Did I really sign up for that? How did they get my email address?
I’ve had at least 20 of these things, and it’s barely May – and I’m sure you’re having a similar experience. Because of the government’s new GDPR (General Data Protection Regulation), which comes into force on 25 May, everyone is frantically scurrying about trying to make sure that they don’t lose their valuable databases of contacts by sending out emails asking you to opt in so that they can carry on sending you their blog, their press releases or whatever else it is they want to send.
I did some frantic scurrying too – add to list ‘must send opt-in email!’, ‘write opt-in email!’, ‘worry about those who don’t opt in but surely would still want to be on the list!’ – until I a) talked to a colleague who’s sorting out GDPR for his company (to whom big thanks) and b) as a result bothered to read the requirements in detail. I know, I know – always read the instructions first, I can hear my father whispering in my ear...
And the good news is that, if we have a ‘legitimate business interest’ in holding onto someone’s email address (because for us, after all, that’s what it’s largely about), and put a statement on our website about how we’ll keep, use, manage etc that data, then we should be fine. As long as we have that legitimate interest, we don’t have to ask people to opt in* – we just have to tell them we have their data and make it easy for them to opt out. (I might have made up the ‘make it easy’ part, but after all, that’s surely the point.)
So it all hinges on that notion of ‘legitimate business interest’. Anyone we’re actually working with at the moment will fall into that category anyway but there are lots of other people (many of you lovely blog readers, for instance), for whom it’s rather more vague. Fortunately the definition given is pretty vague too – and as long as we complete our ‘legitimate interests assessment’ (LIA) and demonstrate how our usage of data is, in our view, legitimate, then all will be well.
This blog is, in fact, part of that LIA – because one of the things you have to do is to explain to people what this process is all about. I won’t bore you with all the details, but the key questions are to do with why we keep the data, and how people will benefit from it. Our answer to the wider public benefit question in the LIA is “Spreading joy and happiness by inviting people to parties and sharing ideas they might be interested in.”
And there you have it. I’d call that a legitimate business interest, wouldn’t you? (And if you don’t, you will of course be offered a very easy and obvious way to opt out!)
Look out for your GDPR email soon.
* Probably – legitimate business interest (LBI) is one of the legal grounds for holding people’s data; consent (opt-in) is another; and there are at least four more. In the interests of simplicity we’re choosing LBI so that we don’t have to bother people with opt-ins which they might forget to do. Because everyone on our list is a colleague, client or friend (sometimes all three) we reckoned none of you will sue us for inviting you to a party that you don’t want to go to or sending you a blog that you don’t want to read…