Here’s the big problem with all those GDPR emails you’ve been getting

The Federation of Small Businesses said many firms are unprepared for the introduction of new EU regulations.

Everyone with an email account has been under attack by begging emails this week about the new EU privacy law GDPR – which comes into force on May 25.

It’s a little ironic, given that the new General Data Protection Regulation is built to protect privacy – and its first effect is a huge, unstoppable wave of spam.

There are also serious problems with a lot of the emails that have been sent out, and you should think carefully before consenting, says Mike Hughes, Board Director of IT governance association ISACA.

Many of the emails you got are completely unnecessary – and others are a little dodgy.

Hughes says, ‘Many firms are getting it wrong, some are requesting consent where they don’t need to. Some are asking for the data subject to ‘opt out’ and not for positive consent.’

One of the key features of the GDPR is that it requires consent from users, which is why Facebook and other social media sites have asked users to agree to their terms of service again, and why email subscriber lists are begging users to consent.

Fines for non-compliance with GDPR are eye-wateringly high: up to 20 million Euros or 4% of an enterprise’s global turnover.

Many firms are panicking.

Others appear to be a little dishonest, says Hughes.

Hughes says that some firms may be deliberately chancing it: ‘Some companies are even sending requests to “our valued customer” asking for consent to continue sending marketing emails, when there has been no previous business to consumer relationship or a single transaction happened so far in the past that there is clearly no on-going relationship.’

Why are some firms stopping operations in the EU?

Instapaper suspends operations (Getty)

Companies such as Instapaper – a ‘read it later’ service owned by Pinterest – have suspended operations in the EU in advance of the new law.

Multiple American newspapers such as USA Today, New York Daily News, LA Times and Chicago Tribune are also ‘temporarily unavailable’.

Other firms such as email unsubscription service Unroll.me have suspended operations in the EU, as has mouse company Razer.

But Dan Tozer of law firm Harbottle and Lewis says the current trickle of firms suspending operations is unlikely to become a flood.

Tozer says that most companies who are taking reasonable steps to follow data protection rules should find it easy to comply with GDPR.

Tozer says, ‘Businesses in a good position of compliance with existing data protection laws should be able to make the step up to GDPR compliance.’

Why are some firms getting these emails wrong?

Many firms appear not to have fully understood the law, or are not thinking about how they use emails, says Dan Tozer of law firm Harbottle and Lewis.

Tozer says, ‘It is important that businesses inform people what they’re doing with their personal information; this is the main reason for the barrage of emails which we’re all receiving.

‘We have seen many such emails that indicate that the relevant business has not really thought properly about what it needs to tell people, and whether it needs the recipient of the email to do anything.’

Do firms really need to send these emails?

In many cases, the answer is ‘no’, says Daniel Tozer of Harbottle and Lewis – and a lot of companies are actually covered by existing legislation.

Most brands already know to ask customers if they want to opt in to marketing messages – which means they’re already following the Directive on Privacy and Electronic Communications regulations (PECR).

Tozer says, ‘Many of the emails seem to assume that businesses need the consent of the user for any use of their personal information. “Consent” is certainly an option for most uses, but there are other options available and some businesses are not considering this properly.’

Steve Wood, the deputy information commissioner, wrote in a blog post this month, ‘Some of the myths we’ve heard are, “GDPR means I won’t be able to send my newsletter out anymore”,’ or ‘“GDPR says I’ll need to get fresh consent for everything I do.”’

‘I can say categorically that these are wrong … You do not need to automatically refresh all existing consents in preparation for the new law.’

Will GDPR actually stop firms spamming me?

It’s unlikely to do it immediately, with analysts Gartner predicting that more than 50% of companies won’t be fully prepared for GDPR until the end of 2018 – seven months too late.

In the UK, GDPR will be administered by the Information Commissioner’s Office, which says big fines will be reserved for serious cases.

But if you want to get taken off email lists, GDPR should make it easier.

GDPR means that you have a right to be forgotten – so when a company no longer needs your data for the purpose it was collected for, it has to be deleted.

If you withdraw your consent, it also has to be deleted.