22.05.2018

Some GDPR emails maybe be illegal

A large number of emails are flying into inboxes at the moment from companies wanting to keep customers and prospects on their mailing list. Some of these emails may be illegal according to privacy experts. The reason why companies are contacting people is due to a change in data privacy laws (GDPR). This change is advising companies that they need to ask the owner of personal data they hold to allow them to contact them about the services and products the company provides. Failing to meet the GDPR requirements can lead to a fine in excess of €20Million or 4% of the annual turnover.

One member of a law firm said “If the business really does lack the necessary consent to communicate with you, it probably lacks the consent even to email to ask you to give it that consent”. The same member of a law firm said “In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email”.

In general, there is a lack of understanding around when and why consent is needed under GDPR. The Information Commissioner`s Office is looking into some of the myths surrounding GDPR. The deputy information commissioner said “We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them. So think about whether you actually need to refresh consent before you send that email, and don’t forget to put in place mechanisms for people to withdraw their consent easily”.

One members of a law firm said “It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act”.

A privacy researcher and consultant, said “Part of the problem was that many businesses were not in the habit of recording when and how they received the initial consent to contact customers, instead just storing vast databases of email addresses. Some companies may simply be unable to demonstrate that they have consent, because they do not have a trace of it.” 

Before you spend too much valuable time and money on a project to gain consent from old data records that you hold, take a moment to review the legislation. Ensure you know who and what you are asking and why. You will most certainly find that some consent you already have and others you have no legal basis to ask for.