GDPR: what it means for you, your data and your emails

Confused about what the new data and privacy rules will mean for you? Guy Beresiner explains all you need to know about GDPR.

New privacy law: what has changed?

In short, the General Data Protection Regulation (GDPR) is a much-needed overhaul that replaces the Data Protection Act and will give you far greater control over how organisations can collect, store and use your personal data.

How does this affect you?

For companies, it’s hugely significant as many have to face the stark fact that their existing processes are unlawful, unless they adapt them to meet some very stringent rules.

It’s an indication of how needed this regulation that every major organisation has faced considerable challenges to change how they have been processing personal data.

And to ensure they do not shirk their obligations to do so, the GDPR has lifted the cap on the fines for its breach, to an eye-watering €20 million or 4% of global turnover, whichever is higher.

Why is GDPR needed?

A huge proportion of life is now lived online. 

Data protection laws were composed when life was still being lived the old-fashioned way, with the internet providing little further purpose beyond search and email.

Back then, it was accepted that information recorded about people’s browsing behaviour was anonymous and so outside the scope of conventional privacy regulation.

But as we spent more time on internet platforms and portals, companies’ developed the ability to connect denser and denser data about us, always under the defence of its inherent anonymity.

Eventually, some became capable of profiling audiences so intimately that they may as well have been given the keys to our homes!

The failure of existing privacy laws to recognise online data as personal information has allowed some organisations to enjoy unfettered access and control of personal data and flout any concern for people’s fundamental right to privacy in the pursuit of the rich revenue streams from selling their insight into people’s lives.

So the GDPR, which stems from the European Convention of Human Rights, was devised to redress the imbalance and return the rights of privacy to the people.

What does this mean for your data?

Momentously for any digital business, the GDPR defines data collected online, even if it does not contain any directly identifiable information about a person such as an email address, as personal.

And as such, it is prescriptive about the rights people have to know about and control how it’s collected and processed.

This means data such as cookies are no longer accepted as anonymous must be respected as personal, and organisations that collect and process it are obliged to honour a range of powerful rights that have been conferred on people.

How will it work in practice?

The foundation to all these rights is that an organisation must justify a lawful basis before they collect and process any personal data.

Sometimes this is obvious; for example, a retailer will need an address if it’s to send a product that’s been ordered.

The privacy policies we’re all being newly told all about will contain refreshed information about deeper obligations companies now have surrounding how personal information is stored, for how long, and people’s rights in areas such as to know what’s held about them, its accuracy, to stop it being processed, and to have it erased.

However, where the collection and use of personal data is not so obvious, companies must ask for permission to use it first.

And this is what troubles all those digital companies that were profiting off selling personal information.

For example, by allowing advertising against it, without needing to care about whether you wanted to allow that or not. 

Well, now they do. 

When does a company need to ask permission?

The GDPR is very strict indeed about how companies must ask for consent to use personal data.

For consent to be lawful, the user must be clearly informed about the specific purposes for which their personal data will be collected and processed, and so freely give their unambiguous consent.

There is a high burden of duty on companies to get this exactly right. 

To be clearly and specifically informed, consumers must be told at the point at which the data is collected (it's no good just pointing them to a privacy policy) and, in plain and clear language, exactly why the company wants to collect their personal data and what for.

So, for example, companies can't ask you to provide your details to enter a competition to win a prize, and then use those details to send you promotional offers, without having asked for permission first.

Your details were provided for a prize, and that’s all they may be used for (to let you know if you’ve won).

Whether you’ve won or not, those details can’t be used or stored any further after their purpose is done.

So if there are several purposes then each one has to be as clearly explained, and consent derived separately.

Your details used to enter a competition is one purpose, and then used to send marketing content is another.

The purposes cannot be conditional on each other – in this example, it is not allowed to refuse you entry into a competition you let your data be used to send you other content.

If a company needs/wants to send your data on to be processed then you must be told to whom.

And it it’s another company that will make decisions around how to use it, then you must give consent to that each named company to have it first.

Then, the user must have properly free choice about whether to provide consent.

This means incentives for giving it are not allowed, and neither can people’s access to unrelated services be compromised or refused if they don’t provide personal information.

For example, it is no longer lawful for a store to require you to provide your email address as a condition for accessing their free WiFi. 

End of confusing opt ins

Finally, consent must be unambiguous.

No little tricks such as pre-ticked “I agree” boxes, or declaring that closing windows comprises consent, and so on.

It must be an affirmative action by the consumer that can be recorded and cannot be doubted.

The law has made it very, very expensive for companies to risk ignoring, and means your online life should be a little more safe and secure.

What is loveMONEY doing about GDPR?

Now that we’ve covered what’s changing, we wanted to be clear about what we have done about the new rules.

As you may know, we are part of love Inc. which also includes loveFOOD.com, lovePROPERTY.com and loveEXPLORING.com.

Any personal data that is held for any of these sites is centralised in a single Love Inc. database.

The only piece of personal data we retain is your email address, which we need to send out your newsletter subscriptions.

Each time we send a newsletter to a registered recipient technically counts as a data process.

This is the only time we ever process customer data.

However, there is additional data that allows us to track delivery and engagement information about readers.

This includes:

• Whether or not an email was successfully delivered to a specific address;
• Whether the recipient opened the email;
• Whether the recipient clicked on the email.

How to manage your data with loveMONEY

We only send newsletters to people who actively opt in/request to receive them from us.

We do not “pre-check” any opt-in boxes, at any stage.

If you are unhappy with the emails you are receiving from us, these can be easily changed in your email preferences.

We also include a link in every email that we send out that takes you directly to your subscription management page.

No other personal data is retained.

The same is true for users who have simply signed up for any of the love Inc. email newsletters or those who have fully signed up and selected a username in order to leave comments or post within the ‘Q&A’ sections.

Fully registered users are also able to log-in and update settings.

What about companies we work with?

Love Inc. works with third-party advertising partners and allows third party cookie access.

We do not pass information to third parties but they are enabled to use their own cookie data to present users with targeted offers, promotions and messages.

For full transparency, here are all the third parties we currently work with or are in the process of doing so: Doubleclick Ad Exchange, Rubicon Project, Google, Pulsepoint (ContextWeb), Conversant Media (Valueclick), Media.net, Applaud Media, Teads, inSkin, DistrictM and Outbrain.