Lawmakers and journalists have made bold claims about the EU General Data Protection Regulation (GDPR) over the past few years. ‘It will mitigate the threat of cyber attacks’. ‘It will give individuals more control over their personal data’. ‘It will lead to strict punishment for poor data protection practices’.
These are all true, or at least there’s ample evidence to suggest as much. But some people have claimed that the GDPR will signal an end to one of the biggest annoyances to people’s Internet experiences: spam emails.
That, we’re afraid to say, isn’t quite true. The GDPR won’t stop the sort of spam that contains bogus links and malware, because such emails have always flouted the law and there’s no reason to think that the GDPR will stop that. However, the Regulation will make it less likely that you’ll receive unsolicited emails from organisations you barely remember giving your contact details to. This is because of drastic changes to consent requirements.
Current data protection laws are soft on consent. When signing up for something, organisations will often include an option that says ‘contact me about future offers’, which might be pre-ticked, buried in the small print or written in confusing double or triple negatives. It’s therefore easy to give your consent without meaning to or even knowing that you’ve done so.
The GDPR addresses this, mandating that consent must be given using “clear, affirmative action”. Requests must also:
- Be separate from other terms and conditions;
- Allow individuals to consent to some, all or no options;
- State which third parties will be relying on consent;
- Be documented, so that the organisation has a record of who consented to what;
- Give individuals the option to withdraw their consent at any time; and
- Not take advantage of an imbalance in the relationship between the individual and the organisation (such as an employee and employer or a tenant and a housing association).
These requirements mean that unwanted emails from legitimate organisations should disappear altogether. Individuals need to take deliberate steps to agree to receive emails, and if they change their mind, they can unsubscribe. The GDPR states that it should be as easy to withdraw consent as it is to give it, which will usually mean little more than checking/unchecking a box and clicking a button.
Organisations might criticise the toughness of these requirements, but it’s really a win-win situation. Unwanted emails almost always go into users’ trash folders unopened, only serving to waste the organisation’s time and make potential customers resent them for sending apparently unsolicited messages. Under the GDPR, organisations will have a leaner, more concentrated pool of email recipients who are genuinely interested in their products and services.
There are other ways for organisations to collect personal data. Consent is only one of six lawful grounds for processing individuals’ information, and it’s generally the least preferable option. We’ve focused on it here because it’s the most appropriate ground for sending marketing (or ‘spam’) emails, but organisations should also consider the validity of legitimate interests.
They should be careful, though, as the Regulation states that the interests of individuals should always supersede those of the organisation. It adds: “Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her.”
With supervisory authorities pushing awareness of the GDPR and individuals’ right to object, organisations might find that relying on legitimate interests is more trouble than it’s worth. Those who don’t want to receive emails will object, forcing the organisation to provide them with a copy of any data it holds on them and then, in all likelihood, to delete it.
Whatever lawful ground is used, it remains valid only for as long as the data is still serving the purpose for which it was originally collected. You could argue that organisations intend to send marketing emails indefinitely, meaning individuals’ personal data is always meeting its purpose. However, experts have refuted this, saying that any lawful ground needs to be reviewed and updated at least every two years.
The complexity of the GDPR means that anyone involved in handling individuals’ personal data ought to spend considerable time studying the Regulation.
Our GDPR Staff Awareness E-learning Course provides a flexible way of introducing your staff to the Regulation’s compliance requirements. It’s suitable for all staff, and covers the scope of the Regulation, the key data protection roles, the principles for collecting and processing personal information, and how to apply the requirements to your organisation.
We also offer in-depth GDPR training for those looking to begin or advance their career in data protection. Depending on your level of expertise, you might be interested in:
The courses are available in classroom, Live Online and distance learning formats.
Book these courses together in our combination course and save 15%.