Close

Stop the GDPR madness! Small poetry presses & arts organisations please read

This isn’t the usual subject for my blog. I try not to mix (marketing) business with (poetry) pleasure. But as the emails about GDPR intensify I’ve decided I have to say something – in the hope that it might prevent even one small, underfunded, hardworking, non-profit poetry press or community writers’ group from the suicidal step of unsubscribing its entire email list.

We’ve all been getting them – the emails telling us that in order to comply with the new GDPR regulations, we MUST re-subscribe to their list, or else they WON’T BE ABLE TO CONTACT US EVER AGAIN after May 25th.

I have no idea where this advice originated, but it has spread like a bad joke, to the point of madness.

My first thought on receiving an email like this is ‘why do they think can’t they contact me after that date, when I already signed up for their emails, or paid my subscription, or regularly attend their events?’ The second is ‘why am I being punished for not going along with their mistaken belief in what the GDPR is all about?’

When it’s an organisation I’m fond of, or feel sorry for, or if I’m just in an altruistic mood, I reply – telling them they are throwing the baby out with the bathwater, offering links to the information they should read, offering my advice – always with the caveat that I’m no lawyer, but I do speak with nearly 20 years’ experience of working in email marketing. Sometimes I am thanked, sometimes I’m told ‘you’re probably right but we’re not sure if we’re compliant and we only do it for love and don’t have 17 million quid to pay the fine’, or words to that effect, I’ve even received the icily defensive “well we’re just a teeny weeny non-profit run by volunteers but you are obviously much more up on it than us!”

It’s very sad that so many completely well-meaning people, who would never dream of knowingly spamming anyone, are panicked by the well-publicised “fines of up to £17.5 million” – to the point of potentially ruining their entire enterprise (please read – or jump – to the end for the last word on this). The deluge of emails has resulted in ‘consent fatigue’ – the current re-subscribe rate is averaging 10%. At this rate, mailing lists (the lifeblood of many arts organisations) will be decimated. Even if you have a high quality list consisting of engaged, loyal supporters, you’re looking at probably losing half of them. This has implications not just for the marketing of books, magazines, courses and events, but for issues such as funding too – size matters when it comes to ‘how many people do you reach on a regular basis’- type questions.

Plus, it’s not advisable to just copy what others are doing. Rebecca Cooney has this sensible advice at The Third Sector:

“If you rush to write to all of your supporters, saying you’re moving to consent and if they don’t respond they’ll never hear from you again, you really can’t go back on that[…]so the phrasing and the wording that you use is really, really important.”

There is only one point of authority on the GDPR, and that is the ICO (the Office of the Information Commissioner.) If you have been compliant with current rules on email communications (Privacy and Electronic Communications Regulations of 2003, anyone?) then the permission you obtained under those regs still holds good under GDPR. The new regulations require higher levels of transparency, lawfulness and fairness when dealing with people’s data. This wider context seems to have been lost on many people.

Here’s Toni Vitale, from law firm Winckworth Sherwood, quoted in The Guardian a few days ago: (my emphases)

“Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR,” Vitale said. “The first question to ask is: which of the six legal grounds under the GDPR should you rely on to process personal data? Consent is only one ground.”

Vitale goes on to suggest that the process of emailing people to ask for their permission may even be illegal, since it suggests you don’t actually have permission to send that email. (See the cautionary tale at the end of this post.)

One of the other legal grounds you may rely on to process data is ‘legitimate interest’. Here’s Ben Rapp on the Rappidly blog:

“Most processing of data for the purposes of sending out marketing emails would be justified under Article 6.1f  – it’s in your legitimate interest to do it, and you believe that that interest outweighs the consumer’s right to privacy. Which, if we’re just talking about a name, an email address and their prior browsing and purchasing history from you, is probably true. You need to write that justification down, and show it to the natural person if they ask for it – or to the ICO, if they ask for it.”

And Todd at the Spaghetti marketing agency blog:

“…you can pretty much apply it [legitimate interest] to your marketing and business to suit you as long as you’re transparent about what you send and why and then how you store the data; and you’ve conducted a balancing test to make sure your legitimate interest doesn’t outweigh the individual’s.”

None of this means you don’t need to ask people’s permission to email them – it just demonstrates that if you already have that permission and want to be absolutely compliant with the new regs then stop asking people to re-subscribe to your list and instead look at your data collection and processing systems, at how easy it is for people to leave your list, at whether you tell them what data you store and what you used it for.

Anyone with an email list who’s unsure what to do then a good place to start is the ICO’s Lawful Basis Interactive Guidance Tool.

And the DMA (Direct Marketing Association) have produced this free PDF document on ‘Consent and Legitimate Interests’.

There are also some very good examples of how to do it. Here are two I’ve received. I have highlighted in red the sentences that illustrate what I’m talking about. The first is from Live Canon:

To all our followers,

As you’ll be aware, new mailing list/data protection laws (GDPR) come into effect imminently. We have been reviewing how we use our mailing list, and how we store the data to make sure we are fully compliant.

We wanted to reassure you that we only hold email addresses on our mailing list; these are not cross-referenced to names, addresses or any other data. All of our mailings (including this one) have an unsubscribe button at the bottom; this allows you to unsubscribe from the mailing list immediately at any point.

We hope you will continue to follow our mailing list and receive news of what Live Canon are up to…

And another, in an email from Write & Shine:

A note on GDPR
The General Data Protection Regulation comes into effect on 25 May. We’ve updated all our processes to ensure we adhere to the new law. As you’ve opted in to the Write & Shine mailing list in the past there’s nothing you need to do, but please update your subscription preferences and read our Privacy Policy. You can unsubscribe from the newsletter anytime by clicking the link in the email footer or by contacting us at hello@write-and-shine.com.

And finally here’s something else to think about. What would it take to get that £17.5 million pound fine? First of all, someone on your mailing list has to complain to the ICO. The chances of this happening is in itself pretty low when you think about it. “Dear Information Commissioner, I got an email from the Poetry Goodguys to tell me about a workshop they’re running at Bromley Library costing £20 and I don’t know how they got hold of my email although it might have been at the Poetry Book Fair.” Then if they’re having a quiet day, who knows, the ICO might investigate. They might find that Poetry Goodguys have emailed 137 people whose emails they obtained at various poetry events and they wrote them all down longhand in a notebook and added them to their list of poets who might be interested in courses, without a double-opt-in and most of them without actual names, just email addresses. Are they going to fine them 17.5 million quid? Are they going to fine them at all? Are they even going to investigate the complaint, in these days of under-resourcing and bigger-fish-to-fry?

OK then, how about this cautionary tale, as reported in The Register:

An investigation by the ICO found that Exeter-based airline Flybe had “deliberately sent more than 3.3 million emails to people who had told them they didn’t want to receive marketing emails from the firm”.

Those emails ironically were asking customers to update their marketing preferences, including whether they wanted to receive emails like the ones Flybe had just sent, and offered customers the chance to be “entered into a prize draw” for contributing.

Flybe ostensibly sent the email to ensure that its data on customers was held in compliance with the GDPR but landed a a £70,000 monetary penalty notice from the ICO for breaking the Privacy and Electronic Communication Regulations (PECR) while attempting to do so.

Laugh? I nearly cried. And note the amount – £70,000. For a firm the size of FlyBe sending 3.3 million emails. That were asking people to re-subscribe to their mailing list. I rest my case.

 

 

2 Comments on “Stop the GDPR madness! Small poetry presses & arts organisations please read

  • Ben Rapp
    May 22, 2018 at 9:37 pm

    Thanks for the link. You’re not wrong about the FlyBe case, but remember that the fine was pre-GDPR, where the ICO’s maximum power of fine was £0.5m. The real point here is that when you go back to people to ask for consent, you’re essentially admitting that the consent you previously used for them isn’t good enough. In which case, how come you think it’s OK to write to them this time? I know it sounds Kafkaesque (and I wrote a blog about that too) but this is the heart of it. You’ve had to have consent to email people since 2003. So if you think you need to ask for consent now, you’ve been emailing them illegally for 15 years. And that does upset the ICO.

    What you need to do is update your privacy policy to comply with the REAL new GDPR requirement, which is that you tell people exactly what you’re doing with their data, why, how long you’re going to keep it, how you’re going to keep it safe and what their rights are. Then you need to tell them about your new privacy policy. And then you need to stick to that policy and do only, and exactly, what you say you’re going to do. How hard is that?

    Reply
    • Robin Houghton
      May 23, 2018 at 4:14 pm

      Indeed! Thanks for commenting/clarifying. All the best, Robin

      Reply
  • Leave a Reply

    Your email address will not be published. Required fields are marked *

    This site uses Akismet to reduce spam. Learn how your comment data is processed.