Most GDPR emails are unnecessary or illegal

The majority of privacy policy emails sent by organisations in preparation for the EU General Data Protection Regulation (GDPR) were unnecessary, and some were even illegal, a number of data protection experts have said.

The problem is with organisations’ interpretation of the GDPR’s consent requirements. Many believe that organisations need to obtain everybody’s consent again or else delete them from their records. However, re-consenting isn’t necessary if organisations’ consent agreements were already in line with the GDPR’s new, strengthened rules.

Besides, consent might not even be the most appropriate legal ground for processing. Consent is unreliable, and the tougher requirements for obtaining and keeping it are intended to dissuade organisations from using it. It should only be sought if none of the five alternative lawful grounds – contractual obligations, legal obligations, vital interests, processing in the public interest and legitimate interest – are appropriate.

Breaking the law?

Toni Vitale, head of regulation, data and information at law firm Winckworth Sherwood, is one of many experts who says that the use of consent is not only unnecessary but potentially even illegal.

If the organisation really does lack the necessary consent to communicate with you, it probably lacks the consent to email to ask you to give it that consent, Vitale said.

He added: “In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email.”

GDPR training

The complexity of the GDPR means that there’s always a chance of misunderstandings such as this. However, the potential for fines, other disciplinary action and reputational damage means that organisation should be as careful as possible.

Fortunately, our Certified EU GDPR Foundation Training Course is there to show you everything you need to know about the Regulation. It’s delivered by an experienced data protection practitioner, who will explain:

  • The GDPR’s background and terminology;
  • The six data protection principles;
  • The role of data controllers and processors;
  • Data subjects’ rights;
  • How to secure personal data; and
  • How to report data breaches.

This one-day course is running in venues across Europe. It’s suitable for directors or managers who want to understand how the GDPR affects their organisation, employees who are responsible for GDPR compliance, and those with a basic knowledge of data protection who want to develop their career.

The course is available in EnglishFrenchGermanItalian and Spanish.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.