
[News] Drowning under GDPR emails



thedonkeycentrehalf

Moved back to wear the gloves (again)
Jul 7, 2003
9,340
To @hitony's point, some companies have gone into complete panic about this and are trying to cover every possible eventuality, all of which will make the day to day work for a lot of people very difficult. Others have gone for a more pragmatic, risk based approach.

My own organisation started off with someone who was a pragmatist but that person moved on and the new person is now getting paranoid about the consequences.

To give a couple of example questions that have been raised: 1) If someone passes you a business card does that imply consent to add them as a contact? 2) If you speak to someone at a customer site and they pass you a colleague's details as the person to speak to, can you still do that as they haven't given their consent to be contacted?

I'm sure it will all settle down in the future but like many of these things, if you apply some common sense, you shouldn't go too far wrong.
 






timbha

Well-known member
Jul 5, 2003
10,504
Sussex
bonkers. that'll last a few weeks until an important email is binned by recipient as spam because they couldn't read it.

and will take us back to managers getting their secretaries to send their emails
 


Lush

Mods' Pet
Isn't there this thing called 'implied consent'? I.e. If Florrie wants her knob fixing and contacts the builders to arrange it, it implies that she's agreed to being contacted about it. However there is no implication that she's agreed to being sent your annual newsletter or to you passing her details on to a firm of estate agents.
 


beorhthelm

A. Virgo, Football Genius
Jul 21, 2003
36,014
Isn't there this thing called 'implied consent'? I.e. If Florrie wants her knob fixing and contacts the builders to arrange it, it implies that she's agreed to being contacted about it. However there is no implication that she's agreed to being sent your annual newsletter or to you passing her details on to a firm of estate agents.

think that's good example of the confusion. the headline requirement for explicit consent for marketing is being misunderstood as meaning explicit consent for any form of communication or data storage. if data is necessary for business, that you can collect and keep it just not share it, which you couldn't before anyway.
 




jasetheace

New member
Apr 13, 2011
712
Business as usual doesn't need to suffer and we will be taking "The Donkeys" risk based approach.

First and Foremost.

Get your privacy policy done and accessible.

Tell people where and how you get data and who you share it with and why (on publicly visible stuff, electronic or physical)

and then enshrine process and procedure that allows for the rights enshrined in the new legislation;

To be informed
To correct
To delete
To restrict
To Transfer
To object

You don't even have to always agree to do these as long as you provide an explanation when rejecting these requests.

Some furrowed brows on this thread. Perhaps understandably. We can blame "Big Data". But your next pint of Harvey's is around the corner..
 




Brovion

In my defence, I was left unsupervised.
NSC Patron
Jul 6, 2003
19,863
I have to abide by my company's "anal" rules as they pay my salary and you don't!! it really pisses me off when a reply like yours comes back as you don't work for my company, I gave all the details in a close manner but no....you know better!!!! .................whilst I appreciate you have an opinion on issues and facts and I think it's clear as glass that I DON'T AGREE WITH THIS CRAP!!! I have to abide by my company's rules.......Hopefully you see that? ......it is a large national company by the way.........I will not change their ways.......

I think when he said 'you' he meant 'your company', not 'you' personally. As you say you have to abide by your company's rules, but your company have either received poor advice or have misinterpreted the advice they've received.
 




Brovion

In my defence, I was left unsupervised.
NSC Patron
Jul 6, 2003
19,863
Isn't there this thing called 'implied consent'? I.e. If Florrie wants her knob fixing and contacts the builders to arrange it, it implies that she's agreed to being contacted about it. However there is no implication that she's agreed to being sent your annual newsletter or to you passing her details on to a firm of estate agents.

That's exactly how we've interpreted it. If a customer wants an order, we can email them, ring them, fax them, write to them, send carrier pigeons to them, etc etc about that order. What we can't do, without their explicit consent, is add them to a database and send them newsletters etc.
 


Westdene Seagull

aka Cap'n Carl Firecrotch
NSC Patron
Oct 27, 2003
21,526
The arse end of Hangleton
I don't disagree that gung ho third party marketing approaches triggered the review, but GDPR is much, much wider than this, including data security, accuracy, retention, etc, etc. The whole regime needed a big shake up because the big boys (and the little ones) got complacent and sloppy especially when the Info Comm had no teeth.

Indeed. One of the lesser known elements but interesting ones is that if you apply for credit, the lender uses a 'non-human' to determine if you get the credit and it's refused then you have the right to have a human re-assess the application.
 


Westdene Seagull

aka Cap'n Carl Firecrotch
NSC Patron
Oct 27, 2003
21,526
The arse end of Hangleton
think that's good example of the confusion. the headline requirement for explicit consent for marketing is being misunderstood as meaning explicit consent for any form of communication or data storage. if data is necessary for business, that you can collect and keep it just not share it, which you couldn't before anyway.

BUT you must say that you're doing so at the point of collection.
 




Audax

Boing boing boing...
Aug 3, 2015
3,263
Uckfield
Right, we had a meeting today, I am going to give a very simple but factual example of how it is supposedly (not) going to work for us.....I build new houses by the way...

Scenario......Mrs White rings into customer services, her kitchen door handle is sticking and won't function properly...........At this point we would issue the defect / snag to our Carpenter for that site, give him Mrs White's contact details (Phone / E mail address etc) he will contact her make an appointment and rectify the issue.....

What we were told today.........We (company) write (must be a letter as an e mail can be doctored etc) to Mrs White asking her if we can give our Carpenter her contact details, we also explain she MUST write back to us (stamped address envelope included in the out bound letter) giving us permission, a form is included as well...........we then forward the details to the carpenter who has to abide by her contact rules and hopefully arranges an appointment.

Now, Mrs White's door handle is really not a major issue, as I asked, what do we do when Mr Brown rings up saying he has water leaking through his ceiling very likely to do with a copper / plastic pipe issue.......... After they looked at each other.......I suggested that maybe we used "next day delivery mail" as by then hopefully only the downstairs will be ruined!!

It is all bollocks!!!!! as is the anal claim world we live in!!! CRAP!!

Someone at your company doesn't know what they're talking about when it comes to GDPR. It's a shame they appear to be in charge of getting the company ready for GDPR, as the approach you describe sounds more likely to get them *into* trouble than avoid it.


It’s ironic that from the numerous GDPR emails I’m receiving there are so many different approaches being taken - opt back in, do nothing, re state your preferences. I’ve even had one that says we’ll continue to contact you if you do nothing, implying a very light touch approach. It kinda defeats the point. They can’t all be right!

The reason for the variation in approaches is because of two things:

1. Companies taking different "risk" based views on what they need to do. Some are going for the "no risk" approach, others are taking a more "small risk is acceptable" approach, and yet others are heading to the casino hoping they can slip a few cards out of their sleeves without getting caught. Given the penalties that can be imposed have been ratcheted up significantly, and that those penalties are assessed against the *parent* company in cases where a subsidiary is in breach, there will be some companies out there that could be exposed to penalties that would immediately send them into administration if they get it wrong.

2. It also depends on how a company approached marketing opt in / opt out historically. Those who already had an explicit opt-in system only need to notify of an updated privacy policy. Those who used dark pattern "by ticking this box you agree that you don't agree to us not sending you marketing material from third parties" trick language (I have no idea what I'd be agreeing to with that, and I wrote it just now!) are now in a situation where they need to ask for explicit opt in. And there's a whole range in between as well.


I suspect hitony's company is the victim of some over cautious legal advice. I accept this does not help his situation but I doubt what the lawyers are suggesting is necessary.

It's all about taking 'reasonable' steps as far as I can see and if you need to forward Florrie Blennerhasset's details on to someone doing work on your behalf that's probably reasonable. What wouldn't be reasonable is if the company you forwarded it on to then used it to bombard the aforementioned Florrie with loads of junk email or whatever. But surely that is their responsibility, or one sorted out between hitony's company and the third party, not Florrie.

This. GDPR still makes a clear distinction between data gathering and processing for "provision of service" communications vs "marketing" communications. It also still allows for the transfer of data from one company to another where doing so is required in order to deliver a product/service that has been contracted. So Company A *can* pass data to Company B so that Company B can complete work on Company A's behalf, but Company A must ensure that Company B only uses the data for the purposes it was explicitly provided for, and then deleted once the work is completed. Company A just needs to have an appropriate Privacy Policy in place.


In which case you put in some tenancy agreement (or whatever) - that you have with Florrie - that she - by signing this agreement - agrees that her details can be passed on to sub contractors who need to look at her pipes (or whatever). Then you agree with the subcontractors that they must not use Florrie's details for any other purposes. You surely don't need to go through this rigmarole every time the good lady's pipes need examination.

Yeah, all Company A needs is a Privacy Policy that is clearly presented to all customers that includes a few lines that specify that Company A might share data collected with partner companies / subcontractors where necessary to deliver the product / service.


Got a marketing email from a company I have never heard from before. I emailed asking to be removed from their marketing list. The response was

“Thanks for your email.

I have forwarded your email to the XXX Plc company that we receive our mailing lists from. Unfortunately, it is not our database so we cannot unsubscribe you ourselves. I apologise in advance if we receive another list with your details in it, and inadvertently send you another event invitation.

Warm regards,...”

:nono:

Yeah, they'll be in big trouble (and very broke very rapidly) if they keep trying this after the 25th.


The main thrust of the legislation is targeting the slightly gung-ho way in which third party marketing has been handled over the past few years (which results in the vast majority of junk email and mail that people receive). This is when you sign up with a particular company and then opt-in to 'third party communications', which is essentially the company you've just registered with selling your details on to whoever they see fit. Under GDPR, that's going to be a lot more difficult to do and *should* stem the flow of nonsense received.

Essentially, it is about giving people more control over their data - who has it, what exactly they have, what they use it for.

Yeah. Where it comes to spam emails, the primary benefit of the new GDPR rules is that it will do away with the tricks a lot of companies were using so that they could send marketing comms. Things like dark pattern tick-box copy, hiding the tick box in the T&Cs, not even presenting a tick box and instead just stating that you agree to being marketed to if you sign up, etc etc.


To @hitony's point, some companies have gone into complete panic about this and are trying to cover every possible eventuality, all of which will make the day to day work for a lot of people very difficult. Others have gone for a more pragmatic, risk based approach.

My own organisation started off with someone who was a pragmatist but that person moved on and the new person is now getting paranoid about the consequences.

To give a couple of example questions that have been raised: 1) If someone passes you a business card does that imply consent to add them as a contact? 2) If you speak to someone at a customer site and they pass you a colleague's details as the person to speak to, can you still do that as they haven't given their consent to be contacted?

I'm sure it will all settle down in the future but like many of these things, if you apply some common sense, you shouldn't go too far wrong.

I know you're speaking hypotheticals, but for anyone reading who maybe doesn't know the answer: as long as you don't use the information received in the pursuit of marketing and only use it purely for the legitimate purposes for which it was obtained, then there's nothing to worry about.


Isn't there this thing called 'implied consent'? I.e. If Florrie wants her knob fixing and contacts the builders to arrange it, it implies that she's agreed to being contacted about it. However there is no implication that she's agreed to being sent your annual newsletter or to you passing her details on to a firm of estate agents.

think that's good example of the confusion. the headline requirement for explicit consent for marketing is being misunderstood as meaning explicit consent for any form of communication or data storage. if data is necessary for business, that you can collect and keep it just not share it, which you couldn't before anyway.

So ... there used to be a concept of "implied consent" for marketing that created loopholes that could be used to enable companies to send marketing when it probably wasn't actually consented to. Implied consent is what allowed some companies to avoid having opt-in tick boxes entirely ("By signing up you agree..."), and others to pre-tick the opt in boxes, and yet others to use weasel-words language designed to trick people into giving consent when they thought they weren't.

GDPR enforces explicit consent for marketing, and retains implied consent for any communications that are required in order to deliver the service / product. Obvious example being that you don't need to collect explicit consent to send someone an order confirmation and receipt via email if you're an online retailer as long as there is no marketing content included as well. You would need to have explicit consent if that order confirmation email included *any* marketing material in addition: so GDPR means the end of "you just bought this ... so we thought you might also like this, and this, and this..." loopholes.
 


Audax

Boing boing boing...
Aug 3, 2015
3,263
Uckfield
On a related note, but a little tangential to previous replies:

There's a lot of folks out there who are getting the new "Right to Erasure" (aka "Right to be Forgotten") wrong as well. Anyone who thinks this right means you can force a company to delete anything and everything that company has ever received from them is going to be very disappointed. Companies are allowed to refuse a RTBF request, or to only partially fulfill it, as long as they can put forward a reasonable "Continued Use Justification" for the data they want to retain. The CUJ's are pretty tightly defined, but it does mean (for example) that Bozza doesn't have to delete every single post Wozza has ever made on NSC if Wozza makes a RTBF request. He could instead offer to just anonymise the content by renaming the account "Person_Who_Shall_Not_Be_Named" and removing any personally identifiable information (eg email address) from their profile.
 


knocky1

Well-known member
Jan 20, 2010
13,108
On a related note, but a little tangential to previous replies:

There's a lot of folks out there who are getting the new "Right to Erasure" (aka "Right to be Forgotten") wrong as well. Anyone who thinks this right means you can force a company to delete anything and everything that company has ever received from them is going to be very disappointed. Companies are allowed to refuse a RTBF request, or to only partially fulfill it, as long as they can put forward a reasonable "Continued Use Justification" for the data they want to retain. The CUJ's are pretty tightly defined, but it does mean (for example) that Bozza doesn't have to delete every single post Wozza has ever made on NSC if Wozza makes a RTBF request. He could instead offer to just anonymise the content by renaming the account "Person_Who_Shall_Not_Be_Named" and removing any personally identifiable information (eg email address) from their profile.

Reminds me of when I went to an Irish friend's funeral a few years back. Met one of his brothers in the pub beforehand. When mentioning this individually to the other brothers later on, each said "the brother who shall not be named" and changed the subject.
 




Brovion

In my defence, I was left unsupervised.
NSC Patron
Jul 6, 2003
19,863
Someone at your company doesn't know what they're talking about when it comes to GDPR. It's a shame they appear to be in charge of getting the company ready for GDPR, as the approach you describe sounds more likely to get them *into* trouble than avoid it.

*Excellent advice then follows*

Thanks for taking the time to post all that, it does match how we've interpreted things. (And I think this is another example of NSC at its best! Good advice freely given)

If I can just take the piss a bit and ask for some more free advice: What about sales follow-ups? As stated we can no longer send by default the "Hey, you bought this, now how about one of these?" emails, but what about someone from the Sales team ringing a customer and saying "Hey, you bought a load of widgets from us six months ago. Do you need any more?"

Is the answer to that "No, not unless they've given their explicit consent."? And by extension does this outlaw cold calling?
 


Audax

Boing boing boing...
Aug 3, 2015
3,263
Uckfield
Thanks for taking the time to post all that, it does match how we've interpreted things. (And I think this is another example of NSC at its best! Good advice freely given)

If I can just take the piss a bit and ask for some more free advice: What about sales follow-ups? As stated we can no longer send by default the "Hey, you bought this, now how about one of these?" emails, but what about someone from the Sales team ringing a customer and saying "Hey, you bought a load of widgets from us six months ago. Do you need any more?"

Is the answer to that "No, not unless they've given their explicit consent."? And by extension does this outlaw cold calling?

Oof, now you're getting into areas I'm less certain of. Where I work that's not a scenario we need to consider.

In theory, I think GDPR just flat out kills cold calling of any sort given cold calls, by their very definition, don't have prior explicit consent. For the sales follow up, I suspect the answer is no, not allowed without explicit consent. But I can't be sure (see above disclaimer). Might be a bit of a grey area if the widgets concerned are ones where repeat purchase over time would be expected and the call can be (loosely) defined as a service delivery call related to the original purchase. The risk there being that even in that instance, the call is specifically designed to try to sell (more of) the widget and it's you contacting the customer rather than the customer contacting you - you'd need to be pretty confident that you can justify the call in relation to the original purchase. To be on the safe side, if I was the customer I'd want the company to have checked with me at the time of the original purchase - something along the lines of "You've bought X widgets, which should last you X months. Would you like a courtesy call in X-1 months to confirm if you'd like to purchase more?"

No, if the original purchase of the widgets was set up as a recurring subscription, and the courtesy call was made to confirm that the next purchase was needed or not, then that would be perfectly fine (as I understand things, anyway) as that is clearly service delivery rather than marketing.
 




Westdene Seagull

aka Cap'n Carl Firecrotch
NSC Patron
Oct 27, 2003
21,526
The arse end of Hangleton
excuse an old luddite but how do you do that?

Sorry - missed this. With email just keep it on your Exchange server or store it in your CRM. Most companies now record all phone calls and the recordings can be sent to a CRM system at the click of a button.
 




JamesAndTheGiantHead

Well-known member
Sep 2, 2011
6,349
Worthing
West Sussex County Council has basically gone back 20 years.

There were contractual agreements in place under the Data Protection Act which allowed us to share sensitive information between contracted service providers with the verbal consent of the individual, however the need for 'positive consent' means written, 'affirmative' consent, which means Mental Capacity Assessments need to be carried out in a lot of cases before you can even ask for someone to give permission for their information being shared.

So it's back to posting assessments and support plans out to people for them to pass onto services themselves, which is all well and good until you need to action something quickly.

Can see a lot of fines coming for local authorities.
 


Brovion

In my defence, I was left unsupervised.
NSC Patron
Jul 6, 2003
19,863
Oof, now you're getting into areas I'm less certain of. Where I work that's not a scenario we need to consider.

In theory, I think GDPR just flat out kills cold calling of any sort given cold calls, by their very definition, don't have prior explicit consent. For the sales follow up, I suspect the answer is no, not allowed without explicit consent. But I can't be sure (see above disclaimer). Might be a bit of a grey area if the widgets concerned are ones where repeat purchase over time would be expected and the call can be (loosely) defined as a service delivery call related to the original purchase. The risk there being that even in that instance, the call is specifically designed to try to sell (more of) the widget and it's you contacting the customer rather than the customer contacting you - you'd need to be pretty confident that you can justify the call in relation to the original purchase. To be on the safe side, if I was the customer I'd want the company to have checked with me at the time of the original purchase - something along the lines of "You've bought X widgets, which should last you X months. Would you like a courtesy call in X-1 months to confirm if you'd like to purchase more?"

No, if the original purchase of the widgets was set up as a recurring subscription, and the courtesy call was made to confirm that the next purchase was needed or not, then that would be perfectly fine (as I understand things, anyway) as that is clearly service delivery rather than marketing.

Thanks for your reply, I appreciate your time. Yeah, actually it's not my concern either, but I work for a company where the situations I described occur a lot. I'm not sure what they plan on doing, I might run it past the Sales Director next time I see her.

Thanks again.
 

