Businesses still unsure of what they're supposed to be doing.
With just three days to go until the deadline, GDPR panic is continuing to ramp up. Organisations large and small are flooding inboxes with requests to continue sending marketing emails to customers and prospects, in a process known as ‘repermissioning’. But now, it seems, that might not even be necessary – and in some cases it’s probably breaking the rules that these firms are trying to comply with.
“Most GDPR emails unnecessary and some illegal, say experts,” said the Guardian in a report widely shared on social media. If companies already have consent to contact people, they don’t need to ask for it again, it claimed. And if they offered an opt-out under the existing rules, that counts as a ‘soft opt-in’, which will continue to be valid even after GDPR comes in, and which may allow businesses to send out marketing material based on legitimate interests.
If they have neither consent nor a soft opt-in, then businesses shouldn’t even be emailing to ask for permission to continue sending emails.
Most big organisations will probably already have either explicit consent or a soft opt-in, so they don’t need to ask for new permission. In fact, they’re probably just encouraging contacts to unsubscribe needlessly.
Of course, as with any major story that does the rounds on social media, self-appointed experts soon began popping up to exclaim that they knew all this already and that everyone else is stupid.
Perhaps they did, or perhaps they’re really just as confused as everyone else by the new rules.
The fact remains, though, that GDPR is causing a ton of chaos and problems, particularly for smaller businesses. Before GDPR, the Data Protection Act made similar demands of businesses regarding the handling of personal data, but let’s be honest, how many actually took any notice of that? Very few, we’d wager, and it seems that many SMEs don’t have the kind of permissions they should have according to the PECR (Privacy and Electronic Communications Regulations), the existing rules that will continue to apply alongside GDPR.
Research by the Federation of Small Businesses found that most small businesses weren’t prepared for GDPR and many would not be after the deadline had passed. Mike Cherry of the FSB said:
“Given the extent and the breadth of the changes, it is clear that a majority of small businesses will not be fully compliant before May 25th and will most likely not be compliant when the changes hit. With this in mind, it is critical that the ICO manages non-compliance in a light touch manner with the focus being on education and support, not punishment.”
Put plainly, SMEs do not have the kind of resources the big firms do, so some leniency will surely need to be extended to them. Whether or not that turns out to be the case, however, remains to be seen.