If you hadn’t heard of the GDPR before the last month or so, you have now. You have all received at least one, and more likely dozens, of emails from organisations with whom you have had some contact in the past, most of whom you have probably forgotten about. For example, I hadn’t used my Garmin account for over a decade but still received an email asking if I wanted to ‘opt in’ to continue receiving its “many benefits”.
I wouldn’t mind so much, but every last one of these ‘calls for action’ is utterly, inexcusably, and embarrassingly wrong! Literally, not one that I have received has followed what amount to clear instructions from the many qualified sources available (i.e. the ICO for the UK, the Art. 29 WP for everyone else, numerous law firms etc.) on what to do.
Therefore both of the following are true:
- The organisations looking for GDPR guidance had no idea what they were asking for from their ‘expert’ help, or whom to ask; and
- The providers of the guidance had no clue what they were doing.
I can also assume that no one in the respective organisations had actually read the GDPR, and the providers of guidance clearly learned just enough to fool all those who have remained clueless. Frankly these people deserve each other.
Here are some of my favourite vendor emails [paraphrased]:
- “If you don’t respond to this email we will assume you want to keep receiving emails from us.”;
- “Unless you read and sign our new terms and conditions we will cease all communication.”;
- “Our database of customers’ email addresses, including yours, will be deleted.”;
- “If you don’t opt in to receive emails relevant to the services we provide you, we’ll stop sending them.”;
- “Our website is not available to any European member state…”.
As I’ve said a thousand times, I am NOT a data protection expert, but even a single reading of the GDPR gave me enough background to know that these ridiculous actions are NOT what the GDPR is all about. GDPR is NOT about getting in the way of doing business. And these are not small companies doing this, these are household names!
For the examples above:
- You cannot use implied consent under GDPR; this is one of the most basic tenets of not only the GDPR (Recital 32), but the upcoming ePrivacy Regulation (Para. 24). Maybe ‘soft opt in’ could apply in some cases, but not in these;
- Why would you use consent as the lawful basis for processing for the accounts you already have? What’s wrong with legitimate interest (for example)? As long as you didn’t collect this information in some nefarious fashion, and you can provide appropriate ‘modalities’ for the application of all data subject rights going forward (access, rectification, erasure etc.), consent should be your last resort;
- If your user database is so pointless that deleting it has no impact on your business, what the Hell were you doing with it in the first place? The sheer stupidity involved in this decision is truly astounding (yes, I’m looking at you Wetherspoons);
- This was from one of my own service providers. They actually said they would stop sending me emails relevant to services I was PAYING them for if I didn’t follow a link to opt in. To make things worse, they bundled this consent with receiving marketing emails;
- Seriously? You are actually going to miss out on the entire EU market because of GDPR? You make Wetherspoons look like geniuses.
I mean really, just who the $£@% are these people listening to!?
I have been criticised for my far from positive stance on the GDPR Practitioner ‘certification’, but my issue is not with the course, or even the certification itself, it’s with the people using it to give guidance that they are in no way qualified to provide. While I have no idea who was involved in making the above decisions for those unfortunate businesses, I can tell you they were incompetent.
However, in every one of these cases, the organisations making such awful decisions brought it on themselves.
- First they have obviously ignored GDPR until the last minute or they would have sent these emails out 2 YEARS ago when the GDPR passed into law;
- Second, if someone in the organisation had actually read the GDPR (and yes, perhaps even taken a course or two), they would have been able to either avoid these egregious mistakes, or ask the right questions of the ‘experts’ they intended to hire;
- Third, if their data had been appropriately mapped to their business processes, the resulting lawful bases for processing would have made the next steps clear. This would include the subsequent approach to their data subjects.
Obviously there may be extenuating circumstances of which I am not aware, but I strongly suspect this is the work of either unqualified internal resources, self-proclaimed external experts, or a combination of both. And honestly, I can empathise: the real experts are not only expensive, they are few and far between. But are they really more expensive than having to redo your customer notifications because you got them wrong, or losing your entire marketing database?
However, despite these teething problems, we are already starting to see some benefits from GDPR, the whole reason it’s here in the first place:
- Organisations that had databases full of personal data, but clearly could not adequately monetise them, are actually getting rid of them (Wetherspoons);
- Organisations that are incredibly irritating and invasive are being stopped (Keurboom);
- Organisations that know full well their services would never survive transparency and consent can’t do business here (Unroll.me).
Unfortunately, organisations who are perfectly justified in doing what they are doing are lumping themselves into these categories. If they had just slowed down, they could probably have saved themselves a lot of pain.
And if that takes longer than May 25th, so be it, it’s not a bloody deadline!