It’s time to embrace the GDPR

We all know that ‘bigger’ doesn’t necessarily mean ‘better’. Yet often, marketers agonise over the size of their database, believing that a large database equates to more people to market to and engage with.

Anxiety around list size has peaked since the announcement of the General Data Protection Regulation (GDPR), that requires marketers to gain lawful consent to use their customers’ data in a transparent manner by 25th May 2018.

Marketers must now keep a record of how and when a customer gave consent, and ensure that their existing methods of obtaining consent comply with the new regulations. If marketers cannot prove that their customers’ data was rightfully obtained, they are left with no choice but to suppress the contact from their list indefinitely.

But just how valuable are all those customers? Is your database size worth all the stress?

It’s about quality not quantity

The commonly known Pareto principle (also known as the 80/20 rule) showed us that about 20% of the peapods in Pareto’s garden produced 80% of the peas. In other words, 20% of the resource contributed to 80% of the outcome. This is a rule of thumb that can be applied to a number of situations including email engagement.

We send billions of emails each year on behalf of our clients, and have a lot of data which we can analyse. When looking at one of our luxury retailers for instance, we measured their subscribers’ contribution to engagement and uncovered that roughly 18% contributed to 80% of the engagement over the year. Just 18%!

Therefore 82% of our client’s database were not interested in receiving their emails. Furthermore, analysing the engaged audience showed that only 55% of them were contributing to revenue.

By analysing open rates and levels of engagement, marketers will often reveal that the ‘huge’ audience they are anxious about losing are not the prime audience and are not actually listening. Evaluating data can give you the assurance to honestly say there’s no need to panic about the GDPR.

Consent is key

The GDPR was set up to strengthen and regularise data protection for all EU individuals, and give people more say over what companies can do with their data. Marketers must now ask customers for their data, tell them what they will do with it, why they’re asking for it, and make sure they sanction and understand that relationship.

This consent isn’t just for your customers’ benefit; it is for your own benefit too – your reputation hinges on the way that you behave in public. Contacting subscribers without consent is disrespectful and results in a bad customer experience and poor brand perception.

It’s important to think about your existing audience and consent. Whether your data was collected from an app, social media, your website, in-store or via a third party you must prove with documentary evidence the following:

  • The Language you’re using to gather that information
  • The Method in which you got the person to consent – was it a checkbox? A yes/no option?
  • The Specificity – was it clear what that person was getting themselves in to?
  • Use of incentives

If you don’t have consent, what next?

Between now and May 2018 marketers have the right under the existing consent, to refresh and update the consent they have with their audience. This is a great opportunity which you should take.

If you’re concerned that your subscribers have not given a level of consent deemed appropriate by the GDPR, or if you simply want to check that your opted-in subscribers want to continue receiving your emails, then you should design a re-permission programme.

Be careful though. If your list was purchased and you don’t have confidence in that list and the evidence needed to say you can use that data – then you cannot send re-permission emails. Likewise, if you cannot prove sufficient consent to contact those people to get the consent you need in future – then you cannot them. Failure to adhere to this can result in substantial fines for companies, for example Honda and Flybe both fell foul of this legislation earlier this year.

How to get started with re-permissioning

Segment your audience based on their risk i.e. how recently they have interacted with you – don’t start with those who have never interacted with you before, this can damage your sender reputation. Segment your audience into high, medium and low risk groups based on method of sign-up and previous engagement.

Design your re-permission campaigns – what do you want it to say? Clearly outline the reason for the request and the process to stay subscribed – it’s up to you how you do this – you could be upfront and say it’s because of new regulations in GDPR, or you may choose to be more indirect.  Get the programme approved by your chosen legal advisor.

Set up your data flow from your ‘refreshed sign-up’ form. Control your rate of communication, you don’t want to do this all at once. Finally, Launch, Test, Learn, Optimise – carefully test and optimise your communications.

Embrace GDPR – it’s a good thing

Marketers need to stop worrying about their list size. Much of your list may not actually be contributing to engagement or revenue. Whilst the GDPR may result in a reduction of your subscriber base, the ‘best practice’ checks and procedures in place will actually do you and your subscribers more good than harm.

A re-permission campaign is all part and parcel of list hygiene. If someone is engaging with you already, a re-permission email from you will not destroy that relationship – they will more than likely jump through the necessary hoops to continue the relationship with you.

The GDPR gives individuals control of their data, which is the way it should be. Companies need to maintain a sanitised database of subscribers who have given their explicit permission to receive specific messages. And these subscribers will be the most engaged subscribers, and the most likely to become customers.


By Daniel Kennedy, Head of Consulting, Cheetah Digital

GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at