We now know the full details of what the DMA and its members think of the ICO's guidelines -- and to be honest, they're asking for a lot of clarification, particularly around third-party permissions.
When all is said and done and you have read through the PDF outlining their concerns, one thought will remain with you. With all these complications and potential uncertainties, it will surely pay to redouble efforts to build up your own email list populated by people who have fully signed up for all the uses you intend to put each person's email address to.
To start, let's take a look at what the DMA has had to say. The main thrust is that consent around third-party use is far too confining. If you have to name everyone you might share someone's details with, it will either be a huge list or risk missing out on a lot of potential users. The list, by definition, will be fixed at the time of consent, and unable to adapt. No marketing company knows whom it may choose to share data with in the future, but they know in which areas sharing is likely to happen, the argument goes.
This issue potentially extends internally, of course. The DMA is asking the ICO for clarification if an organisation wants to hold data on someone for different divisions -- do these have to be specifically named at the point of consent being given? What does that mean, then, for charities like the RNLI, which repermissioned its lists last year, to be GDPR compliant? Does it need to go back and get specific, separate permissions for departments such as its shop and its charity fund-raising arm?
The DMA is also calling for direct marketing to be specifically named as a "legitimate interest" alternative to formal consent. This is a mechanism by which an organisation can hold data on someone without their consent but for a legitimate reason. This extends beyond the police or local authorities holding your address so you can be sent a parking fine or be informed of a nearby planning application to having a commercial interest in that person.
Getting direct marketing specifically listed as a legitimate interest would, of course, greatly ease the burden of gaining formal consent.
Which brings us back to the initial point. If GDPR and then the upcoming ePrivacy Directive mean one thing, it is that there is a lot of debate about what the impact will be unless -- and here's the key -- companies take the hard route on email lists.
The meaning of different terms and how they can be interpreted can be argued about endlessly, but if you want to avoid all this, an email list that relies on freely given, informed consent to all permitted uses of that email address is the way forward.
Cleaning up email lists will be a pain, and some may even give up and start from scratch. The question you have to ask yourself is, if this is a huge issue for your list, what do you think it is for people who supply third-party lists? If you can't be sure of the compliance of your own data, can you trust theirs?
Clearly there will be more reliance on an organisation's own list, and that means putting in the proverbial "hard yards" before next May. Another way of putting this is one of my favourite memes which, to paraphrase, asked people to consider "what if we were wrong on global warming and ended up creating a better world for no reason at all."
The same sentiment can be applied to GDPR. Even if you take a strict reading of the rules, the worst that can happen is that you end up speaking to a smaller, more focussed list of people who have actually made a deliberate decision to stay in contact with you.
The work will be hard, and sacrifices will have to be made, but the end result is not a legal necessity -- it's not a bad place to be.