Commentary

Repermissioning Is The New Norm -- Top Lawyer Tells All On GDPR

There really is no getting away from it -- repermissioning those lists is something any email marketer will have to consider if they want to become, and remain, GDPR compliant. That's the advice from data protection expert Claire Stockill. As a solicitor at British legal firm Irwin Mitchell, she has studied the law and its accompanying draft guidelines, and will tell delegates at the Email Insider Summit Europe next week in Barcelona that the safest route is to repermission.

If that seems a little overly cautious, Stockill is keen to point out that repermissioning is set to become the new norm, so marketers should get accustomed to it.

"What a lot of people don't realise is that in the draft guidelines from the UK watchdog, the ICO, they suggest repermissioning every two years under GDPR," she says.

"There's always been an element to data protection that says you should only keep data for as long as you need and so a marketer can't really prove that someone still wants to receive their emails five years down the line, so the ICO is suggesting seeking permission again every two years is reasonable. It's only draft guidance, but it shows an intention to ensure permission isn't assumed to last for a long period."

This, Stockill believes, answers the question often posed about companies that already have good sign-up procedures. Under GDPR, consent has to be demonstrably shown by an affirmative action on behalf of the email address holder, which is also informed and freely given. In other words, you can't provide a form with a tick already in place and you can't expect people to opt out. The consumer has to choose to sign up and be informed of exactly what their data will be used for and you can't withhold anything, such as a special offer, from those who do not elect to join a list.

Although some companies may already avoid pre-selected tick boxes and may already be open and specific about the use of an email address, the truth is that whatever list they are using will have to be repermissioned every couple of years anyway -- the exact time frame will rely on what guidelines the ICO gives once its draft advice has been commented on by the industry.

Irwin Mitchell conducted research with YouGov to find out how prepared the UK's retailers were for GDPR, and the law firm was surprised at the results. Only just over one in four were aware of GDPR, while 70% were not aware of the huge fines it will bring in. A quarter of companies, when told that maximum fines would rise to 4% of global revenue or 20 million Euros -- whichever is the larger -- admitted that they would go out of business for a breach.

"The good news it that companies have still got nearly a year to prepare, but that does mean they need to get going because the clock is ticking," she says. "Companies have got to think very carefully about what data they store and how they store it as well as how they use it. It's best they talk to their lawyer because the fines are going to be so huge, it's going to be a very different regime to now where the ICO can only fine up to half a million pounds and has a reputation for working with companies to sort problems out, rather than resorting to fines."

A final word of warning backs up what many experts are saying. Although the UK government announced this week that it will be working on a new Data Protection Bill, of which we know very little, GDPR will be law no matter what happens next May in the UK and across the EU. The new bill will almost certainly embody the GDPR's rules, and so there is no point sticking one's head in the sand and hoping GDPR doesn't happen. It will -- and although it may eventually be given a different name, the regime of stronger opt-in and more regular list cleansing is here to stay.

More details and ticket availability news about the Email Insider Summit Europe in Barcelona, Spain, June 25th to 28th, are available here.
