GDPR (niche thread)


In a bizarre twist of events my antiquarian bookshop has since it started a newsletter only asked those that buy a book in store whether they would like to be added to our mailing list, and the only other sign ups have been from a form you have to fill in on our website.

So weirdly one of the most archaic sectors (we’re all pretty much the same in approach) is going to be fine with marketing :smiley:


Oh I completely agree. GDPR has come about for two reasons a) a need to update existing DP law with regards to advances in online activity and b) a need to stop organisations taking the absolute piss with their marketing. I’m fully behind it.

The ICO has been punitive with the charity sector of late, and it’s probably 50/50 deserved/undeserved. What is clear is that they have been known to make an example of large charities with big fines. It’s also the case that a lot of the least favourable fundraising practices have been curtailed due to legal changes outside of GDPR, especially wrt to list-swapping etc. Charities took the piss with that for too long in my view.


I received an email from the website bandsintown, a site i can’t recall using but if i did it was a decade ago at least. Anyway, they were getting in touch to let me know The Darkness have a new message for me! Now that really is worthy of a hefty fine!


Punish them to the fullest extent of the law


Have you had the wording of this checked out? As in, have all of the disclaimers made clear that the person is added to the mailing list to receive marketing (or words to that effect) from you?


Yeah we literally say:

We also have an email newsletter which we send regularly, around a couple of times a week and more at Christmas. Would you like to be added to that list?


Do you only send that newsletter? Or do you also send ad-hoc Emails advertising sales/promotions etc.?

If the former it’s probably ok.


We should probably gently amend the exact phrase as the newsletters will among various updates feature at the very least blogs which point to items for sale


Should still be fine. The point is if the data is used for any other purpose than the one that was stated when it was collected. Basically it’s to stop some new marketing bod coming in and going “oh we’ve got this mailing list we can send loads of other stuff to!”. Post-GDPR you won’t be able to.


Yeah, agree with all of this to be fair.


Wicked. I thought we were clear but that’s helped keep me cool about it

The govt does NOT want me going full Xylo at them


Had a proper read through it as our new “Data officer” was given the job to get rid of them in their real job. Don’t really see whats bad about it. Essentially starts the whole thing again rather than have 10+ years of companies sending you bullshit forever.

Seems pretty sensible and is mainly on the above, and details going to third parties. If you don’t conform to it or at least have a good justification that will let you wriggle out of anything harsh, you deserve everything you get.


Yeah we’re pretty much all fumbling around with it. This thread’s actually been just as, if not more, helpful as any seminar I’ve been to on it! Still waiting on the ICO’s guidance but they’ve said don’t expect much of substance to change from what they’ve already said so it goes back to what McGarnagle said upthread - the ICO’s position is “You’ve seen what it says and we’re not going to clarify anything for you. Ta da”. This means that it’s all going to be in the case law stress-testing afterwards. Some big organisation’s going to be hauled in front of the ICO sooner or later next autumn and… man alive I hope it’s one that’s got their shit together because, if not, it could fuck all of us.


Quite a few organisations could try just applying simple information governance and addressing some of the many aspects of the DPA they’ve been neglecting for years.


Yup - @1101010, as DB says, it’s not just any data that can identify a person, it’s any data that can be combined to identify them has to be treated as personal data, and anonymisation doesn’t allow you off the hook either because (to use DiS as an example):

  • if all data is anonymised and collected together in the same way the “old anonymous comments” on DiS were, the people who submitted their posts still have the right to have their ones removed
  • if it is pseudo anonymised (i.e. a banned user is renamed as “Anonymous user 28163” and their profile has location, avatar etc wiped) then there’s still a whole load of personal data all linked together by a single key (the username), and they still have the right to contact DiS and have all those posts removed.

The only option as I understand it under GDPR is to provide the option for a single user’s data to be wiped, albeit there’s a caveat to that;

  • A data controller can insist that they need to maintain the data necessary to continue to do business with an individual if that individual wants to continue to have a service provided to them or if they legally have to for regulatory reasons. For example a telco or energy company would require billing details, phone number etc. or a bank needs to maintain call recordings for up to 7 years to remain in line with other laws.

As you say, it means a lot of IT systems, particularly old ones, are difficult to make compliant, but that’s going to be the designers and developers problem unfortunately.


if we think GDPR is complicated let’s just imagine how many time more complicated it would be to do something ridiculous like leave the EU including single market and customs market

oh wait


This point simply cannot be stated enough.


Hey fellow navigators aboard the good ship GDPR!

Here’s something - BrewDog (boo!) are running a promotion giving away a million free pints. A lovely marketing gimmick to be sure, but I noticed that in order to claim your drink, you HAVE to sign up to their mailing list. So this seems like a big effort to build up a huge mailing list of people… but post-GDPR, I’m pretty sure that won’t be a valid way of gaining consent since people were obliged to provide it to participate in the promotion. So the whole list will be bullshit? Nice one.


Aw, I misread that as (G)DDR and thought this would be a thread about great East Germans.


Depends on how they’ve worded it but I would have thought it’d be fine post-GDPR. You’re opting in to their mailing list and getting a free beer for doing so - don’t think there’s any rules on incentivising consent in this way.