It’s a layperson’s wake-up guide, not a technical or legal document, and it’s not intended to be a definitive guide to the GDPR.
Why you should read this, even if you don’t run a business
Writing on Medium is just writing on Medium. But if you write on Medium (or, indeed, any other platform, including your own website) and are actively building a subscriber mailing list too, well, that’s internet marketing and there’s a good chance you’re breaking the law.
Not just any old law, mind you, but international data protection law, and specifically in relation to Personally Identifiable Information (PII).
PII is any single piece of data that could potentially identify a living human being.
That means your mailing list even if it contains only email addresses, and more so if it contains a name and or any other data — you have more than a duty of care, you have a legal obligation to ensure the security of that data.
But you’re confident, right? You use Mailchimp, Substack, Infusionsoft, Convertkit, Revue or any one of the many email marketing/content distribution platforms available, and you’re 100% sure they have a compliant data protection policy in place, so you’re confident your recipients’ data is safe and secure.
Just take a look at the following questions:
- Have you exported your mailing list data at any point, perhaps for a backup or to import it into a different platform when you decided to move from Mailchimp to Substack, for example?
- When you’re managing your mailing list and have the details displayed on your screen, do you ever walk away from your PC or laptop (baby crying, answering the telephone, parcel delivery) without locking it while other people are around?
- If you’re in the EU and are using a US-based platform, are you aware that the data-sharing agreement between the EU and the US (the Privacy Shield Framework) was invalidated by the European Supreme Court, mainly because US companies have to allow federal access to all personal data?
- If your subscribers unsubscribe at any point, is the process fully automated or do you have to intervene to effect the unsubscribe? Can you be sure you won’t inadvertently resubscribe them if you upload your previously exported backup mailing list to a new provider’s platform?
- If a single one of your subscribers challenged your data protection processes, could you hand on heart, explain in detail the processes you have in place to protect and secure their data?
- So, your chosen platform does have a compliant data protection policy in place, but you could be breaking the law with any one of the above points, let alone all of them. Can you see how easy it is now?
If you do break the law, the chances are you will never get caught and fined or thrown in data protection jail, but that in no way absolves your personal responsibility for the correct, safe and secure management of every single piece of personally identifiable information you hold. It’s only that until now you probably didn’t realise you had to.
Whether or not you know about the data protection laws doesn’t really matter because that’s not how laws work.
Did you know that it’s illegal to drive your car with snow on the roof in the UK, or that it’s illegal to pay with your phone at a drive-through whilst your car’s engine is still running?
No? Well, they’re still illegal even if you don’t know about them, and the same is true of protecting other people’s personal data.
Does having data protection laws in place make any difference?
Legal systems exist to uphold fairness in society, whilst laws determine how people should and should not behave. Despite this, laws don’t prevent people speeding through red traffic lights, selling drugs, committing fraud or killing people, any more than they stop people wilfully mishandling our personal data. And perpetrators of the above are mostly doing so with full knowledge of their actions and the possible consequences.
At the top of the pile (the good guys) are the giants in retail, financial services, and Government agencies who hold staggering volumes of personal data. To a great extent, they’ve heeded the new data protection laws and tightened up their processes to ensure the safeguarding and proper handling of our personal data. Of course, the threat of an infringement fine to the tune of €18million or 4% of global turnover (whichever is the greater) remains an incentive, but they’re doing it, and that’s what matters.
At the bottom of the pile (the bad guys) are the scumbags of society who willfully steal our personal data and sell it on the dark web. Regardless of how devastating the consequences of identity theft can be, no laws will ever stop these boneheads who are incentivised only by profit or glory or both.
There’s another group of really bad guys, like Facebook, who we now know, along with Cambridge Analytica, used and abused our personal data with impunity whilst pretending they were doing the right thing by us. But we no longer trust them with our personal data. Do we? Do you?
Of greatest concern are those who misuse our personal data, but have no idea they’re doing so.
This is known as unconscious incompetence. They are the millions of small companies, sole-trader businesses and innocent individuals (like Medium authors) who merrily go along collecting our personal data, blissfully unaware of their responsibilities to the data and its owners. And, of course, you with that backup copy of your mailing list sitting on your PC’s desktop or on a backup hard drive or that memory stick you can’t find.
Why is knowing about it and understanding it such a problem?
It’s years since the GDPR (General Data Protection Regulation) was introduced in the EU and UK, and the Privacy Shield Framework in the US, yet the average person can tell you very little about either, what they mean or even how they affect them.
This is more bizarre than it might appear because the new data protection laws were introduced specifically to prevent an individual’s personal data from being used or shared without their permission, so you’d think every single person would be interested in what it means to them. Oddly, many are not, and they don’t even question the companies they deal with when handing over their personal data.
The problem, in the UK at least, is that the Government made one set of regulations apply equally to all businesses, whether you’re Amazon or a one-man band. It’s so complex and difficult to understand that most small businesses couldn’t fathom what they needed to do in order to comply.
All small business owners could see, and I am including companies turning over tens of millions in this, was the negative impact introducing new, tighter procedures would have on the day-to-day running of their business. Many simply ignored it or did the minimum they could get away with.
What is ‘Personally Identifiable Information’?
Put simply, PII is any single piece of information that by itself, or in conjunction with any other piece of data could, potentially, identify a living human being.
Pre-GDPR, your mobile telephone number did not fall into this category because if I called your mobile number and somebody else answered, that wouldn’t identify you personally.
Similarly, with your email address, if I emailed you and somebody else saw and responded to the email using your PC or mobile, that wouldn’t identify you either.
With GDPR, any single piece of data falls into the category of being PII.
But why would you be bothered, especially when you know there are already so many bits of your data out there somewhere, everywhere all the time with all the online accounts you have? Why is it an issue? What’s the risk?
Let me give you an example.
Imagine you purchased some goods from a company online. You know this means they hold personal information about you such as your name, email address, phone number, home address, delivery address, credit card details (possibly), and this is standard procedure, something we’ve become used to and are reasonably comfortable with.
However, have you ever considered how the company holds that data, what they do with it and whether the data is secure? Have you thought about how many total strangers will share that data, including the company’s suppliers, other staff in their office, delivery companies, online cloud storage services, website developers and hosting providers, etc? Have you considered how each of these third-party ‘stakeholders’ will handle your data, what security measures they also have in place and with whom they might likewise share the data?
Here’s how one set of your personal data might be distributed from a single online order in the course of normal business:
You can clearly see how the personal data you handed over by placing a single order online can quickly spread to multiple users within a company plus multiple users outside of that company — all to enable your payment to be taken and your order processed and delivered.
Hopefully, this is making you feel a little uncomfortable, knowing how information that could identify you personally is out there, somewhere, accessible by dozens of people whom you’ll never meet and over whom you have zero control.
That feeling is precisely the reason you should be looking at your own processes, business or otherwise, to ensure that any personal data you hold for subscribers, members, customers, suppliers, staff, and so on, is managed properly and secured appropriately. Just as you want yours to be.
Who am I to say anything?
As part of the data protection team since 2017 in a £20m+ turnover/100-ish staff group of companies, I’m sufficiently qualified to say that the UK Government and its regulatory body for data protection, the ICO (Information Commissioner’s Office), did a terrible job of helping people understand the how the GDPR affects them and what they need to do in order to comply with the law.
In my view, the GDPR is brilliant and long overdue. It was a monumental task to create and implement, but in typical Government style, it was a box-ticking exercise. They created it, implemented it, enshrined it in law and left us all to get on with it.
In their defence, they had to create a set of rules that worked for everyone from the biggest companies turning over hundreds of millions and employing thousands nationwide to the one person owner-operator micro-business.
There were, and still are, no Government agents to provide help or to audit your implementation of the regulations.
But if you get it wrong and someone takes you to task over it, or worse still, you leave your laptop on the train with that backup copy of 10,000 names and email addresses on the desktop, well now you have a legal responsibility to report that to the ICO as a data breach. Once reported, it becomes public knowledge and the full force of the ICO (in the EU and UK) will come down on you like a ton of bricks. Probably best to avoid that altogether.
How is the GDPR being enforced?
Years after the GDPR was introduced, companies are still abusing people’s personal data — and companies who really should know better.
October 2020: The ICO fined BA (British Airways) £20m for failing to protect the personal and financial details of more than 400,000 of its customers.
October 2020: The ICO fined Marriott International Inc £18.4million for failing to keep millions of customers’ personal data secure, following a cyber attack that affected 339 million guest records.
November 2020: The ICO fined Ticketmaster UK Limited £1.25 million for failing to protect customers’ payment details.
March 2021: The ICO fined Muscle Foods Limited fined for sending 135 million marketing emails and 6 million marketing SMS (text) messages to individuals without their consent, over a period of seven months.
Any one of the above could have included your personal details — information you trusted these companies with.
Where do you go from here?
The first step is to take a close and detailed look at all your day-to-day working practises, walking through every process that involves personal data. It’s likely you’ll be surprised by how many opportunities there are that could, potentially, put at risk the owners of the data you hold.
Be respectful of other people’s data. They trust you to keep it secure and do with it only what they have given you permission to do. Please don’t abuse that trust for your own commercial gain.
If you’re a writer/internet marketer who builds mailing lists, it’s really quite simple.
- Make sure you have permission to use the data you hold from every single recipient. If you’re buying mailing lists there’s a better than good chance the list is not GDPR compliant. Most data brokers will tell you their data is GDPR compliant, but they typically take a cross-section of positive-result test data and extrapolate it.
- Keep no local backup copies of your mailing on any device.
- Any device used to access your email marketing platform must lock automatically. You should never leave the device ‘open’ when other people are around, regardless of how ridiculous and low risk you might think that is. Just get into the habit of locking the screen.
- Do not rely 100% on the policies and procedures other platforms have in place — have your own code of ethics and working practices that you can confidently defend.
- Do not ever pass on your list(s) or any single piece of data to another person without the data owner’s permission.
- Once you have no further use for any data you hold, delete it. That includes any copies you hold (which you don’t have, of course) and all the data held in any platforms you have uploaded it to.
If you have your own website:
If you run a business, however small, and especially if you have even one member of staff:
- If you take card payments for anything — never, ever write the details down, and never repeat the card details out loud to the customer if other people are within earshot.
- Control who, in your office, has access to staff/employment records, past and present. This is highly sensitive information that should only be accessible by individuals who need to see it. Nobody else.
- When recruiting, do not keep any unsuccessful candidate details (application forms, CVs, interview notes). This is also ‘needs based’ data, and once you have no need for it, destroy it. This includes deleting emails. Also, limit the staff who have access to this information.
Think about with whom you need to share customer order information, e.g. third-party suppliers. The fewer the better.
- If there’s a newsletter sign-up form on your website, make sure you provide clear information that explains how you will manage the data you collect from the form.
- On your website’s contact/enquiry form, customers should, ideally, have to tick a box to confirm they are giving you permission to process the data they provide in the form. As ridiculous as this sounds, it’s an important step that could protect you in the future.
- If anyone associated with your business (sales staff, admin staff, researchers, etc.) work remotely with a laptop or mobile phone/tablet that contains, or has access to, company information (emails, email addresses, customer details, staff records etc.), you must be able to control their processes for managing the data they have access to. A chain is only as strong as its weakest link.
- There are so many other aspects to consider, especially if you run a business, but the above is a quick ’n’ dirty, common-sense guide and a good basis on which to start.
To reiterate the importance of the above, consider again how you would feel if any information that could identify you personally was made available to people who either didn’t have your permission to see/use it or had no reason to see/use it. That, in essence, is the point of the GDPR.
The ICO is a mine of information and they will do whatever they can to help you get things right. You will find everything you need to know about the GDPR, even if it’s not all in the most intelligible form because of the language and terminology used.
Below is a link to the ICO’s guide to all things GDPR. It’s a great point of reference for when you get stuck on something, and if you suffer from insomnia, it’ll help with that too: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
Finally, whilst the following PDF was created to help businesses prepare for the GDPR’s arrival back in 2018, it’s still a useful guide and is presented as a simple 12-step process: https://ico.org.uk/media/2014146/gdpr-12-steps-infographic-201705.pdf
The ICO (Information Commissioner’s Office) website: https://ico.org.uk/
Email. Arrange a Zoom call or talk to us.
READ FOR AN AUDIT?
Take The Marketing Audit Health Check
READY FOR A STRATEGY?
Take The Marketing Strategy Health Check
Sign up for our regular, insightful newsletter
You are here: