Processing personal data with the new GDPR

While today, 25 May 2018, is the day when the rules on the processing of personal data finally change, entering the 21st century, it is interesting to look at recent activity in this regard and its significance within the context of the changes to this legal regime.

The last couple of weeks have seen an unprecedented invasion of everyone’s mailbox by multiple service providers, with the recurrent intimation to press the accept button unless you want to lose out and no longer receive those emails with the ever so important information that has often been spamming your inbox, often without a way of ridding oneself of them. In most cases this seems like a headless chicken run by those who still have no idea what they need to do, so the herd instinct prevails and they follow the rest. For others, this was a final effort to ensure that they are fully in conformity with the looming Data Protection Regulation (GDPR).

However, many might not know that direct marketing, in other words the sending of commercial material to an individual person, has already been regulated for many years, and the proverbial Joe Borg should never have been receiving that email letting him know of a buy 2 get 1 free offer on detergents unless he had not objected to receiving such information beforehand. In other words, Mr Borg must have been given the opportunity to object. That is to say, if Mr Borg provided his personal data in 2012 to participate in a competition to win a hamper filled with detergents, this did not, and still does not, automatically imply that he has accepted to be spammed with related or unrelated marketing material thereafter.

While this rule may have been a grey area so far, it has now been crystallized in the GDPR. Companies, NGOs, etc. must therefore now ensure more than ever that they are in line, or suffer the consequences, which may often be very hefty fines. The Irish Data Protection Commissioner published an informative document advising on the steps to be taken to be prepared. Among the suggestions made, a checklist is set out to ensure companies are accountable in their holding of personal data. The questions suggested are:

  • Why are you holding it?
  • How did you obtain it?
  • Why was it originally gathered?
  • How long will you retain it?
  • How secure is it, both in terms of encryption and accessibility?
  • Do you ever share it with third parties and on what basis might you do so?

This leads on to the next set of questions: how was consent obtained? Was consent obtained specifically for direct marketing? While many companies in Malta and elsewhere have indeed thus far addressed a specific question targeting direct marketing, often this was one to the effect that unless you specifically refuse you shall be included in a mail shot list, or sometimes a pre-ticked box, which again implied a priori consent unless action is taken to untick the box and therefore opt out. With the GDPR this shall no longer be allowed, and consent has to be unequivocal and unambiguous. In other words, recipients of direct marketing material must be limited exclusively to those who said yes to receiving this material and who, moreover, know that while consenting today they may withdraw that consent at any time in future.

Dr. Ylenia Micallef Grimaud

Head European Affairs Unit – Corporate ID Group
