There is a competition emerging amongst the more writerly of writers to produce the most postmodern, ironic email which seemingly avoids directly begging for consent to bulk email you once the GDPR is in force, from 25th May.
The GDPR has kept me busy for a good few months.
I wrote a guide on it late last year which Nucleus edited, published and made available for free here. I’ve added a few articles on it on their Illuminate site covering topics I thought nobody had dealt with on the GDPR such as managing GPPs and buying client banks. I recently did a 45-minute webinar for BrightTALK on it which you can watch here.
Data protection consultants have had a field day with the GDPR but very few, if any, seem to understand the specifics around how the rules apply, and in many cases don’t apply, to financial services firms and especially to advisers. Lawyers have directly contradicted one another when advising firms on the correct lawful basis to use and acceptable retention periods. As a result there is very little consistency on what should be a fairly standard industry approach. The will (i.e. money) has been there but there are too many loopholes for anyone to take much comfort on these two points, and whilst I don’t think the ICO will be looking to penalise anyone who at least tried to reach a conclusion, I do think we will see some changes as more clarification emerges.
Aside from using the correct lawful basis and retention policies, the other area where I see mistakes regularly made is email marketing. A good number of the email consent requests issued aren’t required, and others probably are but won’t be issued. A number of firms and individuals are ignoring the future ePrivacy Regulations (currently the Privacy and Electronic Communications Regulations) which will also have a significant impact. These are more relevant and important than the GDPR for electronic marketing, such as email, and in some ways set a higher standard. They don’t allow for ‘legitimate business interests’ to be used as a reason for emailing, for example, but they do allow you to email without consent in some limited circumstances.
There are also some notable companies who have consciously remained silent about what they do with your data because their business models depend on selling it on. You would not give your consent if you knew.
That said, the ICO’s guidance is on the whole a lesson in clarity which others could learn from.
I’m trying to edit an article about all this right now. It’s all tedious detail but the postmodern irony in some consent emails is often covering up a lack of understanding and certainty, which I’m sure will throw up some surprises over the forthcoming months.