Lately, we’re getting lots of questions from Woodpecker users about GDPR (General Data Protection Regulation). This seems like a topic that still needs some clarification. That’s why we’ve put together a GDPR FAQ – a list of frequently asked questions about the regulation along with our answers. Hope you’ll find here some useful clues and practical tips about processing data and managing your email campaigns according to the GDPR principles.
Disclaimer: You should treat this post as a guide that will help you understand GDPR. Please do not treat it as legal advice. If you’re looking for legal advice, contact a lawyer after reading this post and ask them for advice and answers to specific questions about your case.
Q1: I’m based in the US, do I have to be GDPR compliant?
It depends. GDPR is designed to protect EU citizens, so it’s not really a matter of your company location. It’s about whose personal data you process. If your company is based in the US but some of your clients, partners, subscribers, prospects are EU citizens, you should process their data in a way that is compliant with GDPR. That’s your obligation as a data administrator.
If you have a company that offers a piece of software, and this software allows other data administrators to process data, I think it would be reasonable to assume that at least a part of this data will belong to EU citizens. GDPR defines some obligations not only for data administrators but also for data processors.
So in short, if there’s a chance your US-based company is an administrator or a processor of personal data of EU citizens, you should be GDPR compliant.
Q2: I’m sending numerous email campaigns a year. Should I stop doing that when GDPR becomes legally binding?
No. First of all, GDPR has not been designed to kill email marketing or cold emails. It’s not even a regulation about emails, or marketing, or business. It’s about protecting personal data.
You have to remember, though, that sending your email campaigns, doing marketing, running a business you probably process personal data. If at any point you process personal data of EU citizens, this processing should be GDPR compliant – that is to follow certain principles.
So no, you don’t have to stop your email marketing campaigns, or your cold email campaigns when GDPR becomes binding. You should make sure the data used in those campaigns are being processed according to the rules of GDPR.
Q3: Can I send cold emails to people under GDPR?
Yes, you can send cold emails to people at companies under GDPR. Those need to be B2B emails that meet certain requirements.
Firstly, you can’t send them to just anyone. You need to target your prospects very carefully. You need to have a strong reason to claim that the company the person works for can benefit from what your company offers in the email. Moreover, your business activity should be logically connected with the business activity of your prospect. That will be a legal basis to send someone an email without their previous consent to process their data.
Secondly, in each of your email messages, you need to inform your cold email recipients what personal data you are processing, for what purpose, and how they can remove their data from your mailing list, or change them. That’s how you fulfill the information duty described in GDPR.Thirdly, you should not process your cold email addressees’ personal data for longer than it’s necessary. GDPR does not specify any particular period of time. We advise removing from your lists the data of prospects who have not replied within 30 days from sending them your first message. That’s how you abide by the data storage limitation principle while sending cold emails.
In practice, that means the end of the spray and pray approach.
Q4: Is follow-up email a violation of GDPR?
Sending follow-ups does not violate GDPR as long as it meets the three requirements described in the answer above.
Processing data in case of sending a follow-up is not much different from processing the same data to send the first message. The only thing that changes is the time you have for sending follow-ups to non-responsive prospects in the EU. Again, GDPR does not define a time span for that, but we advise to remove from your lists the data of prospects who have not replied within 30 days from the first email you sent them.
Q5: Do I always need to have consent before emailing anybody?
You can send B2B cold emails without previous consent of your addressees to process their personal data only if the emails meet the three requirements described in detail in the answer to Q3 above:
- a legal basis for data processing
- fulfillment of information duty
- compliance with data storage limitation
Q6: What about my current list of email subscribers? Should I remind them why they are on my list and ask them again for permission to continue sending them the emails?
If you asked their permission at the very beginning and they granted you their consent to process their data for specified purposes, you don’t need to ask them for permission again.
However, if the purpose of data processing has changed, or you plan to change it soon, you should inform them about the change and give them an easy way to decide if they agree to the new purpose of processing their data.
Or, at the moment of their sign-up to your newsletter, they were informed that their data will be processed for a specified period of time, and the period has already ended — in such a case you should also ask if they agree to further data processing for specific purposes.
Q7: Should all outbound emails (or emails in general) have an unsubscribe link included as mandatory under GDPR now?
The GDPR unsubscribe rule states that all emails: outbound messages and email marketing messages should specify clearly the way in which the recipient can remove his or her data from your list, or change it. GDPR does not specify the way, so it does not say “you should use the ‘unsubscribe’ link”. It only says it should be an easy way, understandable for each person.
The ‘unsubscribe’ link is a common practice in email marketing messages, we add such a link to each of our marketing messages. It is neither required nor very popular in cold emails. There are other ways you can grant a way to opt out to your cold email recipients. You can read more about them here:
Q8: What if I outsource list building. I have nothing to do with personal data gathering. Does it mean I have to be concerned with GDPR?
Yes, if you’re going to use the personal data that some other company gathered for you and if the data owners are EU citizens. Remember that GDPR is not about gathering data, or storing data only. It’s about processing data in general. According to the regulation:
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
So, if at some point you will get the data to use them, e.g. send emails, you will process it as well. Remember that if you decide about the purpose of the data collection and use, you are the data administrator. And as the data administrator, you definitely should be concerned with GDPR. You should also make sure that the company you outsource list building to, should collect the data in a legal, fair, and transparent way. In other words, you should know exactly how they obtain the data and be able to explain to the data owners, how and why you got their data.
Q9: What does “privacy by design” mean?
Privacy by design means developing every part of your solution in a way that it ensures the highest level of data privacy at every stage. In other words, you have to think of protecting the privacy of your users/subscribers/customers all the time while planning the processing of their personal data.
Q10: I don’t want to hire a GDPR specialist. Does that mean I won’t have a chance to comply?
Data Protection Specialist does not have to be a new person to hire at your company. You can appoint one of your present employees to take the role of Data Protection Specialist, or you can become one yourself.
Note that Data Protection Specialist and Data Protection Officer are two separate roles with different sets of competencies. If you run a small or medium business, and you don’t process any sensitive data and there are no high risks when processing data at your company, you don’t need a qualified Data Protection Officer. You can appoint a Data Protection Specialist, who will analyze the data processing and who will advocate solutions that will provide the highest possible level of personal data protection.
Q11: Where can I get a GDPR certificate?
There is no such thing as an official GDPR certificate, at least yet. Various security certifications, like ISO, also aim at better data organization, processing, and security. Getting them will definitely be a step towards GDPR compliance. But you are not obliged to get any kind of official certification to be GDPR compliant. You can simply follow the principles described in the very regulation.
Q12: I got a cold email from someone and I feel it’s illegal under GDPR, how can I inform them that I don’t want to receive emails from them?
In such a case, you can reply and verbally request the deletion of your data from their mailing lists. If they still don’t respect your request, you can try to verify what service they use to send the emails and contact this company as the processor of your personal data. As a data processor, they will also be obliged to help you get your data removed from a list you don’t want to be on.
Q13: How does Woodpecker prepare for GDPR?
After hosting our second webinar related to handling email outreach and email marketing under GDPR, we wanted to add a couple more questions.
Q14: Can you send a B2B cold email to a personal email address (such as Gmail) if the email is still targeted at the job position of a person?
If you’re certain that it is their work email or they expressed their consent they want to receive the message from you on that email, then yes, you can.
As with any type of communication under GDPR, your process of obtaining their personal data need to be legal and transparent. You need to be able to trace back how you got the email address and prove that your message is relevant to that person.
Let the person know why you’re contacting them and give them a clear way of opting out of your emails. You don’t need to do that via posting unsubscribe link. They can simply write that they don’t wish to receive any further messages from you. Once they do so, respect it and delete their email address.
The crucial thing when it comes to B2B cold emailing is to make sure that you’re contacting the right person at the right position who represent companies and fit your ICP. Untargeted emails may get you in trouble.
Q15: Is keeping a list of contacts in Woodpecker making me the owner/processor of the personal data?
When you upload a list of prospects into Woodpecker, the prospect whose personal data you process is the owner. You are, in that case, a data administrator. You decide whose and what kind of data personal data you want to process.
Moreover, you’re responsible for adhering to the storage limitation principle. The storage limitation is a principle that was introduced by GDPR. It means that you cannot process the data longer than its necessary for the purpose of processing it.
Additionally, what comes from that is that you need to respect the personal data owners wish to be deleted from your prospect list and not being contacted ever again. You’re being held accountable if you abuse the storage limitation principle as well as any other GDPR principle.
Woodpecker, on the other hand, becomes a data administrator when it processes your personal data as the app user or a newsletter subscriber. It should treat your data with due care. And comply with GDPR.
Q16: How can I compile a base of contacts in a legal way?
Quick answer: target carefully. GDPR doesn’t prohibit cold emailing. If you follow the advice I give you on this blog, you’ll be fine. You just need to be a tad more careful.
GDPR stresses out that you should have a strong reason to contact your prospects. Make sure both sides are likely to benefit from such a potential business relationship and that the offer you put in your cold email should be logically connected with their business statute.
Moreover, you should obtain any personal data for your prospects’ lists in a legal and transparent way, and be ready to explain how and why you decided to process personal data of specific EU citizens.
What is important is that GDPR introduces a new principle of data storage limitation, which does not allow you to process personal data longer than it’s necessary. The exact amount of time is not specified in the document. We advise removing the data of non-responsive cold email addresees after 30 days from your first contact.
In case of opt-in lists, you can process the data in clearly specified ways the data owner has agreed to, for as long as they granted you their consent, or until they express their wish to withdraw it.
Any kind of data you ask for should be justified by the purpose for which you want to process it. Don’t ask for a phone number if you want to send someone an ebook. And if you do want to collect their phone number, tell them straight that you may want to call them.
Give your cold email recipients as well as your opt-in list subscribers a clear way to opt out from further correspondence, and instruction on how to change their personal data, or completely remove it from your list. The ‘unsubscribe’ link mechanism is a popular one, but it’s not the only one you can use for that.