Will Your Mailing List Break the Law?
A guest post by Jessie Scoullar, CEO Wicksteed Works.
Bring it on, 2018! New projects, new campaigns, and new metrics to measure your artist’s success. We also need to understand and adjust to the changes to Facebook’s Newsfeed, Twitter’s character count, YouTube’s interface and whatever is going on with Snapchat. And maybe amid all of this flux, you’ve been taking heed of the constant urgings of folks like us here at Wicksteed Works, to focus on building your mailing list (yes?!).
What’s not to love about a mailing list, giving you direct access to your fans? Perhaps you’ve been collecting customer data from tour pre-sales, and sales of music and merchandise from your webstore. You may have names, email addresses, mobile phone numbers, postal and billing addresses, belonging to people who live in the UK, elsewhere in Europe, and beyond. You do?
You might also have heard about this GDPR thing and how it’s going to affect how you use consumer data – particularly your mailing list.
TL;DR
Review your mailing list set-up before 25 May to confirm:
– consent is crystal clear at the point of sign-up, and you’re keeping a record of consent for every subscriber
– you have a historic record of valid consent for every subscriber; otherwise you may need a re-opt-in process
– every email includes an “unsubscribe” option
– you’re not holding onto more personal data than you plan to use
– personal data is stored and shared within the EU only. If you’re sharing outside the EU, key criteria must be met
– you have an updated privacy policy on the website
– you have procedures in place in case of a data breach
See the checklist at the end of this story for more detail.
GDPR – the what now?
On 25 May 2018, a new law called the General Data Protection Regulation (GDPR) comes into force across Europe, including the UK. The GDPR will affect the way that organisations, including us in the music business, collect and process personal data.
The GDPR is intended to provide individuals with greater control over their data and what they see and receive, to prevent unwanted communications and improve data security. It will do this by regulating how organisations (including artists) collect, store and use personal data belonging to EU citizens. And unusually for European law, the scope of the GDPR is global, which means it’s applicable to any organisation, anywhere, that is collecting and storing the data of EU citizens.
So, if you’re collecting and storing personal data of EU citizens, then the GDPR will apply to you. Here’s what you need to know.
Does it really apply to me? (Hint: yes)
If your organisation is based in the EU, or you have EU residents signed up to your mailing list, or you have customers transacting from the EU, then the GDPR probably applies to you. This is the case even if you’re outside of the EU, because of what’s called the “extraterritorial clause” within the GDPR. This means that the regulation may be applicable to any organisation anywhere in the world, across all industries and sectors.
And if you’re wondering, why should I care? Two answers. First, the maximum financial penalty for non-compliance has been increased to an eye-watering €20 million. Second, there are reputational risks. At one end of the spectrum, it’s not worth upsetting a disgruntled individual who might take to social media, and at the other, it’s just good practice to take data protection seriously, and minimise the risk of a security breach.
What is personal data?
Personal data includes the below, and chances are that you’re already storing some of it in your artist mailing list:
– name
– address
– email address
– credit card number
– mobile phone number
– driver’s licence/passport number
– bank account details
– genetic/biometric data
Assess the data you hold, and consider why you have it, and whether you need it. If you only need a name and an email address, *then you should delete the rest*.
Check your workflows
In a perfect world, personal data would be collected, stored and used from a single point. Wouldn’t that be nice? In reality, this is seldom the case – there are spreadsheets from this project or that, your marketing campaign or a ticketing pre-sale, combined with your historic and master list CSVs. Inevitably these are scattered across various email accounts and hard drives, possibly uploaded into your customer relationship management tool, or more often, an email service provider. Streamlining this process within a single application (with regular backups) will ensure security and data accuracy.
Location, location, location
Personal data for EU citizens should be stored and accessed within the EU – no change there. This means assessing the partners and suppliers you’re using, who may transmit or access the personal data you’re collecting.
There’s a good chance that you’re using marketing tools based in the US, which means collected data may be stored there, and that there may be cross-border transfers at some point. For this to be permissible, certain conditions must be met. For example, marketing automation platform Mailchimp has a certified agreement within the Privacy Shield Framework, which constitutes an “adequacy decision” under the GDPR. This is a decision by the European Commission that an adequate level of protection exists in this instance.
Check with your marketing platform and/or email service provider and the suppliers of any other marketing tools you’re using to collect data, to check their compliance.
Clear consent
How are you ensuring you have consent when you collect personal data? Be sure that you are clearly explaining how you intend to make use of the data you’re collecting, before you collect it.
Where you’re using a sign-up form, make sure it requires double opt-in, meaning the fan must confirm their email address. The form itself should include clear, specific language, explaining that you intend to use the email address for the purpose of periodically sending news and updates about your artist. For example, “We’ll use this information to contact you no more than twice a month, to keep you informed about our music, live events and other activities.”
This rules out any use of data which hasn’t been explicitly agreed to. If you intend to use ticket purchase data for marketing purposes for your artist, be sure that the checkout process includes a clear message inviting ticket purchasers to opt in to receive marketing. Avoid pre-ticked boxes to ensure absolute clarity with regard to consent. It’s also important to maintain a record of the subscriber’s consent, and to ensure you’re receiving records of consent from any personal data that is shared with you – for example from ticketing or ecommerce partners.
In addition, be sure to include a reminder of how you acquired the contact information on each communication you send. This is usually a sentence or two in the footer of your emails, for example “you’re receiving this because you bought tickets to see us live”, or “you’re receiving this because you signed up through our website”.
Refreshing consent
If you have an existing list, you’ll need to check it thoroughly to determine whether subscribers’ consent is valid under the new rules. It must have been:
- freely given
- specific for each intended purpose
- informed
- unambiguous
Clear records must be kept to demonstrate this consent: who was told, when, how and what. In practice, where you are using a reputable email service provider, they will probably record this within your account – but do check! Where you import subscribers manually – for example, data generated through a marketing application such as a Spotify pre-save campaign, or if you change email provider – you will need to maintain the record of consent yourself. This may be a column in your CSV file record, which will then form a part of the necessary “paper” trail to demonstrate consent.
Where it is not possible to point to consent for your subscribers, the tricky prospect of “refreshing” consent rears its head. Nobody wants to risk asking their mailing list to please confirm that they do in fact want to be on the mailing list, because the risk of low uptake feels scary and hard. However there are upsides to ensuring that your list is populated only with fans who actually want to engage with you: performance rates are likely to increase, and money wasted on uninterested recipients will be reduced. Refreshing consent calls for a creative approach to win the attention and imagination of your list, while staying within the bounds of the law.
Include an opt-out
Every communication you send must include an unsubscribe link. Further, individuals will now have the right to have their information erased completely – also known as the “right to be forgotten”. This means ensuring that your marketing platform or email service provider enables the full deletion of data – beyond just shifting the contact to an “unsubscribed” list.
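As an added example (not the post’s own code, and not any email service provider’s API), here is a small Python model of the three mechanics described above: a double opt-in sign-up that only creates a subscriber once the emailed token is confirmed and records who was told, when, how and what; an erasure that removes the record entirely rather than shifting it to an “unsubscribed” list; and an audit of an exported subscriber CSV that flags every row needing a re-opt-in because a consent field is missing or the consent was captured through a pre-ticked box. The column names, the set of capture methods treated as invalid, and the sample rows are constructed assumptions for the example, not any provider’s export format.

```python
"""Double opt-in sign-up with a consent record, right-to-erasure deletion,
and an audit of an existing list for consent that cannot be demonstrated."""
import csv
import io
import secrets
from datetime import datetime, timezone

# Fields a consent record needs to answer "who was told, when, how and what".
CONSENT_FIELDS = ("consent_source", "consent_wording", "consent_at", "confirmed_at")
# Capture methods treated as invalid consent (assumed labels for this example).
INVALID_METHODS = {"pre-ticked box", "purchased list", "unknown"}


class MailingList:
    """In-memory list: sign-up creates a pending record; confirming the emailed
    token turns it into a subscriber with a complete consent record."""

    def __init__(self):
        self.pending = {}      # token -> consent record awaiting confirmation
        self.subscribers = {}  # email -> consent record

    def request_signup(self, email, source, wording, now=None):
        now = now or datetime.now(timezone.utc)
        token = secrets.token_urlsafe(16)  # unguessable; sent to the fan by email
        self.pending[token] = {
            "email": email, "consent_source": source,
            "consent_wording": wording, "consent_at": now.isoformat(),
            "confirmed_at": "",  # filled in only when the fan confirms
        }
        return token

    def confirm(self, token, now=None):
        record = self.pending.pop(token, None)
        if record is None:
            return False  # unknown or already-used token
        now = now or datetime.now(timezone.utc)
        record["confirmed_at"] = now.isoformat()
        self.subscribers[record["email"]] = record
        return True

    def erase(self, email):
        """Right to erasure: delete the record, not just mark it unsubscribed."""
        return self.subscribers.pop(email, None) is not None


def audit_consent(rows):
    """Return (keep, refresh): rows with a demonstrable consent record, and
    (email, reasons) pairs needing a re-opt-in because a consent field is
    empty or the capture method is one that does not count as consent."""
    keep, refresh = [], []
    for row in rows:
        missing = [f for f in CONSENT_FIELDS if not row.get(f, "").strip()]
        if missing or row.get("consent_source", "").strip() in INVALID_METHODS:
            refresh.append((row["email"], missing or ["consent_source"]))
        else:
            keep.append(row)
    return keep, refresh


def minimise(rows, keep_fields=("email", "name", *CONSENT_FIELDS)):
    """Data minimisation: drop every column you are not going to use."""
    return [{k: v for k, v in row.items() if k in keep_fields} for row in rows]


# Constructed sample export; column names are assumptions, not a provider's format.
SAMPLE_CSV = """email,name,phone,consent_source,consent_wording,consent_at,confirmed_at
ana@example.com,Ana,0700000001,website form,"news and live dates, max twice a month",2017-11-02T10:00:00+00:00,2017-11-02T10:05:00+00:00
ben@example.com,Ben,0700000002,ticket checkout opt-in,tour news from the artist,2017-12-15T19:30:00+00:00,
cy@example.com,Cy,0700000003,pre-ticked box,marketing,2016-05-01T12:00:00+00:00,2016-05-01T12:00:00+00:00
di@example.com,Di,,,,2015-01-01T00:00:00+00:00,
"""


def audit_csv(text):
    """Parse an export, drop unused columns, then audit the consent records."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return audit_consent(minimise(rows))


if __name__ == "__main__":
    keep, refresh = audit_csv(SAMPLE_CSV)
    print("demonstrable consent:", [r["email"] for r in keep])
    print("needs re-opt-in:", refresh)
```

Run as a script, the audit keeps only the subscriber who signed up through the website form and confirmed; the ticket buyer who never confirmed, the pre-ticked-box sign-up and the row with no consent source all land in the re-opt-in pile. The `minimise` step drops the phone column before anything else happens, which is the “delete the rest” point from the personal data section applied to an actual export.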
Data controller vs data processor
This sounds wordy, but it’s actually really important! The GDPR makes a distinction between data controllers and data processors. If you use an agency, marketing platform or another supplier (like a ticketing or ecommerce supplier) to capture data and process it for you, they are deemed a “data processor”, as they are being instructed on what data to collect and what to do with it. Your email service provider is a data processor. As the person making decisions about how to use the data, you or your organisation are the “data controller”.
The Data Protection Act 1998 requires every data controller – that is, every organisation which determines to collect, store and use personal data (that is, YOU) – to be registered with the Information Commissioner’s Office (ICO). More than 490,000 organisations are currently registered. Registration is straightforward, and for most organisations costs £35 per year.
Privacy policy
Now’s the time to update (or create) your organisation’s privacy notice. This should be easily accessible on your website, concise, and readily intelligible. It ought to include details on the controller, spell out the processing purposes, name any processors used, and contain an explanation of the subscriber’s rights. Where data is acquired through a third party processor, the controller should point to the privacy policy at the time of first communication with the subscriber, or within one month in any case. The ICO provides further guidance on what to include in your privacy policy here.
Security breach procedure
While a mailing list may not contain sensitive information, it’s still personal data within the GDPR, and as such it’s important to maintain internal procedures for dealing with a security breach. Controllers must keep records of all breaches, including the facts and effects, and any remedial action taken. Processors must notify controllers without delay, and in some circumstances, controllers must notify the ICO. Either way, the controller must document the incident. For more information on managing a data security breach, see here.
Make a start
In the UK, the ICO is the first reference for the GDPR, and information on its application will continue to evolve in the coming months. A working party on consent is due to publish final guidance in February. The UK’s Data Protection Bill is expected to pass in March, and will provide some additional detail on how the GDPR will be applied in this country.
See below for a checklist to get you started with your own mailing list compliance. While it may feel overwhelming and even a little excessive, do take these practical steps now to ensure you’re compliant. Ultimately, the GDPR is intended to safeguard the rights of the individual. Building a stronger relationship with fans is at the heart of direct-to-fan strategy, and it’s important to ensure the security of fans’ personal data as a part of that contract.
GDPR and your mailing list: compliance checklist
If you check either of these boxes, then…
– My organisation (artist, management company, label, publisher) is based in the EU
– We collect EU citizens’ personal data, including any of the following: name, email address, mobile phone number, address etc
Then before 24 May 2018, be sure to:
– Review your workflows and map out your processes to check where you are asking for personal data and where you are transferring data to other parties
– Confirm your email service provider is or will be compliant with GDPR requirements, for example confirm that personal data is stored in the EU
– Check any marketing tools you’re using to collect personal data are or will be GDPR compliant
– At the point of sign-up, be very clear that your fans are signing up to receive marketing communications (or anything else you’re intending to do with their data)
– Confirm that your existing subscribers’ consent is valid and you have clear records to demonstrate this consent
– If consent isn’t demonstrable: prepare to eat the frog and refresh consent
– Confirm that your marketing emails include an unsubscribe link
– Confirm that your marketing platform/email service provider enables individuals to opt to have their information erased should they withdraw their consent
– Register with the Information Commissioner’s Office as a data controller
– Update (or create) privacy and data breach policies
– Get started now to ensure you’re compliant by 25 May 2018
You can download the checklist here.
Wicksteed Works is a boutique consultancy laser focused on empowering musicians to maximise their audience and sales potential through connection, communication and coordination of kick-ass direct-to-fan campaigns. Click for more information and help with reviewing your organisation for GDPR compliance.
UPDATED: this post was updated on 14 February 2018, adding information on penalties, refreshing consent, privacy policies and breach management.