GDPR emails, were they necessary?

Companies may be unnecessarily decimating their database of customers, a leading expert in GDPR has warned.

We are all getting them: emails requesting consent to continue sending us emails. It feels like a contradiction. If you don’t have permission to email someone, that means you don’t have permission to email them asking for permission to email them, either. Marketers have to be more creative than that in securing consent.

If you do have permission, then you don’t need it twice.

Yet that is precisely what companies have been doing. And in the process, they are subjecting us to lots of emails, few of us either have the time or inclination to read them, so the sought after permission is not granted.

According to Nicola McKilligan-Regan, Senior Partner at the Privacy Partnership, as well as the founder and CEO of Smart Privacy, some companies “have taken bad advice.”

Ms McKilligan-Regan, who is also the author of ‘A Pocket Guide to the Data Protection Act,’ told GDPR Report that they have “decimated their databases by seeking new unnecessary opt-ins.”

Under GDPR, there are several legal bases for processing personal data. Consent is often cited as the gold standard, the ideal legal basis, but under GDPR no one legal basis is better than any other.

Consent carries a number of strict conditions: it must be proactive, freely given and specific. You may have consent to process data for a specific task, but if that task changes slightly, the consent may not be insufficient.

Another legal basis, legitimate interest, may be more appropriate. Recital 47 of GDPR states: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

But the legal basis can’t be a bit of both. It can’t be half consent, half legitimate interests. When companies email customers asking for ongoing permission to carry on emailing them, they do seem to be suggesting that legitimate interests are not sufficient in this case, otherwise why ask for permission in this way? If they don’t get a response, which given the number of such emails that are being sent out seems likely, then they do seem out of options.

To find out more about what marketers should be doing to comply with both GDPR and PECR, attend the next GDPR Summit London which aims to provide actionable, practical advice for organisations to continue their drive to achieve ongoing GDPR compliance and gain a strategic advantage over competitors.

By Michael Baxter, Editor, Fresh Business Thinking

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.

Latest articles

5G will advance all of society as we know it

How empathy, ahead of tech, will be the key driver of business recovery post-coronavirus

Automation: a faceless route to customer alienation or a productivity driver?

The importance of data collaboration for marketers

Post-lockdown – planning for your business’ road to recovery

The 4Ps plus purpose are the key to thriving in the 2020s

Join today’s data privacy and cyber security virtual event

Behavioural change, nudge theory and ultimate benefit – why isn’t the trial COVID tracking app harnessing the best in tech?

Turning Global Data Protection Into Global Opportunity

Weathering the storm: How cloud technology can help marketers to succeed remotely

Data Legislation Education: Businesses Must Boost Knowledge

Are you a digital polluter? Why advertisers must now end online waste in order to survive

Three key questions businesses should ask themselves before investing in AI tech

Hidden stakeholders: Why CISOs hold the key to successful digital transformation

The IAB Europe Guide to Cookies: Privacy Promises Should Do More Than Crumble

GDPR emails, were they necessary?

By Michael Baxter

Posted in GDPR on 31 May 2018, 09:00, 0 Comments.