
GDPR and the Mailing List

Introduction

Tue Apr 3 06:30:20 2018

The General Data Protection Regulation (GDPR) is enforceable from 25th May 2018. The law was passed into effect in 2016 and was then moved to a waiting phase to allow businesses and organisations to adapt. I will be discussing some of the aspects of the GDPR as I help the businesses and organisations I am involved with change to reflect the new legislation.

In this article I am going to be discussing my take on owning a mailing list and complying with the GDPR.

A Land of Confusion

There is a lot of confusion over the usage of mailing lists and the GDPR, particularly as most of the advice seems to stem from the notion that you will have to 're-subscribe' everyone or seek new levels of consent. The truth, of course, is not so clearly defined.

There are a few things that you will have to do to continue your list, and also a few things you have to consider as to whether you need to seek consent again. I am going to list the most common practices for getting people on a mailing list, some of the usual ways we use the lists, and the general advice regarding what you should do.

An important early distinction is that email mailing lists used solely for marketing, or whose primary purpose is marketing, are more strictly regulated than those that are more information based. So a mailing list for a club, society or sports organisation that contains no direct marketing beyond stating the activities of the club is likely to be considered as legitimate interest and expected. This is the same for mailing lists that are actually discussion boards that have no marketing or company focus. However, the following advice might still apply to this type of list.

In the following sections I am going to list some of the more common questions and what action you should consider taking if they apply to you.

  1. The email address and name you store are not personally identifiable information but a general business address. You will not need consent (though this varies for sole traders, and be careful with businesses that use firstname.lastname@businessname as their email, as this is likely to be considered personally identifiable).
  2. Consent for the mailing list was because they used your services. Yes, you will need to ask their permission to continue using the email address beyond using the data for immediate fulfillment of a service or legitimate reasons such as financial records.
  3. Consent was via a pre-ticked opt-in box. Yes, you will need to re-ask for their consent; pre-ticked boxes are not acceptable.
  4. Consent was via an opt-in box they had to tick. You should not need to re-ask consent as long as the opt-in was clearly defined and not part of any other service.
  5. They signed up to the mailing list on your site. You should not need to re-ask consent.

Purpose

  1. You stated clearly what the mailing list is used for and have that information available in an easy to understand form. You need not seek consent.
  2. You have never said how the mailing list will be used. You should seek consent and clearly state how the list is used.
  3. You have never provided an easy way to unsubscribe. You should seek consent.
  4. You have never provided a way to change details or delete. You should rectify this and provide information on how a person can do this and who they should contact. You shouldn't need consent.
  5. You have changed the original purpose of the mailing list. You will need to re-ask for consent.
  6. The list is used for more than one purpose. You must state what the list is used for and how the data is used, and provide a method to opt out of any processing or transfer of data. You should seek consent for each individual purpose.
  7. You change the purpose of the list, or add a new process, after gaining consent. You must re-ask for consent for the new process or purpose and update the details.

Conclusions

For many mailing lists of small businesses, clubs and societies that followed the previous advice of the existing Data Protection Act, where consent was via an opt-in process or sign-up that was not pre-selected, there should be no change and no need to re-ask for permission.

The usage hasn't changed; the consent was by the data subject's actions; the consent remains valid. If, however, you have changed any purpose, use the list for more than one process, or used any form of automatically adding people until they request to leave, you will have to ask for their consent for each action individually.

A basic rule of thumb for me would be:

  • If they were added automatically, or by a pre-selected means, then you will need to ask consent.
  • You will always need to list what the list is for, how to access, change, delete, be forgotten or move their details.
  • You should always supply a method for them to unsubscribe in every email.
  • Consent should be granular, listed individually, for each purpose you use the mailing list for.
  • Keep a record of who signed up and the method they used. If you can, keep a record of any changes so that you can inform people and, if necessary, re-ask for consent. This is especially true if you sell or provide the list to a new processor or third party, or move it across an international border.

Advice

Make sure that whichever list service you are using, assuming it isn't self-hosted, is compliant with the GDPR. You need to ensure that they: have a good level of security; do not conduct processes that you or your list recipients are unaware of; do not profile the data without a clear process and consent; do not transfer data to a 3rd party, across international borders or outside their organisation without clearly stating this; and have a contract with you that details their actions.

Most of the larger mailing list providers will have already done this and you will be able to find the information with a quick search of their website. Use a search engine and list the service name with +GDPR as the search term.

Whether you need to ask for consent or not, the new rules give the data subject, your mailing list recipients, a greater range of rights. I would advise that you consider adding a section to the bottom of each mail-out. This will not just be the 'tiny-text unsubscribe link' but a bold statement of their rights. Consider having:

  • The Mailing list archive.
  • The link to your web page detailing how they can contact you and their rights.
  • The link to your privacy documents.
  • The consent they have given and what it refers to.
  • The exact purpose of your mailing list.
  • Details of where their data is stored, who processes the list, who has access to the list and their right to object or lodge a complaint.

Your mailing list may even allow you to have automatic opt-in boxes so that as you extend your functionality and offer more services you can work with your mailing list recipients to engage them and keep their rights protected and at the forefront of your concerns. This is a much better relationship in my opinion and one that may gain you a greater following.

Further Reading

In all cases it is wise to consult the regulations directly when determining your level of responsibility to make yourself compliant. Further reading for this piece can be found in:

Articles: 21

Recitals: 38, 47, 69, 70

ICO
