GDPR Consent

By Ross McKillop

Unless you’ve been hiding under a rock for the last year or so, and especially the last few months, it’s been hard to miss GDPR and I’m sure, like us, you’ve been inundated with messages asking you to “reconsent” to receive eMail.

We’ve not sent one, and we won’t be sending you one – if we were to send you a mail it’d probably look something like this. Jon Baines puts it better than I could.

This is heavily inspired by (ok, cut and pasted with his permission) what he described as The “GDPR consent” eMail I’d like to receive;

Dear Customer,

You know us. We’re Simwood. Either you are a customer of ours, and we provide you with services, or you have previously asked to be kept informed about our services or other fun stuff we are working on.

You may remember at the time you joined us, we explained we were going to send occasional marketing emails to you about similar products and services, but you chose to receive these and could opt out then, and at any subsequent point.

We know that since 2003 (with the Privacy and Electronic Communications Regulations) (PECR) it’s been unlawful to send unsolicited marketing emails except in circumstances like those above.

We’re contacting you now because we’ve noticed a lot of competitors (and other firms) who are either utterly confused or utterly misrepresenting a new law (separate to PECR) called the General Data Protection Regulation (GDPR). They’re claiming it means they have to contact you to reconfirm your consent to receive marketing emails.

GDPR actually says nothing of the sort. It does explain what “consent” means in data protection terms in a slightly more strict way, but for companies like us, who’ve respected our customers and prospective customers all along, it makes no difference.

In fact, the emails you’re getting from those companies, asking you to “reconsent”, are probably actually direct marketing emails themselves. And if the companies don’t already have your consent to send them they may well be breaking the law in sending them. If you think we’re exaggerating, look at the fine the Information Commissioner’s Office (ICO) levied on Honda last year.

In fact, you’d do well to look at the ICO’s website – it’s got some good stuff on this, both for customers like you, and for companies who are confused by this.

It all really boils down to treating customers well, and not assuming you can send direct electronic marketing without actually looking at what the law says.

So yes, this is a marketing email, and yes, it is lawful, and yes, it is more than a little pompous.

We respect our customers, prospective customers, and anyone else that has contacted us. We do not sell (or even give away) your data to third parties, nor do we send unsolicited eMail.

With this in mind, however, I did want to clarify what we send and when.

The Newsletter

Most customers (and quite a few non-customers, and even competitors) subscribe to our Newsletter and, judging by the very small number of unsubscribe requests we receive, most of you enjoy it or find it useful.

We use the newsletter to announce some changes too, like new features, rates etc, but you can also keep up to date with these changes via the blog. Obviously, you can leave the newsletter at any time, there’s a link to unsubscribe in every mail.

Status Notifications

These are managed by our status page. They are sent only to people who have subscribed to them, and contain no marketing material. We strongly recommend customers subscribe to status page notifications but, again, you can unsubscribe from these at any time.

Alerts

These are entirely self-managed via the Portal or API and are automatically generated by certain events (such as calls being blocked due to a fraud prevention measure, or low balance notification)

Critical Notifications

This is one of the few categories of eMail you cannot unsubscribe from. They are not in any way marketing, but are used when we need to notify customers of service affecting changes. We have sent three of these eMails in the last year relating to the introduction of the new stack, and additional IP addresses.

Invoices and Account Information

We have to send you invoices, indeed we have a legal requirement to do so. These are sent by eMail and, again, you can’t unsubscribe from them for obvious reasons.

GDPR and “Consent”

There is a widespread misconception about GDPR that the only basis for processing personal data, and therefore contacting people, is by consent.

As Neil Brown of decoded:Legal was kind enough to explain at SimCon1 there are many circumstances in which data can be processed.

Consent is one of them; However the fact is, for us and most of our customers, most of the data processing we do is not on the basis of consent but that such processing is “necessary for the performance of a contract”, “necessary for compliance with legal obligations”, and other legitimate interests.

Hopefully, this explains why you won’t be receiving an eMail from us asking you to re-consent to receiving eMail from us.

If you have any concerns about how your, or your customers’, data is used by Simwood – please just ask. We’ll be producing formal documentation soon for customers that require it, but in the interim, please don’t hesitate to contact our Operations Desk at any time.

And, in the words of Douglas Adams, which seem equally applicable at this time of chaos and confusion around GDPR;

DONT PANIC