The impact of the GDPR on sending emails and networking
Thank you to Ian Grey of WADIFF Consulting for his guest blog clarifying some of the important points we will all have to adhere to in 2018
On 25 May 2018 the General Data Protection Regulation (GDPR) replaces the Data Protection Act (DPA). The aim is to give individuals more control over how their personal data is used and get businesses to be more transparent over how it will be used. The UK Government have confirmed that Brexit has no impact. Businesses will have to think differently over how they use personal data and be prepared to justify the use if asked by an individual. There are a lot of myths and scare stories of what is going to happen. This was not helped by the Sun saying “Builders, cleaners and gardeners could face huge fines just for sending an EMAIL to drum up business thanks to draconian EU laws on data protection”. The Information Commissioner did a blog to say it ‘is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that”.
We still don’t know everything, but that should not stop a business starting to prepare for May 2018. This blog looks at the impact on sending emails and on getting business cards at networking meetings. Guidance on how to interpret the GDPR for day-to-day use has been coming from the Information Commissioners Office (ICO), the Article 29 Data Protection Working Party (who advises on Data Protection) and the equivalent of the ICO in different EU countries. The GDPR is not the only relevant legislation. There is also the Privacy and Electronic Communications Regulations (PECR) which sites alongside the DPA. This is going to be replaced by the ePrivacy Regulation that aligns it with the GDPR. But there is a problem. It was due to be ready for May 2018 but this looks increasingly unlikely due to the number of issues raised on the draft. As the GDPR sets more stringent requirements for dealing with personal data, let’s go with those.
The first step is to see what is meant by ‘personal data’. This is defined in Article 4 of the GDPR as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. A much wider definition than under the DPA, but one that reflects our online world.
Emails such as firstname.lastname@example.org or email@example.com are not personal data as you cannot identify an individual (aka data subject). firstname.lastname@example.org definitely is personal data. But what about email@example.com or firstname.lastname@example.org? They should be considered as personal data as they could be indirectly linked to a person if combined with other data.
In the brave new GDPR world you need to know the lawful basis for sending an email (which is a type of processing). The Information Commissioner did a blog on 16 August 2017 about this. The likely ones for a business are consent, legitimate interest, contractual or legal obligation. If you decide that consent is the lawful basis, and that will probably be the case if you send out marketing emails you need to make sure you have a record of when consent was given and that the person had the details required by the GDPR. This includes:
- Details about the data controller
- Contact details about the controller’s Data Protection Officer (if one exists). This could be a generic email address such as email@example.com as the person in the role could change over time
- What processing is done and the legal basis for doing it (consent, legitimate interest, contractual requirement etc.)
- Who data will be passed on to, if that is applicable. It is no longer valid to say something like ‘our carefully selected partners’, it must be more specific
- How long data is retained
- How to exercise the right to have data erased, to withdraw consent, to lodge a complaint with a supervisory authority etc. This will probably be a generic email address such as firstname.lastname@example.org
As you are unlikely to have that for existing contact details you need to go back and ask for it, giving the required information so when consent is given it will be valid. But you should only do this once. And make sure you don’t ask someone that has told you that don’t want to be contacted, Flybe were fined for doing this.
You are at a networking event and come away with business cards of people you want to talk to later. As I am sure you would have said this to them at the time, and they verbally agreed to it, there is a legitimate interest to send an email follow up to arrange a call or meeting. As part of that email, you could include a link to a page where they could sign up to your email updates. There is also a view that a follow up email is allowed as handing someone a card is an affirmative action and there is a reasonable expectation of a follow up. Covered under ‘consent through a course of conduct remains valid’. What should be avoided is adding to mailing list and using MailChimp etc. to send out the follow up email or adding them to your mailing list straight away.
And finally, I have to say ‘this is not legal advice’ as I am not a Lawyer.
Information and Cyber Security Consultant
If you would like further information go to WADIFF Consulting or give Ian a call.