Under GDPR, organizations are either data controllers, data processors or - in some situations - both. The situation under consideration here is where you are a data controller.
In these circumstances, you can't shirk your responsibilities under GDPR but you should examine carefully the manner in which your provider - who is a data processor - handles GDPR.
In the past, email list service providers often implemented what's called a 'double opt-in' system to ensure that you're not spamming. The list entrant has to confirm their wish to join your list, usually by clicking a button. GDPR might require you to change that practice - or it might not.
But let's step back a moment.
I'm sure that many readers, like ourselves, have found companies asking you to confirm your desire to continue receiving messages via email. Is this a requirement under GDPR? Maybe not. According to Steve Wood, Deputy Information Commissioner, ICO UK: (my emphasis added)
Some of the myths we’ve heard are, “GDPR means I won’t be able to send my newsletter out anymore” or “GDPR says I’ll need to get fresh consent for everything I do.”
I can say categorically that these are wrong, but if misinformation is still being packaged as the truth, I need to bust another myth.
Myth #9 We have to get fresh consent from all our customers to comply with the GDPR.
You do not need to automatically refresh all existing consents in preparation for the new law. But the GDPR sets the bar high for consent, so it’s important to check your processes and records to be sure existing consents meet the GDPR standard. If they do there is no need to obtain fresh consent.
Where you have an existing relationship with customers who have purchased goods or services from you it may not be necessary to obtain fresh consent.
It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act.
We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them. So think about whether you actually need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent easily.
If consent is the appropriate lawful basis then that energy and effort must be spent establishing informed, active, unambiguous consent.
As we pored over our list we discovered a few things that gave us pause for thought.
On safe ground?
Some of the people on our list were imported via a CSV file. Ergo, there was no obvious way they have confirmed their desire to be on an email list. However, we know the circumstances under which those 'consents' were obtained and they would otherwise be considered lawful.
Our service provider provided that facility on the proviso that we assured them of our right to add people to the list. But that doesn't necessarily help under GDPR. We can certainly rely upon the 'where you have an existing relationship' argument because we can trace which emails were sent, when they were opened and on what was clicked.
Where that information is relatively current - and here there is a value judgment to be made - we're confident that we're on safe ground.
When a record delete isn't deleted
But what happens when your service provider allows your list recipients to change preferences and unsubscribe? As I understand it, once that happens, the person can no longer be sent content unless they resubscribe.
In our case, the list service provider does not delete the person from the list. This can be for good reason. There might be a case where the person has signed up for different purposes e.g. to receive advertising, receive marketing content or just content and decided they only want to change one service.
But what if they want out of all services? In this case, the email service provider should scrub the database of all personal data. Right now, the onus is upon us to make that determination. In the past that didn't matter because who looks at those who have left? Almost no-one. But the fact that I CAN look at that data puts us at risk of falling out of compliance because, apart from anything else, I have no way to prove that none of the people authorized to work with the list have accessed or used those people's data in some way.
As was pointed out to me last week, the fact someone unsubscribes from your email list is not the same as them saying they want to be deleted from your database. Except when it is.
Needless to say, we're in an ongoing back and forth with the support people - who, of course, are on a separate workflow path to those in development.
What should you do?
There is a clear lesson here. Don't just take the soothing words of your email list service provider as representative of protecting YOUR interests.
GDPR is a hard deadline. No exceptions. I'm not prepared to take the gamble that our list service provider will bring delete tools to the service in time for GDPR and especially not given the vagueness of support responses and lack of communication in public spaces.
In short, if the email list provider isn't going to eat the required dog food that doesn't mean we have to ignore the situation, claiming we're in the hands of a third party. That just won't cut it.
That means whiling away hours sifting through the unsubscribed list and then manually deleting. Given that all email lists are in a near constant state of flux, that's a lot of work. But it is necessary.
I suspect that as a data processor, our email list service provider is not currently in compliance by virtue of their unwillingness to delete records. However, we can take (unnecessarily painful) steps to protect our position to ensure our database is clean. As you should too.
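The manual sifting described above can at least be made repeatable. The following is an added example, not code from the original post or from any list provider; it assumes a hypothetical CSV export with one row per contact per purpose and the columns `email`, `purpose`, `status` and `last_engagement` (adapt these to whatever your provider actually exports). It separates two cases the post discusses: contacts who have unsubscribed from every purpose, whom the provider keeps but the controller must erase, and contacts who are still subscribed but whose last engagement is too old for the "existing relationship" argument to carry much weight.

```python
"""Triage a mailing-list export for GDPR clean-up.

Added example, not from the original post or any provider's tooling.
Assumes a hypothetical export format: one row per (contact, purpose),
with columns email, purpose, status, last_engagement (ISO date or blank).
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export in the assumed format.
SAMPLE_EXPORT = """email,purpose,status,last_engagement
alice@example.com,advertising,unsubscribed,2018-03-02
alice@example.com,content,subscribed,2018-03-02
bob@example.com,advertising,unsubscribed,2017-11-20
bob@example.com,marketing,unsubscribed,2017-11-20
carol@example.com,content,subscribed,2016-01-15
dave@example.com,content,subscribed,
"""


def load_rows(text):
    """Parse the export text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def group_by_contact(rows):
    """Collapse per-purpose rows into one record per email address,
    keeping each purpose's status and the most recent engagement date."""
    contacts = {}
    for row in rows:
        entry = contacts.setdefault(
            row["email"], {"purposes": {}, "last_engagement": None}
        )
        entry["purposes"][row["purpose"]] = row["status"]
        if row["last_engagement"]:
            seen = date.fromisoformat(row["last_engagement"])
            if entry["last_engagement"] is None or seen > entry["last_engagement"]:
                entry["last_engagement"] = seen
    return contacts


def deletion_candidates(contacts):
    """Contacts unsubscribed from every purpose. The provider keeps them on
    file, so the controller must delete them (and record that it did)."""
    return sorted(
        email
        for email, entry in contacts.items()
        if entry["purposes"]
        and all(status == "unsubscribed" for status in entry["purposes"].values())
    )


def stale_consent(contacts, today, max_age_days):
    """Still-subscribed contacts with no engagement inside max_age_days (or
    none recorded at all). These need a consent review before being mailed."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(
        email
        for email, entry in contacts.items()
        if any(status == "subscribed" for status in entry["purposes"].values())
        and (entry["last_engagement"] is None or entry["last_engagement"] < cutoff)
    )


def triage(export_text, today, max_age_days=365):
    """Return the two lists a controller acts on: records to delete and
    records whose consent basis should be reviewed."""
    contacts = group_by_contact(load_rows(export_text))
    return {
        "delete": deletion_candidates(contacts),
        "review": stale_consent(contacts, today, max_age_days),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT, date(2018, 5, 1))
    print("delete:", result["delete"])
    print("review:", result["review"])
```

Run it against a fresh export each time the list changes, and keep the dated output of the `delete` list alongside a note of when the deletions were carried out: that record is what lets you show, later, that unsubscribed contacts were actually removed rather than left sitting in the provider's database. The `max_age_days` threshold is the value judgment the post mentions; the example defaults to a year, which is an assumption, not a figure from the post or from the regulator.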
Most importantly, while the onboarding process covering new email subscribers is about to be regulated in a relatively straightforward manner, you must check what happens when a subscriber decides it is time to walk away and establish whether YOU will remain in compliance following those events.
There's always the nuclear option of dumping the existing provider and transferring to a new provider. But that opens up yet another can of worms.