Thursday 17 January 2019

Goodbye, infernal GDPR emails

Adrian Weckler

I bring good tidings - there is light at the end of the tunnel. I'm talking about those incessant emails asking you to "keep in touch" or warning you that "action is required" if you want to "keep hearing" from them.

With the GDPR hammer having fallen last Friday, your inbox should see such emails all but disappear this week.

The bad news is that GDPR may turn out to be quite messy for a lot of us yet.

Some of the services we use every day are already struggling with it.

This includes even the biggest companies. Facebook, for example, is being sued across Europe for telling users to agree to its new terms or be kicked off the platform. Many data protection experts in Ireland and abroad agree that Facebook can't do this.

(It will ultimately wend its way to Ireland, where Facebook's "primary" regulator, the Irish Data Protection Commissioner (Helen Dixon), is based.)

Facebook isn't alone. Twitter held a metaphorical gun to its users' heads on Friday, telling them to tap the "agree and continue" button or be kicked out.

The strategy of these big companies may be to launch aggressively from the off, calculating that an arrangement with regulators can always be arrived at later on. The main thing, for their business model, is to keep those users.

But it's not just the big guns which have GDPR issues. Small Irish firms are still a bit at sea on it, too.

Ordinary IT providers that typically deal with small businesses here say that there is still a massive gulf in basic comprehension as to what the GDPR is and what it means for them.

"Many companies I talk to still have little clue about what's going on," said Jason Dowling, chief executive of the compliance firm Redflare, a company that works with a lot of small, traditional companies, at INM's recent Datasec conference. "They have a dozen other things on their plate."

I've experienced some of this confusion first hand. Preparing for a podcast we put out on Friday, I put a call out on social media and among some small business organisations for questions around the GDPR.

The calibre of the questions that came back suggested that confusion still reigns.

Here's a sample of some of the questions we got.

- "Someone gave me their business card last year at a networking event. Am I still allowed to email them?"

- "Am I allowed contact people I've researched on LinkedIn?"

- "Do I have to email all my customers to ask them for permission to keep their addresses on file?"

One of the issues here appears to be extreme nervousness around strict liability. This may be because of the way GDPR has been covered by us in the media. Much of the coverage - and I hold my own hand up here - has hinted that there has to be a complete turnaround in everyone's data practices; that whatever you've been doing up to now is old hat and undoubtedly falls foul of the new order.

An ordinary punter or small business owner who only occasionally dips into the news would be forgiven for thinking that we've entered into a new era of strict liability with drastic consequences for those who dot an 'i' or cross a 't' wrong.

As many data protection experts, from Castlebridge founder Daragh O'Brien to Data Protection Commissioner Helen Dixon, have pointed out in recent weeks, the regulation isn't quite as anal as that.

When you sit down to read it, a huge amount of the GDPR is actually based around being decent and showing some common sense.

So if someone gave you a business card before Christmas, it was probably on the understanding that you might call or email that person in a broad business context. Common sense, right?

Similarly, if someone's LinkedIn page says they're "open to exploring opportunities", it's completely fair to assume you can drop them a line about something, even if you haven't contacted or met them before.

Also, consent is only one basis for legitimately holding someone's personal data. You may have a contractual relationship with them, for example.

And there are swathes of communication activities where the GDPR has very limited effect. So if you are involved in a sports club and want to contact members about a club raffle, that's generally fine. Because it's part of what a club member might normally expect the club to do.

In truth, the GDPR only really gets heavy for organisations that rely a lot on using (or 'processing') your personal data as a basic part of their business model.

Ironically, this applies to a sector that usually takes a very high-handed approach to tech companies misusing personal data - newspaper groups.

For example, some of the biggest US media publishers have cut off European reader access entirely because they haven't figured out how (or aren't willing) to be compliant with the GDPR.

Take the Los Angeles Times and the Chicago Tribune, which are simply displaying a banner for European visitors that says they are "looking at options" to "support our full range of digital offerings to the EU market" and that they are trying "to identify technical compliance solutions" that will bring them into line with GDPR. Er, you've had at least 18 months to do this, folks.

The overall message here is that GDPR isn't necessarily easy. Lots of organisations either don't know what to do with it or are being overly-cautious, hounding every contact they have via email to opt in to a database they're putting together. (There's an amusing current compilation of corporate offenders at

But it's not rocket science either. There really is a lot of decent guidance available on it online, much of it free. There's also the basic text of the GDPR itself, which is largely understandable (if a little dense in parts).

So keep the chin up. If you've been a little nonplussed by it all, there's still time to get to grips with GDPR.

And you should definitely see fewer emails.

Sunday Indo Business
