No need to be frightened by GDPR


By Ardi Kolah, Director of the GDPR programme, Henley Business School

Millions of small and medium-sized businesses have been scared – unnecessarily so in my view – by the Federation of Small Businesses (FSB) into sending out emails like this: “We don’t want to lose you, so please take action NOW”.

What the FSB failed to point out when recently interviewed on the BBC Today Programme is that for millions of small and medium-sized businesses – around 95% of its members – there’s really nothing to worry about as a result of the GDPR.

The main action SMEs need to take arises where processing of personal data presents a “high” or “very high” risk to customers. In such cases, it will be important to mitigate that risk by putting in place organisational and technical measures that reduce it to a residual risk that doesn’t cause harm or damage.

The good news is that the guidance and tools to help SMEs do this are freely available on the ICO’s excellent website.

And those re-consent emails that you may have sent, or are thinking of sending more of, aren’t actually required.

In the UK, it’s been the law since 2003 that you can only send a marketing email to an individual recipient when they’ve consented to receive it OR you’ve an existing customer relationship with them and have offered them the opportunity to opt-out.

That’s still the case today.

The GDPR doesn’t replace the Privacy and Electronic Communications Regulations (PECR) but sits alongside them.

Most of us have been happily buying stuff from SMEs online for years, or buying stuff in a B2B context for business purposes. So re-consent isn’t necessary.

What’s really stupid is that if you’ve never consented to receiving marketing messages in the first place and get one of these ‘zombie messages’, it’s actually a breach of PECR!

This has led to the ICO here in the UK having to go on the record warning that these annoying emails aren’t actually complying with the GDPR.

“We’ve heard stories of email in-boxes bursting with long emails from organisations asking people if they’re still happy to hear from them. Think about whether you actually need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent easily,” advises Steve Wood, deputy information commissioner.

Direct marketing is a legitimate interest of any SME and provided that the recipient has the opportunity to elect not to receive further marketing emails, that should be OK. The whole point of the GDPR is to build deeper digital trust so that companies can do more – not less – with personal data.

Going down the consent route may not always be the most appropriate way forward in every instance. The days of pre-ticked boxes are over: consent needs to be an unambiguous, affirmative action and an expression of wishes. It can’t be conditional (win a free signed shirt, as one Premier League football club promised in return for consent) and mustn’t discriminate against the interests of the consumer should they not wish to consent to their personal data being processed.

“If consent is the appropriate lawful basis, then that energy and effort must be spent establishing informed, active, unambiguous consent,” adds Steve Wood.

Honda and Flybe got their wrists slapped by the ICO last year when they started sending emails asking people to agree to getting more emails. Sound familiar?

Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing, without the right consent, is still marketing and it’s against the law. In Flybe’s case, the company deliberately contacted people who’d already opted out of emails from them.

The ICO recognises that companies, including SMEs, will be reviewing how they obtain customer consent for marketing to comply with the GDPR, but warns companies they can’t break one law to get ready for another.

Those struggling to get their heads around the GDPR may find the GDPR Handbook gives them some much-needed clarity on how to deepen digital trust.

And there’s no need to become a zombie!

The GDPR Handbook by Ardi Kolah is published by Kogan Page, priced £49.99. For more information go to