The GDPR (General Data Protection Regulation) is EU legislation that will give consumers greater powers over the use of their personal data and give businesses a single set of rules to follow to operate in Europe. As a business owner and interim project manager I am keeping an eye on the subject. I am also keen to rid the world of spam email and junk mail.
Unfortunately, the legislation won’t impact the volume of emails I get purporting to be young women who feel I am in need of a prostitute, nor will they be effective for organisations that are based outside the EU or don’t care about the law (think ‘hello I am calling from BT/ Windows Support’ type calls). But it is going to help most of us simplify our inboxes, telephone communications and post.
I am building up this post in the coming weeks and it comes from the perspective of the people whose privacy GDPR will protect. If you run a business you should check this link to the Information Commissioner’s Office (ICO) website. The pdf is a great guide to the legislation.
I am going to cover a few different subjects and talk about my experience with different organisations. A few caveats first:
- I am not a legal expert and am not making claims of irregularity.
- The details of the law are still under consultation by the ICO.
- The bill has not been introduced into parliament at the time of writing, but must pass into law by 6 May 2018 and will apply in the UK from 25 May 2018. Even after that date, the application of the law will change as cases are prosecuted (case law).
Companies will be well motivated to comply with the new legislation. The ICO will be able to fine companies up to £20 million. And anyone affected by a ‘breach’ will be able to claim compensation.
Consent – (updated 5 October 2017)
Why start with consent? The GDPR standard on consent means consent has to be clear. If it isn’t yet clear (or fails to meet any other part of the standard) then there is a good chance the organisation hasn’t addressed GDPR. If you are a customer (in the broadest sense) this should set your privacy-sense tingling. If you are a stakeholder in an organisation, then you should ask whether you want to deal with the repercussions of failing to comply with the legislation. This link takes you to the Article 29 definition of consent.
Requests for consent must “meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.” (ICO 12 point guide to GDPR)
You may have already noticed changes in the way companies ask to use your data. Those who are taking the law seriously and getting ready for it will be considering whether to delete all their data (some companies have already done so, because they know they did not obtain consent in the ways described above or have already had their fingers burnt under existing legislation) or are using mailshots (email and paper) to ask for consent to continue processing our data. Good for them – though they should consider whether this use of personal data is itself legal or could lead to a fine.
Companies are also changing the way they ask for consent. We must be asked how companies can use our data, and the request must meet all the criteria quoted above. This should mean:
- No more hidden terms saying that by buying from a company you consent to receive catalogues or other communications.
- No more complex, triple-negative ‘opt-in (or was it opt-out?)’ statements.
- No more pre-completed (pre-ticked) opt-in boxes.
- I am hoping that returning post ‘to sender’ with a request to desist will classify as withdrawing ‘consent’.
- No more phone calls from EU-based companies trying to sell you something. No-one is sure what will happen to the UK law post-Brexit, but it seems unlikely it will change much and I hope we can agree mutual respect of privacy.
- You should see a decrease in spam from legitimate EU-based companies, and you may even have to opt in to some mailing lists. Again, this may change after Brexit; we can only hope not.
On 4 October, I shopped around for car insurance. I tried the big four comparison sites – MoneySupermarket, Confused, Go Compare and Compare the Market. To my mind, only MoneySupermarket complied with the regulations. Of the remaining three, one had an opt-out and the other two had pre-selected the options. I also tried Aviva and Direct Line – they also pre-selected the opt-in options. As mentioned earlier, pre-ticked opt-ins will not be legal from 28 May next year.
I also got an email from an agent I use. They recently bought out my previous agent and I started to get spam from them. I will be writing a stern letter as I haven’t consented, nor do they give me the ability to easily withdraw from their assumed consent.
On 5 October I signed up for a Sparks card. M&S made receiving SMS, Email and post a condition of getting my card. I suspect this is legal but isn’t really adhering to the ‘spirit’ of the legislation.
If you want to reduce the paper mail, email and phone calls you are getting now:
a) Use the opt-out provided by legitimate companies (don’t click on any links if you think an email is fraudulent, even then err on the side of caution and see point g below).
b) Email or write to the company secretary or owner (you can find their contact details on the Companies House website). Tell them you will have no hesitation in reporting them to the ICO next May (the Information Commissioner, Elizabeth Denham, has informed the Home Affairs select committee that her office will need extra resources to manage GDPR and Brexit). Be polite.
c) If cold called, ask the operator if they have seen your consent to be called. If they haven’t, tell them their employer may be putting them in a position of gross negligence (at best) or breaking the law (at worst), and ask them to personally make sure your details are removed from any list – again, be polite and use their name. The outcomes mentioned above are an assumption on my part.
d) Don’t forget the Mailing and Telephone Preference Services; they work well for legitimate, ethically minded, smart companies. If you get unwanted post and email from charities, use the new Fundraising Preference Service.
e) If unaddressed post coming through your letterbox really gets your goat, you can opt out of the leaflets delivered by Royal Mail.
f) Learn how to block numbers on your mobile (Apple, Android) and, if you have a landline, ask your provider if they can block nuisance calls (my provider, Plus Net, does). Hopefully, mobile providers will also start to block nuisance calls.
g) Get familiar with your spam filters. Most ISPs (e.g. BT), web hosts (e.g. Siteground) and email providers (e.g. Google) have spam filters, as do many email clients (e.g. Outlook). But some legitimate email may be blocked, so make sure you know how to check your spam folder or quarantine and recover the email you want.
I hope this short piece is of use to you. I will continue to add my thoughts on other aspects of the legislation and update the information over the coming months.