skip to main content

Jim Byrne Accessible Website Design Glasgow for The Third Sector, Voluntary, Charities and Not for Profits

Accessible design for the Third Sector
Creating inclusive websites since 1996
Jim Byrne Web Designer

Do you need to do delete your mailing list? GDPR in six bullet points.

It is clear form the conversations I am having with my own network (mostly within the voluntary sector) that the GDPR is causing a lot of the stress. Each individual I talk to seems to have a slightly different idea of what the requirements are and what they have to do to meet them. 

With that in mind, here is my particular interpretation. I am not a lawyer and I’m not putting myself forward as the GDPR expert, however, I think a short summary of the main points is required – so I am trying to do that in this article. 

The good thing is that if I’m getting it wrong it gives an opportunity for the real experts to put me right – hopefully as a comment that others can then read. So here is my interpretation of GDPR in six bullet points. 

1. You can only data for the purposes agreed to

The GDPR legislation requires that consent must be specific. This means you can’t add people to your general mailing list if they signed up for something else; i.e. if they signed up to get a free download or to register for a webinar your can’t start sending them your newsletter. 

‘Consent’ is the key word here. If you can’t demonstrate that consent was given you must you must stop emailing them (from May 25, 2018). You must also keep a trail showing how they joined and how consent was given.

If you cannot prove ‘consent was given’ not only must you stop emailing them you must remove them from your mailing lists. Consent must have been actively given, i.e. they clicked a checkbox or choose something from a pulldown list or clicked a link during a double opt-in process. You are not allowed to have pre-clicked checkboxes saying that they are agreeing to be on your mailing list.

1.1 If the people on your mailing list gave consent in the past do you need to seek it again?

You do, only if the consent provided was not in accordance with the GDPR guidelines and if the reason for having the data falls within the GDPR consent requirements. 

So if you already had your privacy policy in place; you already made it clear how to opt-out; you only used their data for the reasons you told them in the first place and you have evidence of when they registered – you don’t need to ask again. 

For example, if you used a double opt-in when to as part of your newsletter registration process; their active consent was given. If you don’t do anything other than send you newsletter to them; if you are using  mailing list service that takes a record of when each individual arrived on the list; and you added your contact details, a link to privacy policy and an ‘opt-out’ link – then that seems to me to be compliant with GDPR. 

In such an instance, on my analysis – you do not need to seek consent once again. However, I am happy from GDPR experts who can tell me that I am wrong – so please get in touch to confirm or deny my interpretation. 

2. You must explain how data will be used

You are not allowed to collect data without explaining how you are going to use it. Clearly this is related to point 1; i.e.  if they register for your newsletter you tell them you will be sending them your newsletter; if they register for your webinar you deliver your webinar. 

Unless you have specifically said you are collecting their data to share it to a third party or to market specific services or products – that is not something you can do. Each of these activities requires separate active consent.

In relation registration forms this means you provide a summary on the form itself and a link to your privacy policy where these are explained at more length. 

3. You can only collect the data you need

You are only allowed to collect the minimum amount of data for your purpose.  If your purpose does not require a physical address you can’t collect that data; if your purpose does not require an individuals age you can’t collect their age.

4. You can’t keep data indefinitely

You should not keep data about people forever if here is no reason to keep it. If you have no reason to keep data you must delete it. 

5. You must protect the data you collect

You have to take reasonable steps to protect the data you collect. This means that when you are collecting or storing information on your website you should provide a secure connection and data should be stored behind a secure wall (e.g. password collected).

6. You must clearly set out your privacy policy and make it available to those signing up for your lists.

You should have a page on your website specifically for your privacy policy and add a link to it from all web pages, all opt-in pages and registration pages etc..

Your privacy policy should Include in the following:

  • Your contact information.
  • Details fo the information you collect and why you collect it.
  • What you intend to do with the data including who else will access it.
  • Their rights under the GDPR.

I am not a lawyer or a legal expert on the GDPR; so please do not take the information provided above as the gospel truth.  However, I recognise that this is a topic causing a lot of stress for the people in organisations I work with – so I have attempted to summarise and clarify my understanding in the clearest way I can. Hopefully I have got it correct and that there are people who will find this summary useful. 

Contact me if you have any corrections about what I have written above and I will update this page. 

Jim Byrne

Digital Access consultant 

Tags:

Other posts in this category

Give me a phone if you would like me to test the accessibility of your website:

I provided feedback on the WCAG 2 (as representative of Guild of Accessible Website Designers) have two decades of experience and worked with hundreds of organisations.

07810 098 119