
GDPR - a problem for Irish online retailers?

  • 23-05-2018 2:34pm
    #1
    Closed Accounts Posts: 4,732 ✭✭✭


    Don't know about you, but I've received a good quantity of emails looking for me to reconfirm subscription to mailing lists etc. Increasing by the day as D Day approaches.

    I think I've clicked 'Confirm' to one or two. The rest I simply don't have the time or inclination to see if they are genuine. With the Gardai warning people of potential scammers exploiting this and just general public apathy, I don't think it's hard to predict that many businesses will find their customer mailing lists decimated as a result.

    Was this fully thought through?

    I guess in time, I'll resubscribe to various lists and that'll be the general pattern. But in the meantime, a big hole is going to appear in most companies' contact lists.


Comments

  • Registered Users Posts: 38 crkcvnirl


    Hi,
    First off I'm open to correction so if I'm way off the mark would appreciate a correction.

    I've been looking at this myself and have viewed a number of info vids and my understanding of it is: As long as a retailer / data controller has contacted their list members, in most cases this will be by email, prior to 25th May, the Data Protection people will deem the retained list(s) as valid, but moving forward from that date explicit permission will be required.

    Of course if a list member removes themselves or requests a removal this removal request must be acted upon.

    Thoughts anyone?

    Regards


  • Closed Accounts Posts: 4,732 ✭✭✭BarryD2


    crkcvnirl wrote: »
    Hi,
    First off I'm open to correction so if I'm way off the mark would appreciate a correction.

    I've been looking at this myself and have viewed a number of info vids and my understanding of it is: As long as a retailer / data controller has contacted their list members, in most cases this will be by email, prior to 25th May, the Data Protection people will deem the retained list(s) as valid, but moving forward from that date explicit permission will be required.

    Of course if a list member removes themselves or requests a removal this removal request must be acted upon.

    Thoughts anyone?

    Regards

    So what you are implying is that we can all happily ignore these GDPR email notices coming in this week. And that by doing so, customers will not be struck off? If so, I haven't heard that angle?


  • Registered Users Posts: 14,810 ✭✭✭✭jimmii


    Yeah I'm not reading it like that at all! Also I'm sure all these massive companies with their huge GDPR teams haven't all got it completely wrong sending us all these emails to opt in to stay in touch! I'm taking a better safe than sorry approach and waiting to see how it plays out. It's been a nightmare trying to sort this all out dealing with a 14k membership database of aging members, not all of whom regularly use email!


  • Registered Users Posts: 38 crkcvnirl


    Hi,
    Firstly, to clarify my personal interest. It’s regarding the holding of data within a bulletin board and other online systems.

    I double checked my interpretation of things this morning by calling the Data Protection office and what I was told is as follows:

    1) If users are engaging with a company or business online and are already on a user list, existing consent is implied so the existing users/customers re-consent is not needed.

    2) Positive consent is needed for all new users / customers from tomorrow.

    Note: Pre-selected consent check boxes won't be acceptable. In most cases check boxes are being used, so just ensure they're not pre-filled.

    3) Businesses that are requesting re-consent from their existing email/user lists are doing so as a matter of good practice, but they are not obliged to do so.

    4) A business must ensure they have a data retention policy documented and available for existing and potential customers.

    What if a business has an old unused email list?
    If a business has built up an email list but for whatever reason has never used it, this falls into a grey area. However, they can mitigate the effects of the incoming rules by sending an email to their list today explaining their GDPR and data retention policy etc. This email will be looked upon as the business engaging with their email lists. If following this email users do not request removal then continuing consent will be implied, as per item 1 above. Of course retention policies must be acted upon!

    I am not a legal expert so you can verify details of my post by contacting the Data Protection Commission on +353 (0)761 104 800

    Hope you find this helpful
    Regards


  • Closed Accounts Posts: 4,732 ✭✭✭BarryD2


    crkcvnirl wrote: »
    Hi,
    Firstly, to clarify my personal interest. It’s regarding the holding of data within a bulletin board and other online systems.

    I double checked my interpretation of things this morning by calling the Data Protection office and what I was told is as follows:

    1) If users are engaging with a company or business online and are already on a user list, existing consent is implied so the existing users/customers re-consent is not needed.

    2) Positive consent is needed for all new users / customers from tomorrow.

    Note: Pre-selected consent check boxes won't be acceptable. In most cases check boxes are being used, so just ensure they're not pre-filled.

    3) Businesses that are requesting re-consent from their existing email/user lists are doing so as a matter of good practice, but they are not obliged to do so.

    4) A business must ensure they have a data retention policy documented and available for existing and potential customers.

    What if a business has an old unused email list?
    If a business has built up an email list but for whatever reason has never used it, this falls into a grey area. However, they can mitigate the effects of the incoming rules by sending an email to their list today explaining their GDPR and data retention policy etc. This email will be looked upon as the business engaging with their email lists. If following this email users do not request removal then continuing consent will be implied, as per item 1 above. Of course retention policies must be acted upon!

    I am not a legal expert so you can verify details of my post by contacting the Data Protection Commission on +353 (0)761 104 800

    Hope you find this helpful
    Regards

    That is helpful. So essentially there's a bit of ado about nothing here. As long as businesses have been emailing people on subscription lists over the past year or so let's say, then consent for the existing lists is implied.

    And all businesses need to do after tomorrow is to seek consent actively.

    So all these emails flying in about GDPR and reminding us to confirm our interest are just fluff and meaningless?


  • Registered Users Posts: 38 crkcvnirl


    Yip a bit of a todo alright. Obviously consent mechanisms and retention policies need to be reviewed. As for all these GDPR emails doing the rounds I'd reckon spammers can't contain themselves. It's a dream come true for them.

    Looks like a lot of people didn't bother to make that 2 minute phone call to the DPC and paid consultants handsomely for their advice.

    It deffo has a Y2K feel about it alright!

    If anyone would like to give me money oh I mean needs GDPR advice do PM me!


  • Closed Accounts Posts: 4,732 ✭✭✭BarryD2


    crkcvnirl wrote: »
    As for all these GDPR emails doing the rounds I'd reckon spammers can't contain themselves. It's a dream come true for them.

    Golden opportunity alright to catch people out, given the publicity about data protection and privacy etc in past several months. That's bound to have planted an idea in the public mind that people should open and examine all such mails.


  • Registered Users Posts: 2,146 ✭✭✭witchgirl26


    A lot of businesses are sending them out as a way to "clean house" as such. They have to maintain registers internally noting the amount of data they have, so every individual on a contact list counts as one. Many will have massive listings and asking people to opt in or out allows them to sort these out in advance of the more strict rules around retention of personal data coming in. It's up to an individual company as to which way they want to do it. It also means that they are completely covered in the event of any audits as one of the pieces of information they are meant to maintain is the date of consent. Allows them to keep the lists up to date and be able to show exactly when consent was obtained.


  • Registered Users Posts: 16,413 ✭✭✭✭Trojan


    I'm not a lawyer; consult your legal counsel for specific legal advice.

    That said, here's a few thoughts:
    • The regulation does not mention the word "checkbox".
    • It does say: "consent" of the data subject means any freely given, specific, informed and unambiguous.
    • If you do choose to use a checkbox, you probably should not pre-tick it
    • If you had previously gotten consent to contact someone in what would now be a GDPR compliant fashion, then you probably don't need to re-consent.
    • If you decide to send a re-consent campaign this week, I'd put money on you getting about 5-10% opt-in, possibly less. People are sick and tired of these emails right now.
    • Removing people who are not interested in receiving your emails is usually a good thing.
    • Explicit consent is not the only legal basis to contact someone. Contractual performance, and legitimate interests are two other options. The UK ICO has some good info on this here.


  • Closed Accounts Posts: 4,732 ✭✭✭BarryD2


    A lot of businesses are sending them out as a way to "clean house" as such. They have to maintain registers internally noting the amount of data they have, so every individual on a contact list counts as one. Many will have massive listings and asking people to opt in or out allows them to sort these out in advance of the more strict rules around retention of personal data coming in. It's up to an individual company as to which way they want to do it. It also means that they are completely covered in the event of any audits as one of the pieces of information they are meant to maintain is the date of consent. Allows them to keep the lists up to date and be able to show exactly when consent was obtained.

    Perhaps, but one suspects that they are largely wasting their time. Based on people I've talked to, they are mostly ignored and/or deleted.

    Maybe it provides a bit of cover in terms of paperwork. And that's about it. In future though, it looks that the process of signing up new customers to mailing lists will be tightened up.


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    A lot of the emails that companies have sent out in the last week or so aren't necessary.
    There's a pretty good overview here:
    https://iapp.org/news/a/are-all-these-gdpr-consent-emails-even-necessary/

    On "consent" - it's a very messy area from a data protection perspective, but pre-checked tick boxes are a definite no go.
    Old mailing lists etc - also a no go. If you held onto the data for years and never used it up until now then you really shouldn't be using the data.

    As Trojan mentioned, if you're providing goods / services to people you're entitled to communicate with them about that.

    Upside to all this confusion is that I've managed to remove myself from a load of mailing lists I'd forgotten about :)

