Will the GDPR force you, too, to delete emails?
Andreja Gregorka / / GDPR
During this year’s vacation, I almost fell out with my friends over—funnily enough—the magnificence of the internet and personal data collection. Long story short, we couldn’t see eye to eye regarding its usefulness and advantages and could only agree on one thing: that accumulating a large quantity of data in one place can be unfavorable in terms of security and privacy. When I hinted at the potential “solution”—the GDPR—everyone gave me a strange look. They hadn’t even heard of it before, which also seems to be the case with many people who should have been working on this intensively for at least the past six months. As always, they wait until the last minute.
On May 25th, 2018, the EU General Data Protection Regulation (GDPR) enters into force, introducing stricter methods for collecting, storing, and processing personal data within the EU. The changes that will have practical implications include a broader definition of personal data, which now also includes IP addresses, and considerably stricter conditions for obtaining permission to process personal data. Clicking and accepting the terms no longer suffices. And neither does collecting personal data that are not required for providing a specific service. Even more importantly, this will apply to all personal data you’ve already obtained and those that you will obtain after May 25th. Worried yet?
Just over a month ago, the chief executive of the British pub chain Wetherspoons, John Hutson, ordered that their entire customer email database be deleted. It is not known exactly how many emails have been deleted, but when the firm was last fined for breaching the British Privacy and Electronic Communication Regulation (PECR), it was reported that they had over 650,000. Since then, they have reportedly only promoted their deals on social media.
The owner of 700 pubs may indeed be able to afford to delete half a million emails, but what about you?
Hutson made this decision after the British Information Commissioner’s Office (ICO) imposed a series of fines on several companies for sending marketing messages to people who hadn’t explicitly consented to receive emails. The airline Flybe was fined ₤70,000 after sending out more than three million emails under the title “Are your details correct?” Something similar happened to Honda and Morrisons. According to Hutson, on a risk basis it just wasn’t worth holding large amounts of customer data anymore, especially if they themselves weren’t clear on which customers had given consent to having their personal data processed and which hadn’t. He’s partly right.
The risk that Hutson mentions will be even greater after May 25th and the fines will be significantly higher, but that doesn’t mean that personal data collection and customer profiling will no longer be permitted. In reality, this is inevitable and brings many benefits to you and your customers. When a man comes into a shoe store he doesn’t want the salesperson to offer him stilettos, so why should it be any different online? If you’ve read mostly scholarly books in the past, you’d probably be surprised if Amazon were trying to sell you Fifty Shades of Grey. In the end, the goal of collecting data and profiling customers is to provide a personalized buying experience.
Your customer mailing list will be better segmented and you’ll be able to target your offers more precisely.
Moreover, it is only by collecting and analyzing customer data that you can:
The regulation is clear on this subject. When data processing is multi-purpose, an individual must agree with all the purposes in question. In addition, Article 171 of the GDPR Preamble stipulates that only if the initial consent was given in accordance with the GDPR are you not required to obtain a new one. If you’ve already been very consistent in obtaining data processing consent, you don’t have to worry. But if you haven’t been consistent (and probably most of you haven’t been), you still have time to undo the “damage” and appropriately prepare for the EU regulation.