We keep audiences/mailing lists contact detail data
Mailing lists and opt-ins
If an individual has given permission for you to keep and store their data for the purposes of promoting your activities then it is fine to do so. But that permission has to be a positive opt-in and specific to the use. So it is no longer acceptable to take the ‘unless you tell us otherwise’ approach.
- Website: you can no longer have pre-ticked boxes for email sign-up – a user must actively tick a box to say they want to receive emails. The form should also be clear about what sort of email they will get, and there should be an easily accessible, clear and simple privacy statement.
- Paper email sign-up form: it should have a tick box to say they want to receive an email, or it should be very clearly stated that by adding their email they are agreeing to receive emails. There should also be a clear and simple privacy statement available at the point of sign-up (perhaps on the back of the form).
We know a lot of groups have a sign-up sheet along the lines of – ‘sign up to enter a prize draw for free tickets – by signing up you also agree to go on our mailing list’. This is not compliant with GDPR as it is forcing opt-in as a condition of something else. There should be the chance to opt in or out of the options (such as a sign-up sheet with two tick boxes). This is an area of GDPR that might seem overly regulatory and something that will hamper your group. This is an understandable point of view and it could be one of those situations where you balance the letter of the law against the spirit of GDPR and the needs of your group:
- You might make the argument to carry on as you are – the sign-up sheet is very clear (they could just not enter at all) and you will use the data in a fair and reasonable way and always provide an opt-out option.
- That said, having two tick boxes is not too difficult. If they are supporters of your group who want free tickets they are probably unlikely to object to emails anyway. An additional factor is the quality of your mailing list – it is not always good to force someone to opt in if they don’t want emails – it is better to not have someone at all rather than to send one email that is then marked as spam.
Reason: Finally, think about what data you are collecting and whether you have a reason for it. If you don’t send anything in the post there is no reason to ask for an address. For mailing lists it is probably best to keep it as simple as possible and just ask for names and emails.
Action to take
How you collect and use data for a mailing list is probably the area that will have the biggest impact on your group.
- Yes - can it be anonymised? If not then make sure it is stored safely and securely and include the data in your next data review to see if you still need to have it.
Review the information you ask for when collecting data for your mailing list.
- Make sure you have a good reason for asking for it – if you won’t use it, don’t ask for it.
- Ensure you provide a positive opt-in.
- Provide a clear and simple privacy statement at the point of collecting the data explaining what the data will be used for.
Historical opt-ins – one of the questions around GDPR is: do you need to get positive opt-ins for people who have signed up under previous (non-positive) opt-ins? To be honest it is a bit of a grey area – and we think there is some common sense to be applied.
One option is to email everyone who you usually email/have evidence of a historical opt-in for and ask them to provide a positive opt-in.
Please note: if you do not currently email them or have evidence of any historical opt-in then you should not email them asking for a new opt-in.
If you take this approach and they do not opt in or do not reply then you should not email them anymore.
You could consider splitting your contacts into two groups:
- Engaged: If you have been emailing an individual about your activities for some time and you have good evidence that they engage with these emails then you could reasonably argue that you have good reason to carry on without asking for a new positive opt-in. What might this engagement look like?
  - If you use an email service like MailChimp you may be able to get open rate stats – if someone is opening most of your emails then they are probably happy to keep getting them.
  - Regular correspondence with someone following marketing emails.
  - Regular attendance at events.
- Not engaged: If you have been emailing them but don’t have evidence of engagement, then you should probably contact them and ask for the positive opt-in. If they don’t provide it you can’t email them anymore.
Opt-outs: whenever you use data provided there must be a clear and simple way for people to opt out of future communication.