Despite rumours to the contrary, it is probable that the vast majority of email marketing companies will have to comply in full with the General Data Protection Regulations (GDPR). Whilst it is true that companies with fewer than 250 employees are exempt from certain provisions of the regulations, there are conditions which effectively mean that they do not apply to us.
The difficulty arises from our need for email marketing lists. These are the main resource for our businesses and the exemptions do not apply to those companies where the processing of personal data is not ‘occasional’. Whilst occasional is not defined, most commentators suggest that in email marketing the one certain thing is that processing is frequent.
When reading the details of the GDPR, and read them you should, just gloss over Article 30, paragraph 5, and the exemptions for small businesses. What you should be doing is ensuring that you comply with the provisions of the regulations.
The Information Commissioner’s Office (ICO) has always provided advice for all sizes of businesses when it comes to legislation and it has recognised the difficulties small companies might experience, especially given the misinformation doing the rounds. The ICO website includes all sorts of articles and other resources to assist in planning. The nicely clear ’12 Steps to Take Now’ .pdf (see https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf) is one of their most downloaded. They are producing a revised one to go live soon.
They also have a helpline specific to businesses with fewer than 250 staff. The number is 0303 123 1113. Select option 4 and you will be diverted to support staff. They will not only answer questions on the GDPR but also on other matters which are regulated by the ICO, such as electronic marketing and freedom of information.
I’ve not used the service but given other contact I’ve had with the ICO, they will advise in non-technical language as far as possible and if they can’t answer a particular question there and then, they will call you back.
The GDPR’s increased penalties for infringements has received a lot of press coverage, and for good reason. Don’t be unprepared; the go-live date is 25 May next year.