The great GDPR kerfuffle
The May deadline for GDPR compliance has passed, and it became obvious in the run up to that date that many businesses and organisations had left it to the very last minute to address privacy issues.
GDPR is a European-wide overhaul of data protection regulations and has been in law since 2016 in the UK, but companies and organisations were given a two year grace period to achieve compliance. It is clear that many companies read this as meaning that GDPR requirements could be ignored until May 2018, leading to this last minute ill-informed scramble to respond to the deadline.
The confirmation deluge
The most obvious impact of GDPR in the final week before the deadline has been a deluge of mails in our inboxes from companies telling us they have changed their terms and conditions and asking for consent to keep our addresses on their mailing lists. I even had emails from companies I have never heard of before asking me to confirm that they can continue to hold me on their database. Legal experts have pointed out though that many of these emails were unnecessary, and the rest were probably illegal misuses of data they should never have held in the first place.
For the recipients of these "GDPR Compliance" emails, this has hopefully been a great way of finally getting off some of those lists, much to the distress of marketeers who think everyone plus their dog should be carpet bombed with their advertising mailshots. Legal experts have also reiterated that consent needs to be affirmative. You cannot treat no response to your email as implied consent.
Consent requires a positive opt-in
This newsletter has been running for over ten years now and has always required confirmed opt-in. When we receive a sign up request, we send an email to the address we have been given and ask the recipient to confirm that the request really came from them and that they wish to receive the newsletter. Unless we receive a positive confirmation, our system will not add the address to the mailing list.
Consent must be informed
People are being advised not to bury consent information inside terms and conditions documents. At Skill Zone we have long had a practice of spelling out the relevant privacy policy next to the forms at the point of data entry and in plain English, so that people don't have to wade through pages of legalese designed to intimidate. Usually our statement on the form is one designed to reassure, e.g. "We will use your details only for the purposes of responding to your enquiry. You will not be added to any mailing lists and we will not pass your details on to any third parties".
Consent must be freely given
You cannot make the use of other services conditional upon giving consent for use of personal information, although many websites currently do just that. In the case of this newsletter, we mail it to people who wish to receive it in their inbox, for which we need a minimal amount of personal information, namely their email address. We do not ask for any other personally identifiable info such as age, gender, or social group. We also publish a copy of the newsletter on our website where anyone may read it without any need to register with us or reveal any identity information at all. Unlike many well-known websites which pop up cookie consent requests before you can use the site, our site does not use any form of tracking cookies, and you can use it without any fear of tracking or profiling (unless you are trying to hack into it, of course, in which case we log everything, as we are legally entitled to do).
Keep evidence of consent
I have lost count over the years of the number of times we have received mails from spammers (which we had not consented to) which offered mailing lists for sale and included an unsubstantiated statement that the people on it had all consented to receive mailshots. Equally, there have been numerous times when I have complained to companies about receiving junk mail from them and asked how they obtained my address or phone number, only to be told they supposedly came from "other reputable organisations they work with", but are unable to provide me with any details. Under GDPR, you need to be able to show where and how you obtained consent, and saying you bought a mailing list in good faith does not make you GDPR compliant. If you look at the bottom of this email, you will see that it states quite clearly how we verified your email address and consent, even if you subscribed ten years ago when this newsletter started.
People must be able to withdraw consent easily
In the past, some organisations have simply ignored requests to be removed from mailing lists, and others created obstacles, such as requiring you to find a well-concealed and confusing form on the website to fill in even more information, with still no guarantee that they would honour the request. In some extreme cases, you have to register with an organisation just so that they can send you an unsubscribe email. With this newsletter, there is (and always has been) a link at the bottom of every single email we send out which allows the recipient to opt out with just a couple of clicks, no questions asked, and unlike many mailing lists, this takes effect immediately. We don't roll out that old chestnut of "it may take up to 28 days to action your request".
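The three practices described above (confirmed opt-in, a retained record of where and how consent was obtained, and an immediate one-click unsubscribe) as an added Python sketch. This is illustrative code written for this article, not the newsletter's own system; the 48-hour confirmation window and the field names in the consent record are assumptions.

```python
import secrets
from datetime import datetime, timedelta, timezone

CONFIRM_WINDOW = timedelta(hours=48)  # assumed: unconfirmed requests lapse after this


class NewsletterList:
    """Confirmed-opt-in mailing list that keeps a consent record per subscriber."""

    def __init__(self):
        self.pending = {}       # confirm token -> sign-up request awaiting a reply
        self.subscribers = {}   # email -> consent evidence record
        self.unsub_tokens = {}  # unsubscribe token -> email

    def request_signup(self, email, source, now=None):
        # Step 1: note the request and return the token to put in the confirmation
        # email. The address is NOT on the list yet: no reply means no consent.
        now = now or datetime.now(timezone.utc)
        token = secrets.token_urlsafe(32)  # unguessable and single use
        self.pending[token] = {"email": email, "requested_at": now, "source": source}
        return token

    def confirm(self, token, now=None):
        # Step 2: only a reply carrying a live token adds the address.
        now = now or datetime.now(timezone.utc)
        req = self.pending.pop(token, None)
        if req is None or now - req["requested_at"] > CONFIRM_WINDOW:
            return False
        unsub = secrets.token_urlsafe(32)  # per-subscriber link for every email sent
        self.subscribers[req["email"]] = {
            "source": req["source"],                       # e.g. which form
            "requested_at": req["requested_at"].isoformat(),
            "confirmed_at": now.isoformat(),
            "method": "confirmed opt-in via emailed token",
            "unsubscribe_token": unsub,
        }
        self.unsub_tokens[unsub] = req["email"]
        return True

    def consent_evidence(self, email):
        # What you can show when asked where and how consent was obtained.
        return self.subscribers.get(email)

    def unsubscribe(self, token):
        # One click on the link at the foot of any email; effective immediately.
        email = self.unsub_tokens.pop(token, None)
        if email is None:
            return False
        del self.subscribers[email]
        return True
```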
GDPR isn't that difficult
Organisations which have a culture of respecting privacy should have little trouble complying with the high standards set by GDPR.
30th May 2018
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are original content.