It turns out most of those annoying GDPR emails are totally pointless - here's why
And privacy experts say some of them could even be illegal
Dealing with endless, mind-numbing emails is always one of the worst parts of my day. And the latest scourge plaguing my already-grim inbox – and everyone else’s – are the dreaded GDPR notifications.
For weeks now, we’ve been inundated with emails telling us about changes to privacy laws and informing us what to do next. For some people the onslaught has just been too much…
Essentially, GDPR (the General Data Protection Regulation) is a new EU data protection law that’s coming into force on 25 May. It’s all about boosting data protection and it serves as an update to the Data Protection Act of 1998. If an organisation processes any of your personal data, it must comply with GDPR. Hence all the emails.
The UK is still bound to comply with the new EU rule as it’s coming into force before our exit from the EU, so regardless of Brexit negotiations, there will be a period of time where GDPR will apply here.
But, according to some experts, almost all those emails you’ve been receiving could be totally pointless.
Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood, told The Guardian: “Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR.”
In other words, if the business had permission to communicate with you before GDPR came in, that consent more than likely carries over. And if the business didn’t have the proper permission before GDPR, then it probably shouldn’t be emailing you anyway.
“In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email,” Vitale added.
Steve Wood, the UK’s Deputy Information Commissioner, has also weighed in to confirm that many of the emails might not actually be necessary.
“We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them,” he said in a blog post for businesses and organisations.
“So think about whether you actually need to refresh consent before you send that email, and don’t forget to put in place mechanisms for people to withdraw their consent easily.”
He also added that emails might not be the best way to speak to people about GDPR.
“Before sending emails consider what the most effective way is to reach your customer – it may not be email. Consider a data protection by design approach – where can this information be embedded to have the best impact.”
If there’s anything that can be done to cut back on the tidal wave of emails I get every day then I am fully on board.