Opt in, tune out, time’s up

Companies are getting themselves in a knot over new data protection regulations

The biggest overhaul of data privacy regulation in the history of the internet will come into force on Friday as businesses scramble to comply with the new rules. Photograph: Yui Mok/PA Wire
The biggest overhaul of data privacy regulation in the history of the internet will come into force on Friday as businesses scramble to comply with the new rules. Photograph: Yui Mok/PA Wire

One thing is certain. Unlike much of the legislation that comes to us from Europe, no-one will be able to say after this week that they are unaware of GDPR (the new General Data Protection Regulation). Everyone’s email inbox is brimful of solicitations from companies and organisations that hold our details , asking for permission to continue to do so.

The new rules come into force on Friday. Yet for all the hype, the planning and the millions of euro spent on advice from lawyers and data protection specialists, it would appear that confusion still reigns.

A central element of the new rules is to ensure that people actively opt in to you holding their personal details for future use rather than holding on to them by default, from often unrelated data gathering exercises and putting the onus on people to specifically request their data are no longer used.

Legitimate interest

For many companies and other organisations, a key consideration is whether they actually need to seek specific retention approval from those on their database. In general, certainly they do but there are a number of exceptions – most notably one of “legitimate interest”. For instance, you would presume that PR professionals would have a legitimate interest in holding email and phone contact details in relation to journalists with whom they engage in the course of their work.

READ MORE

So far, so clear. If you have a legitimate interest in contacting, you can continue to do so with confidence. And you do not need to contact anyone to seek their permission if you have a legitimate interest in retaining the data.

So you would expect that only organisations and companies requiring active opt-in would be contacting people on whom they currently hold data. That’d be logical.

But no. Several groups – including small business lobby Isme and the corporate regulator, the ODCE – have sent out mails offering people the opportunity to unsubscribe. That is, opt out. If there was ever a guarantee of confusing even those who are most familiar with the new rules, this is it.