Like everyone else’s, my inbox has been full of GDPR emails pleading with me to opt-in, telling me I don’t need to do anything … and everything in between. They can’t all be right, can they?

As a consultant advising on data protection (as well as charity governance, compliance and risk-management), I’ve also had calls from clients, and others, asking why there are seemingly so many different variations, so here’s a simple guide:
GDPR tidies up a lot of existing regulations, and introduces a few new ones. Much of what you are expected to do now, you should have been doing all along.
The regulations relate to the handling of personal data by businesses, charities and public bodies, and so encompass a massive array of different organisations doing vastly different things with personal data. Working out how these one-size-fits-all rules work for your organisation is the challenge.
This explains the different approaches seen in all of those emails. Organisations are starting from different points. Some are already fully compliant (or think they are) and are just telling you how ahead-of-the-curve they are by having a new, improved privacy policy. Others have been trying to ensure that they are compliant by getting you to confirm that you are happy to receive emails, because they’re not confident that any consent received previously would stand up to scrutiny or they have no record of it.
Anyone emailing you marketing, promotional or fundraising material must, under a 2003 regulation, already have your consent. This applies to emailing you to ask you to consent to receiving such emails in future! If any of those emails have come from people to whom you never gave consent, they are likely to be acting unlawfully.
“Likely to be acting unlawfully”? Well, you could have agreed to their having your data by agreeing to the privacy policy of another organisation that told you that they would share your data. Even so, the specific rules relating to marketing emails and the consent needed would not regard second-hand consent as good enough.
Businesses selling goods or services are allowed to use a ‘soft opt-in’ to tell existing customers about similar goods or services that they sell. But charities which are not selling goods or services must have specific consent.
Which brings us on to a different point. Consent is not necessarily required for an organisation to hold on to your data, even though it is always required for marketing emails (and texts and automated phone calls). Although there must be a legal basis for ‘processing’ data, it will often be for one of the other allowable reasons – which are too detailed to go into here.
Administrative emails, those dealing with contractual or commercial arrangements and those from business to business (even if they are marketing), are treated differently by the regulations, but when an email (or text) is or is not marketing, business to business and so on is very much open to interpretation.
GDPR covers a huge array of other rights and obligations relating to privacy, security, what kind of data can be retained and for how long, how organisations have to be set up to handle data and what to do if something goes wrong. The current spate of consent-related emails is just the tip of one of several icebergs!!!
And because of this, 25 May is not the end of the world, or of your organisation’s obligations. There is an ongoing requirement to be compliant and to be able to show, if ever challenged or in the case of a breach or complaint, that you have the policies and systems in place to minimise risks and any impact, should something go wrong.
If you are affected by any of the issues in this post, please be in touch. You have my consent to contact me here!