GDPR: you are allowed to maintain a blacklist, suppression list or stoplist. You are also allowed to freak out and panic.

In May the EU General Data Protection Regulation (GDPR) comes into force (and no, brexit won’t get us out of it – still no benefit to brexit. Sorry.)

In my view this is shaping up be a complicated piece of law for small businesses to follow, both intellectually and technically.

Worryingly, I’ve not heard much from Open Source software projects (Mautic, Prestashop etc) on staying legal.

Most of the information from even quite specialist marketing blogs is confusing and generic.

This is all against the backdrop of potentially huge fines for businesses, even small ones like mine.

So I’m going to keep publishing any information that I find really useful!

Deleting data

One thing that immediately leapt out at me is that, under GDPR, people can ask that ALL their data be deleted from your systems.

If your business has email marketing software, especially if this is separate to your webshop/blog/crm, you are probably relying on a blacklist/suppression list to make sure that when someone unsubscribes they are not accidently re-subscribed again (by re-synchronising your databases, for example).

Nearly all email marketing platforms will consult this Blacklist either before adding new subscribers through csv import or before sending emails: if the email address is already on the Blacklist no messages will be sent to them. If someone on the Blacklist voluntarily goes through an opt in process again, they will be removed from the Blacklist.

You can still keep data for suppression purposes

It took me way longer than it should have to find this out, but apparently we are ok to keep using this system.

A clarification was issued on this point:

ICO Direct Marketing Guidance
Version: 2.2 19th May 2016
“Organisations should maintain a ‘suppression list’ of people who have opted out or otherwise told that
organisation directly that they do not want to receive marketing. Note that individuals may ask an organisation to remove or delete their details from a database or marketing list.
However, in most cases organisations should instead follow the marketing industry practice of suppressing their
details. Rather than deleting an individual’s details entirely, suppression involves retaining just enough information to
ensure that their preferences are respected in the future” (Para 190-192).

Thanks to the fundraising regulator for the info.

A note about perverts, stalkers and HMRC

I still have a lot of questions about the security side of this part of the new law.

People are able to ask to see what information you hold on them, and also request it be deleted. I’m concerned that this will lead to small businesses inadvertently revealing private information about their customers to… well… stalkers and sex offenders …. etc.

It’s unclear to me what safeguards are suggested if someone requests to see information about “themselves”: certainly you should not just email everything to someone who asks, even if they email from the correct email address (emails can be hacked or spoofed). Revealing even innocuous information like an IP address may allow someone to find a person’s physical address.

Webshops usually hold quite a lot of private information, several phone numbers, more than one address….

Another example is that while your customer has a right for their data to be deleted, some data is legally required to be kept for HMRC, to provide proof of sales and to meet anti-moneylaundering laws etc.

It is also not clear to me if evidence of paper or digital accounting information needs to be provided on demand, if digitally stored invoices are covered by the new laws on data breaches and cyber security… If they are then small businesses storing invoices for accounting purposes on services like Dropbox, maybe at considerable risk.

My point is that GDPR isn’t just going to be about email Marketing, there’s a lot to think about and small businesses are probably going to need rigorous processes in place to make sure that their customers are provided with what they are legally entitled to, but that this doesn’t also result in breaking other laws by mistake.

2 thoughts on “GDPR: you are allowed to maintain a blacklist, suppression list or stoplist. You are also allowed to freak out and panic.

  1. Thanks, really helpful to know about suppression lists. Re keeping records for HMRC purposes is correct so long as you only store for as long as needed (min of 6 years). Consent is only one of the legitimate reasons to store data, contractual purposes is another.

    1. Hi, thanks for the feedback! Yes, I concour about hmrc records, we are about to start deleting the records from our first year.

      With our webshop however, it’s not possible to delete customer data without deleting their order info (for tracking growth of sales) so I am not sure what we can do about that atm.

      It’s certainly interesting to see all the methods companies are using to attempt compliance, I think we will see a lot of change to come still. Do you agree?

Leave a Reply

Your email address will not be published. Required fields are marked *