Companies are making mistakes in their GDPR ‘opt-in’ emails, effectively breaching data protection rules.
What does a man getting hit by an ambulance, a fire station burning down and most of the GDPR consent and compliance emails that have been sent out in recent weeks have in common?
Well, as well as all being unfortunate, they are all great examples of irony. That is my slightly roundabout way of saying that most of the GDPR emails that have been sent out by companies – both large and small – plainly breach GDPR.
This isn’t nit-picking about unsubscribe buttons being in the wrong place or poorly worded subject lines – a substantial number of GDPR compliance campaigns are intrinsically flawed, to the point that they are not worth the paper (or email) they are written on.
Recently, I’ve received emails that bundle consent to receive marketing emails with other offers, some that demand my compliance lest I see a reduction in service, others that ask for blanket approval, and some that even prepopulate consent.
If you were being cynical, you would say that these companies are seeing how far they can bend the rules ahead of the GDPR compliance deadline on May 25th. Indeed, from the less than clear language that is used in a lot of these messages, it’s fairly apparent that a number of companies are, at the very least, not adhering to the spirit of GDPR.
However, my view is rather more straightforward – they still don’t understand GDPR. Despite the reams of material online, armies of paid-up consultants touting their wares, and the tsunami of publicity on data privacy following the Facebook data scandal, businesses have still not got their heads around the sheer scope of GDPR.
In some ways this is understandable. If you cast your mind back a few years to the ‘Cookie Directive’, there was a lot of hand wringing before it came into force. As it transpired, complying with the directive consisted of a website pop-up for users to click ‘yes’ to.
My suspicion is that many business owners and senior managers are underestimating GDPR due to this experience. They seek to pay lip service to the legislation without truly understanding what it actually says or are in denial that the ICO will actually do anything to enforce it.
The reality is that getting your customer base to legally consent to receiving marketing messages in a post-GDPR world is critical and can’t be treated like any other communication campaign.
Making sure you’re compliant
The starting point is that, to be compliant, companies must gain affirmative consent which is ‘freely given, specific, informed and unambiguous’. ‘Silence, pre-ticked boxes or inactivity should not constitute consent’, and, finally, consent is suspect where ‘the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.’
That last bit is a little complicated, but it basically means you must keep consent requests separate from other terms and conditions or services. Put simply, the EU Commission is wise to all the tricks companies could use to game this process – something many companies, or the clever people these companies are consulting, have not yet realised.
All in all, the ICO has written a 32-page guide on consent. It covers issues such as the requirement for emails to carry a clear and easy unsubscribe button, the removal of any unnecessary hurdles to revoking consent (such as having to log in), and guidance on how you should include a link to your updated privacy terms and conditions. The thoroughness of the guidance basically acts as a template for how these consent campaigns should operate.
Beyond the actual sending of the email campaign, companies also need to ensure that their back-end data management system is in order, because a clear record of consent needs to be stored. In some cases, a business will send out several types of marketing email, and the customer needs to provide consent for each flavour of marketing campaign separately.
Therefore, your system needs to be intelligent enough to track what each individual has and hasn’t consented to receiving, and your marketing team needs to be data literate enough to be doubly sure that a person doesn’t receive a campaign they haven’t explicitly opted into.
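As an added example (not the author’s or PORT.im’s code), here is a minimal consent ledger in Python that stores one record per marketing purpose, refuses to treat a pre-ticked or silent ‘consent’ as a grant, honours later withdrawals, and filters a campaign’s recipient list by that exact purpose. The purposes, addresses and evidence strings are constructed for illustration.

```python
"""Added example: a per-purpose consent ledger for marketing email.

Each marketing 'flavour' (purpose) has its own consent trail per person, and a
campaign only goes to people whose most recent event for that exact purpose is
an affirmative grant. All purposes, addresses and evidence text are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentEvent:
    purpose: str        # e.g. "newsletter" or "partner_offers": one per campaign type
    granted: bool       # True = opt-in, False = withdrawal
    affirmative: bool   # True only if the person actively ticked a box or clicked
    at: datetime        # when it happened, kept for the audit record
    evidence: str       # what the person was shown and how consent was captured


@dataclass
class ConsentLedger:
    events: Dict[str, List[ConsentEvent]] = field(default_factory=dict)

    def record(self, email: str, purpose: str, granted: bool, affirmative: bool,
               evidence: str, at: Optional[datetime] = None) -> None:
        """Append a consent event. Pre-ticked boxes, silence or inactivity are
        not consent, so a grant that was not affirmative is refused outright."""
        if granted and not affirmative:
            raise ValueError(f"{email}: grant for {purpose!r} was not affirmative")
        event = ConsentEvent(purpose, granted, affirmative,
                             at or datetime.now(timezone.utc), evidence)
        self.events.setdefault(email.strip().lower(), []).append(event)

    def has_consent(self, email: str, purpose: str) -> bool:
        """Most recent event for this exact purpose decides; consent for one
        purpose never carries over to another, and no record means no consent."""
        trail = [e for e in self.events.get(email.strip().lower(), [])
                 if e.purpose == purpose]
        return bool(trail) and trail[-1].granted

    def recipients(self, purpose: str, candidates: List[str]) -> List[str]:
        """Filter a campaign's candidate list down to people with current consent."""
        return [c for c in candidates if self.has_consent(c, purpose)]
```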
I would hazard, given that most companies can’t even get the content of their GDPR emails compliant, that they have given little thought to ensuring their data management procedures and infrastructure are fit for purpose.
Naturally, if you’re a business owner there’s a temptation to either do the bare minimum and see how GDPR plays out or do whatever it takes to gain consent to maintain your customer marketing database.
Both tactics are incredibly short-sighted. Ask yourself: why wouldn’t you want your customers to know that you adhere to the highest data privacy standards? Similarly, what is the point of tricking customers into continuing to receive marketing messages from you?
Viewing GDPR as an inconvenience is to completely miss its point. By empowering your customers and giving them control over what they receive from your company, you can build trust. This is a much more powerful commodity than simply retaining data in a database.
A poorly executed GDPR compliance campaign is, at best, a waste of time and money as it’ll be found to be in breach and you’ll have to run it again, and, at worst, a mechanism for completely undermining consumer confidence in your brand.
Julian Saunders is CEO and founder of personal data governance company PORT.im.