GDPR and e-Newsletter Subscribers

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by Holster, Jan 2, 2018.

  1. Holster

    Holster UKBF Newcomer Free Member

    I've had quite a few GDPR conversations, done a decent amount of reading around the subject and even been to a full on 2 hour GDPR training session, but I'm still confused about a few points:

    We have a jobs web site. As part of our service, users can sign up to receive our e-newsletter service, which provides them with the latest jobs to go on the site, and selected sponsored jobs that match their preferences. We never sell our data to 3rd parties; all communications are sent from us. They can opt-out of these updates at any time.

    We have around 100,000 people who have signed up in the last 12 months to receive these e-newsletters. As the sole reason for signing up on this particular form on the web site is to receive updates from us, we don't provide a checkbox (either opt-in or opt-out) to say "I agree you can please contact me" because why else are they filling out the form? It's not like they're buying a pair of shoes and we're asking them if they'd like to hear from our marketing team about other products.

    So... Firstly I'd like to know given the nature of the form whether the historical/legacy data we hold (the last 12 months of signups) is GDPR compliant or whether we need to reconfirm each subscription?

    Secondly, moving forward, in circumstances like ours, do we need to offer double-opt-in (we don't currently), and do we need to have an opt-in checkbox on a form that is only for signing up to receive a newsletter?

    I'd be grateful to anyone who can point me in the right direction! I'm going around in circles!
     
    Posted: Jan 2, 2018 By: Holster Member since: Jan 2, 2018
    #1
  2. deMesquita

    deMesquita UKBF Newcomer Free Member

    Since, as you explained, the only purpose someone would fill in your form is to receive newsletters, I would take the following steps.

    Ensure that it is clear on the website that by signing up you will be receiving newsletters - That is the very service you are offering.
    In addition I would also have a check box 'I agree to these terms and conditions', where the terms and conditions would list by whom the data is processed, that there are no 3rd parties involved, the retention period and how they can unsubscribe.

    With regards to the existing client base, I would simply send out an email prior to May 25th informing clients about these T&C's reminding them about their unsubscribe option and stating that you're doing this for GDPR. Send the email using read receipts and store these as your initial consent. It is important that you do this prior to the 25th May as after that silence does not constitute consent and then you would need an actual reply which is unlikely to arrive.

    Hope this helps. If you would like to learn more, I maintain a blog post about these topics at coffeeandprocess.com
     
    Posted: Jan 5, 2018 By: deMesquita Member since: Jan 5, 2018
    #2
  3. DavidJWSmith

    DavidJWSmith UKBF Newcomer Free Member

    Hi Holster, much of the first response is very sound.

    You have asked about double opt-in. This is really a mechanism for checking that the email address you have was really given to you by the data subject, and not by a bot, or by another person, perhaps maliciously. You are not absolutely required to do this, but it is wise to validate the identity of data subjects as part of demonstrating you are trying to keep the risks to the data subjects as low as possible, but also for sensible business reasons.

    Looking at consent, GDPR has several requirements for consent to be valid.
    • The data subject must be 'informed', and Article 13 of GDPR tells us what they must be informed of.
    • Consent must be 'freely given', this means there can be no downside to not giving it, and no incentive to provide it.
    • Consent must be 'specific' and 'unambiguous', they must know how their data will be processed, and who by, at the time they grant consent.
    • Consent must be given by a 'positive affirmative act' which indicates the wishes of the data subject (from how you have described your form, it sounds like this is GDPR compliant. Typing in their email address is a positive affirmative act.)
    You should check you are only capturing data on your form that is 'necessary' for the processing, see GDPR Principle of 'data minimisation', if you don't need it, don't process it.

    Before May 25th 2018 you should ensure all the data subjects have the Article 13 information. Part of which is telling them their rights, including the right to withdraw their consent. The ICO have said there should be 'no surprises' in the data processing, so if data subjects know about the processing, and if they do not withdraw their consent, and providing they have the Article 13 information, and providing you can demonstrate the other points above, you should be complying with GDPR.

    BUT, no-one can say for sure, there is no case law. So document all of your thinking, write it all down so you can demonstrate what you have done and why, if you are ever asked to do so.
     
    Posted: Feb 10, 2018 By: DavidJWSmith Member since: Feb 6, 2018
    #3
  4. Paul Murray

    Paul Murray UKBF Regular Free Member

    Something I've started doing with clients' forms is only making the submit button enabled if the terms checkbox is ticked. Without it enabled the form won't submit, and it prevents situations where someone has signed-up but not explicitly opted in.
     
    Posted: Feb 10, 2018 By: Paul Murray Member since: Nov 24, 2011
    #4
  5. DavidJWSmith

    DavidJWSmith UKBF Newcomer Free Member

    There is no reason why you shouldn't have additional checkboxes, but be careful not to muddy the water about the legal basis you are using. The phrase 'I agree to these terms and conditions' is the sort of terminology used when agreeing to the terms and conditions of a contract.

    Here we are talking about GDPR 6.1.a: "the data subject has given consent to the processing of his or her personal data for one or more specific purposes". It is quite plausible to use the legal basis GDPR 6.1.b: "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract".

    But you should choose the legal basis you are using correctly, because you need to tell the data subject what it is. Using 'contract-y' terms while using the legal basis of consent may confuse data subjects, and may not be held as offering sufficient transparency.
     
    Posted: Feb 11, 2018 By: DavidJWSmith Member since: Feb 6, 2018
    #5
  6. Paul Carmen

    Paul Carmen UKBF Regular Full Member - Verified Business

    The advice you've received is sensible, but GDPR is clear on a couple of points that have been talked around but not specifically answered. These are:
    1. That you have to be clear on what you use the personal data for. This means you should be OK if you only ever send subscribers a newsletter. However, if you then start sending a marketing email, or offer them 3rd party services outside of the newsletter by email, you've not obtained specific consent for this.
    2. As far as a double opt in process is concerned, outside of a basic contact type sign up, we see this as the only way to be GDPR compliant. You have to prove customers gave you consent to use their personal data for marketing. If you use a proper email platform/CRM then you have the method to prove you gained consent, you can also setup a list for each type of consent to ensure you're fully compliant. Without this, can you prove who gave you consent when & for what if you ever get challenged by a customer or the ICO?
     
    Posted: Feb 11, 2018 By: Paul Carmen Member since: Jan 27, 2018
    #6