Now that the provisions of the EU’s GDPR regulations are fully enforceable, the landscape of public communications has changed unrecognisably.
The first thing to point out is that, while this is an EU provision, it won’t be affected by the UK leaving post-Brexit; the provisions apply to anyone who trades with the EU or has its citizens as customers.
Multi-billion pound lawsuits based on GDPR have already been registered in the US, for instance, against companies that allegedly coerce users to consent to use of their data for targeted advertising.
No one is immune; even enormous organisations like Google and Facebook are facing legal tussles over GDPR compliance issues.
David Klein is a world-leading attorney specialising in intellectual property, internet businesses and compliance; he is the managing partner of Manhattan-based specialist boutique law firm .
Klein points out that in the UK, the Information Commissioner’s Office (ICO) updated its handbook on March 6 2018. In it, the ICO states that the “right to object to direct marketing” does not prevent an organisation from holding what it terms a “suppression list”, that is, details of those who opted out from receiving communications.
That’s because such a list “supports the individual’s right to object and is held for compliance rather than direct marketing purposes.”
Be careful, though, Klein points out: the guidance says that you should retain “just enough information to ensure that their preferences are respected in the future”.
So does such a suppression list infringe upon an individual’s right to be forgotten, a right recognised in the GDPR provisions? Well, yes and no.
The right to be forgotten is enshrined within the GDPR provisions, says Klein, insofar as it gives individuals the right to demand that you delete their data from your database upon request.
He adds that there may be examples where non-compliance is an option, such as where it might conflict with freedom of expression (applying mostly to media and journalism), where removal would defy a court order or where removal might be in breach of the public interest or would conflict with other legal rights.
These scenarios, though, are in the minority. The primary rule is clear: if requested to remove someone from your mailing list, you must comply.
If you do decide to keep a “suppression list”, tread carefully. You must keep only the barest of details that will allow you to ensure that you comply with their preferences if they were to opt back in at some point in the future. If you have any doubts about the data you hold, and a right to be forgotten request is a perfect example of such a doubt, you would do well to consult to ensure that you are conforming to the law.