HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

GDPR and Cold Emailing

As mentioned above, cold emailing is not completely banned or prohibited by the GDPR but it has placed restrictions on how cold emailing can be used. Unrequested marketing materials cannot just be sent out to random email addresses. Doing so could even result in penalties against the organization.

Audience targeting for cold emailing will become much more important under the GDPR. The sender must be able to demonstrate a strong indication that the recipients will be interested in the subject matter. Something such as their job title or business area may be enough to justify contacting the target, but more information should be included when available. Obviously, any information used to support contacting an individual must be obtained legally and transparently. Other criteria that must be met include:

  • Emails should have their subject matter and topics plainly visible
  • The email should be personalized to the recipient. This is another area where target and subject relevance is crucial
  • An unsubscribe option must exist to enable recipients to opt out from receiving future communications
  • The identity of the sender must be clearly marked, with a physical contact address provided
  • It may be good practice for those creating email lists to record how they obtained the prospect's contact information, which information they collected, and why

As the GDPR gives data subjects the right to request a copy of their information held by an entity and the “right to be forgotten” – to have their information deleted from an organization’s database – any group that stores such information must put systems in place so that such a request can be rapidly granted.

The GDPR also requires data to be kept up-to-date – “every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted”. This means that email addresses that are invalid must be deleted from the database.

Another key element of the GDPR is data minimization, meaning that only the data required for the processing you are undertaking should be collected or accessed. In the case of those putting together email address lists to contact highly relevant prospects, this would only include the email addresses, names, and perhaps the names of the businesses or the job titles. If the fax or telephone number of the contact is not relevant, for example, it should not be processed. If other pieces of information are relevant, they can be used, but there must be a clear reason for their relevance. In the case of those offering a sign-up or opt-in emailing service, any information collected as part of the sign-up process must be clearly linked to why it is needed and the way in which it will be processed.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.