GDPR – God Damn Permission Requests
Whether you’ve been involved in implementing systems and processes for GDPR compliance, or your inbox has been filled with unnecessary, possibly illegal, messages about it, chances are you’re sick of hearing about GDPR.
GDPR | Intro
On May 25, 2018, the new GDPR, or General Data Protection Regulation, finally came into play, replacing previous Data Protection Laws. The new rules apply to all businesses operating within the EU, including those based outside the area who operate within it. The threat of heavy fines for non-compliance, up to 4% of global turnover for serious infringements, combined with large numbers leaving their preparations to the last minute, left many scrambling to meet the GDPR deadline.
One of the main issues faced, leading up to May 25, was that we were only given GDPR Guidelines, a lot of which are open to interpretation.
Where there are grey areas, and a fear of heavy fines, there’s an opportunity to be exploited. Whether through poor planning, misinformation from the media, or so-called GDPR specialists who charged large fees based on fear but weren’t actually data protection experts, it’s apparent that many companies have made mistakes.
Some have possibly caused unnecessary damage, losing large parts of their marketing databases when they didn’t actually need to. Others may have inadvertently broken the law as they scrambled to try and become compliant, but didn’t understand the requirements.
GDPR | Expert Advice
I don’t claim to be an expert on GDPR and this article isn’t giving you legal advice. I’m not qualified to do that. The GDPR Guidelines are exactly that – guidelines, and in my opinion we’ll only understand the full extent of the new laws as legal cases go through the courts. We may not have to wait that long. Tech giants Google, Facebook, WhatsApp and Instagram were issued with lawsuits over “forced consent”, on the very first day, by privacy campaign group Noyb.
Dr Kuan Hon, one of the leading Data Protection lawyers in the UK, has spoken in the past about how GDPR has been used as a cash cow by some. Where there’s a lack of understanding and a fear of heavy fines, there’s an opportunity for people to exploit.
Perhaps one of the most damaging mistakes businesses have made is over the lack of understanding about “Consent”, leading to a flood of “opt in” and “permission requests” in people’s inboxes.
“My biggest concern is that lots of companies, including SMEs, have forked out a lot of money for the wrong advice that may even harm them – as in the re-consenting case.”
Dr Kuan Hon
Dr Hon blames “bad advice being given by non-data protection experts, not helped by media misinformation about the GDPR, all at levels that seem unprecedented”, criticising companies for bombarding our inboxes with GDPR opt-in emails in recent weeks, claiming they were completely unnecessary. She continued: “The proliferation of unnecessary emails asking people to reconfirm their ‘consent’ to receive future communications: most of those have only resulted in organisations losing large parts of their marketing databases when they didn’t need to.”
GDPR – God Damn Permission Requests
Those of us, and let’s be honest, that’s most, who’ve received untold emails have become pretty annoyed by the constant requests to “stay in touch” and “opt in”, leading to memes like the one at the top of this page appearing on social media.
The sheer volume of these messages is likely to have driven us either to ignore them, even though these messages have said that if you don’t opt in your data will be deleted, or to hit “unsubscribe”. I’m interested to see if I receive future messages from those who told me it was my last chance to confirm my consent or be deleted.
The irony is that these companies didn’t necessarily need to do this. Those that have sent requests may have caused themselves needless paperwork. Some may have actually sent out illegal messages. Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood, said:
“Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR.”
Vitale continued: “The first question to ask is: which of the six legal grounds under the GDPR should you rely on to process personal data? Consent is only one ground. The others are contract, legal obligation, vital interests, public interest and legitimate interests.”
“Even if you are relying on consent, that still does not mean you have to ask for consent again. Recital 171 of the GDPR makes clear you can continue to rely on any existing consent that was given in line with the GDPR requirements, and there’s no need to seek fresh consent. Just make sure that your consent met the GDPR standard and that consents are properly documented.”
GDPR | Consent isn’t always required to process data
In other words, if the business had consent to communicate with you before GDPR, that consent probably carries over. Even if it doesn’t, there are five other reasons a company can cite for continuing to process data. What’s more, Vitale said, if the business lacks the necessary consent to communicate with you, it probably lacks the consent even to email asking you to give it that consent.
“In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email.”
The lack of understanding around “consent” under GDPR has prompted the ICO to try to clarify some of the “myths” of GDPR. Steve Wood, the deputy information commissioner, wrote in guidance for businesses:
“We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them. So think about whether you actually need to refresh consent before you send that email, and don’t forget to put in place mechanisms for people to withdraw their consent easily.”
Like Vitale, Wood said asking for marketing consent from people who had not given it initially could be illegal. “It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act,” he said.
GDPR | Consent Issues
One of the main issues regarding consent is that many businesses to date hadn’t recorded when and how they received consent to contact customers. For years many have just stored vast databases of email addresses.
“Some companies may simply be unable to demonstrate that they have consents, either because they don’t or they do not have a trace of it,” said Lukasz Olejnik, a privacy researcher and consultant. “This fact, that some companies simply never had consents or are unable to demonstrate having consents, is sometimes discussed among both policymakers and consultants. There are also discussions over companies not respecting even the existing data privacy regulations.”
GDPR | Many in the UK are still not ready
The flurry of activity in the final weeks running up to May 25 made it apparent that many companies had left their preparations until almost deadline day. So much so that, the day before deadline day, the Information Commissioner’s Office (ICO) website experienced serious issues, most likely the result of the number of companies leaving it to the very last moment.
Apparently, a downloadable PDF guide on the GDPR legislation from the ICO website caused their site to hang. When the PDF finally appeared, instead of the full guide, people trying to access it only got the front cover. On page 2, an error message read:
“We’re sorry, but our website is unavailable at the moment. Please try again later.”
Not great for those who had not properly prepared previously!
The new regulations give people in the EU powers to access and control their personal data. They also give regulators greater power to levy fines on firms who mishandle data or fail to be transparent in how they collect and use it.
Yet according to the Federation of Small Businesses (FSB), despite the threat of heavy fines, a lot of businesses in the UK still aren’t ready for the changes brought in by the new GDPR laws.
Mike Cherry, national chairman of the FSB, warned that many smaller firms were still working on their compliance with the new GDPR laws, stating:
“GDPR is here and the likelihood is that many of the UK’s 5.7 million smaller businesses will not be compliant”
He added that the ICO needed to show understanding in its enforcement of the regulation. “It is imperative that the ICO initially deals with non-compliance in a light touch manner as opposed to slapping small firms with fines. Small businesses must see the ICO as a safe space where they can go for advice and help in making the changes necessary to be compliant.”
The ICO reassured businesses it will not rush to levy large fines the moment GDPR comes into force. Information commissioner Elizabeth Denham wrote this week that “although the ICO will be able to impose much larger fines, this law is not about fines. It’s about putting the consumer and citizen first”.
As with PPI and, more recently, the challenge of fines for taking kids out of school for holidays in term time, it looks like we’ll have to watch this space and learn from the legal cases that unfold. Until then we can interpret the guidelines and try to comply with the regulations as best we can.