The Courier & Advertiser (Fife Edition)
Questions answered on data protection rules coming in next month
GDPR: Companies must ensure they comply with new legislation
Most, if not all, organisations process personal data to some degree.
Currently, this is governed by the Data Protection Act 1998.
However, as part of the European Commission’s attempts to “make Europe fit for the digital age”, data protection is undergoing significant reform.
On May 25, the General Data Protection Regulation (GDPR) will become effective in the UK and organisations must be compliant.
If they don’t, they could expose themselves to penalties of the greater of 4% of turnover or €20 million.
Organisations will have to consider what steps to take to become GDPR compliant and an area of particular interest is marketing by email, an activity most organisations partake in.
Here are answers to some common questions about GDPR:
Q: Do I need someone’s consent to send them an email marketing message?
A: Possibly. Organisations have two options to justify sending email marketing communication – consent or “soft opt-in”.
Q: What does GDPR expect for “consent”?
A: The GDPR has completely revamped the concept of consent, stating it must be freely given, specific, informed and unambiguous. It will no longer be acceptable for organisations to rely on pre-ticked boxes or to make access to a service subject to receiving customers’ consent to marketing.
Q: What is the “opt-in option”?
A: Where an organisation obtains the email contact details from an individual during the sale of goods and services, the organisation can email the individual to promote its similar goods or services and use this soft opt-in as the justification for the marketing email.
However, the organisation must give the individual the opportunity to object at the time the contact information was first collected and present that opportunity to object with each email communication.
An “unsubscribe” button would satisfy this requirement.
Q: I’m not sure if I have consent or can rely on “soft opt-in”. Can I send a blanket email to my current database, asking them to opt in and provide GDPR compliant consent?
A: If you do not have consent or a soft opt-in documented that complies with the current regime then no, you cannot.
The Information Commissioner’s Office (ICO) has concluded that this in itself is a marketing email and violates the rules on how an individual’s personal information should be treated when sending marketing emails.
The ICO head of enforcement stated that “sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law… businesses must understand they can’t break one law to get ready for another.”