
GDPR Compliance - Opt-in or Opt-out

  • yellow hen, 30-04-2018 8:53am

    Looking for some advice here. I help run a small voluntary organisation which has a substantial mailing list. We planned on sending out an 'opt-out' email but I notice most circulars that I have received lately have leaned towards an opt-in approach. I can't find a definitive answer as to which is required. Does anyone know?
    thanks.


Comments

  • MOH

    I'd go with opt-in.
    GDPR wrote:
    “Consent should be given by a clear affirmative act… such as
    by a written statement, including by electronic means, or an
    oral statement. This could include ticking a box when visiting
    an internet website, choosing technical settings for information
    society services or another statement or conduct which clearly
    indicates in this context the data subject’s acceptance of the
    proposed processing of his or her personal data. Silence, preticked
    boxes or inactivity should not therefore constitute
    consent.”
    The UK Information Commissioner's Office considers that (page 23):
    "The key point is that all consent must be opt-in consent – there is no such
    thing as ‘opt-out consent’. Failure to opt out is not consent. You may not
    rely on silence, inactivity, default settings, pre-ticked boxes or your
    general terms and conditions, or seek to take advantage of inertia,
    inattention or default bias in any other way."


  • listermint

    Without being funny, what does the UK office have to do with GDPR? They are Brexiting. Any advice should be taken from EU sources solely.


  • jacksn

    listermint wrote: »
    Without being funny, what does the UK office have to do with GDPR? They are Brexiting. Any advice should be taken from EU sources solely.

    Actually you will find that the UK ICO are the most active and informative English speaking resource you will find.

    GDPR applies to the UK the same way it applies to Ireland and the EU. Brexit means nothing.


  • Tabnabs (Moderator)

    The UK still have to comply with GDPR as they are still a member of the EU. What they choose to do subsequent to the (expected?) final Brexit date is up to them, so that advice is solid. I know of a number of companies using the UK guidelines as they are more clearly written and a better template than the Irish effort.


  • listermint

    I am sure they do, but as stated I would be taking my information from an EU source or Irish source. Not the UK; they have an active government policy around personal data that conflicts with the EU's direction.

    Why you would rely on it in this current moment of flux is beyond me.


  • Bob24

    Tabnabs wrote: »
    The UK still have to comply with GDPR as they are still a member of the EU. What they choose to do subsequent to the (expected?) final Brexit date is up to them, so that advice is solid. I know of a number of companies using the UK guidelines as they are more clearly written and a better template than the Irish effort.

    It’s even more than that. Even if the UK leaves the EU and decides not to apply GDPR to its citizens, all its companies will still need to be fully GDPR compliant as long as they store data related to EU citizens. Given the UK’s economic ties to other European countries, the UK will have many more companies than Ireland requiring advice on GDPR.


  • jacksn

    listermint wrote: »
    I am sure they do, but as stated I would be taking my information from an EU source or Irish source. Not the UK; they have an active government policy around personal data that conflicts with the EU's direction.

    Why you would rely on it in this current moment of flux is beyond me.

    GDPR is absorbed into UK law on the 25th May. They would have to repeal any GDPR legislation post-brexit which they are not going to do.

    The UK are the most pro-active English speaking country, i.e. better than us with GDPR awareness, and they have a vast array of online resources for GDPR.

    Germany are also very pro-active but all their resources will be in German.


  • listermint

    jacksn wrote: »
    GDPR is absorbed into UK law on the 25th May. They would have to repeal any GDPR legislation post-brexit which they are not going to do.

    The UK are the most pro-active English speaking country, i.e. better than us with GDPR awareness, and they have a vast array of online resources for GDPR.

    Germany are also very pro-active but all their resources will be in German.

    That is abundantly hilarious. If you follow anything Brexit related you would see the running theme of taking back control.

    I'm glad you have an insight into the future intentions of the British Government.


  • yellow hen

    Umm so no real consensus here?


  • jacksn

    listermint wrote: »
    I'm glad you have an insight into the future intentions of the British Government.

    No, I don't, but I have been following the UK implementation of GDPR, which is what this topic is related to.

    If the UK were to repeal GDPR as an act of defiance against the EU post-Brexit, it would mean their business industry would have considerable difficulties carrying out business with their closest neighbours and trading partners.


  • listermint

    I'd go with opt-in because it's the most logical approach for compliance. Not using the UK as a guideline.


  • Bob24

    yellow hen wrote: »
    Umm so no real consensus here?

    Seems like the thread is sidetracking to what the best source of information is and this is where the lack of consensus is.

    As per your question, GDPR is clear in that consent cannot be assumed and has to be clearly expressed. So in situations where you need consent (which isn’t all situations), you need people to opt-in to be compliant. Opt-out won’t work.


  • listermint

    jacksn wrote: »
    No, I don't, but I have been following the UK implementation of GDPR, which is what this topic is related to.

    If the UK were to repeal GDPR as an act of defiance against the EU post-Brexit, it would mean their business industry would have considerable difficulties carrying out business with their closest neighbours and trading partners.

    Evidently you have not been following the negotiations then (at all)


    But that's for the other thread, Brexit related. I have replied to the OP.

    I suggest you polish up on Brexit related activities if you are dealing with the UK in terms of trade.


  • jacksn

    listermint wrote: »
    Evidently you have not been following the negotiations then (at all)


    But that's for the other thread, Brexit related. I have replied to the OP.

    I suggest you polish up on Brexit related activities if you are dealing with the UK in terms of trade.

    Thanks for the tip. Might I suggest that you also consider researching GDPR and the UK and the EU, which is the actual law at this moment in time come 25th May, instead of theories that might not (and won't) happen.


  • listermint

    jacksn wrote: »
    Thanks for the tip. Might I suggest that you also consider researching GDPR and the UK and the EU, which is the actual law at this moment in time come 25th May, instead of theories that might not (and won't) happen.

    Fully versed in GDPR compliance. Never said the UK don't have to comply. I have said and continue to say do not rely on the UK for information as they are in flux and anything can happen.

    I see you don't have a clue about negotiations. It's frightfully common in Irish business. Zero contingency. Those that are planning will come out ahead, rather than those that seem to think it's business as usual and will continue that way.....


  • jacksn

    OP is asking a question about GDPR.

    Ireland and UK are 2 English speaking countries in EU, both are enacting GDPR into their laws. I'm sure OP would rather resources in English than German.

    OP was suggested an ICO resource, I seconded that the UK ICO is miles ahead of the Irish DPO in terms of resources for GDPR. At this moment in time and up to 25th May, the ICO is the best resource for GDPR, which is an opinion.

    You continue to post about Brexit negotiations.


  • Balmed Out

    Definitely opt-in, you need explicit consent - if someone disregards an email you can't presume them to be opting in.

    Does anyone know what the situation is with a sign-in sheet? For example a guest arriving at a business or signing the kids in at a crèche, signing an attendance sheet at a class or a condolence book at a funeral? Is it a GDPR breach by being able to see who has previously signed it?


  • Bob24

    Balmed Out wrote: »
    Does anyone know what the situation is with a sign-in sheet? For example a guest arriving at a business or signing the kids in at a crèche, signing an attendance sheet at a class or a condolence book at a funeral? Is it a GDPR breach by being able to see who has previously signed it?

    I’d say crèche and class attendance sheet don’t require consent. Condolences book is probably different.

    A key thing to remember is that, while consent when required needs to be clearly expressed (opt-in) and can’t be assumed (opt-out), it is not always required to process personal data. There are many legitimate grounds to process data without consent under GDPR (I won’t go into details and grey areas here, but a clear and obvious example would be that if you close an account with a bank they don’t need your consent to retain your identification details and transaction history for many years, as it is a legal requirement as part of the service you contracted with them to retain that information).


  • Balmed Out

    Bob24 wrote: »
    I’d say crèche and class attendance sheet don’t require consent. Condolences book is probably different.

    A key thing to remember is that, while consent when required needs to be clearly expressed (opt-in) and can’t be assumed (opt-out), it is not always required to process personal data. There are many legitimate grounds to process data without consent under GDPR (I won’t go into details and grey areas here, but a clear and obvious example would be that if you close an account with a bank they don’t need your consent to retain your identification details and transaction history for many years, as it is a legal requirement as part of the service you contracted with them to retain that information).

    Does the data need to be protected regardless of whether it's going to be processed in any way? For example I sign in when I go to a local play area with my kids. There is an annual fee and I think the sign-in is just to dissuade people who aren't joined, and I presume these sign-in sheets are kept for a while and discarded without anything being processed. I can however see on the sheet all others who have signed in over the last few days. Would this now be considered a data protection breach?


  • MOH

    listermint wrote: »
    I am sure they do, but as stated I would be taking my information from an EU source or Irish source. Not the UK; they have an active government policy around personal data that conflicts with the EU's direction.

    Why you would rely on it in this current moment of flux is beyond me.

    I used that because I was in a hurry and it was the first authoritative link I came across explaining why opt-in should be used. If you'd care to go off and find a more "appropriate" link work away


  • Bob24

    Balmed Out wrote: »
    Does the data need to be protected regardless of whether it's going to be processed in any way? For example I sign in when I go to a local play area with my kids. There is an annual fee and I think the sign-in is just to dissuade people who aren't joined, and I presume these sign-in sheets are kept for a while and discarded without anything being processed. I can however see on the sheet all others who have signed in over the last few days. Would this now be considered a data protection breach?

    Yes, protecting the data (“privacy by design”) and also informing people on whom you hold data in case of a breach are required under all circumstances.

    So my understanding is that while the play area probably has the right to collect attendance data without consent as long as you are bringing your kid there and using their services, in theory they should never make that list visible to anyone who doesn’t need to see it, have measures in place to make sure it never happens, and inform all parents in case those measures fail and someone who is unauthorised is able to see the list.

    A practical example, if my understanding is correct: they should never let you see the full list of names for children who are attending (unless you volunteer with them as a supervisor and need the list as part of the tasks you need to carry out), and if that happens they should notify all other parents that their child’s name was exposed to an unauthorised party.

    Now it will be fairly hard to implement properly for small entities and I don’t know how it will be enforced in practice.


  • Fighting Tao

    Opt-in makes the most sense for an organisation. Do you really want to annoy people by having an opt-out and them not having replied? Annoying people can result in less good faith and loss of clients.


  • bungaro79

    Hi all,
    Kind of related, but myself and another guy are collecting money from people affected by the tracker scandal to get legal counsel. We are in contact by email and will be collecting money (through bank transfer) soon. As we're not a business, will the GDPR affect this?


  • Buttercake

    Question (not asking for legal guidance): if that list was visible and someone took a photo with their phone and were to give the names to another crèche - is that a data breach or data theft? Is the crèche liable?


  • Glass fused light

    yellow hen wrote: »
    Looking for some advice here. I help run a small voluntary organisation which has a substantial mailing list. We planned on sending out an 'opt-out' email but I notice most circulars that I have received lately have leaned towards an opt-in approach. I can't find a definitive answer as to which is required. Does anyone know?
    thanks.
    Your organisation needs to contact everyone that you hold personal data on. This will include those on the mailing list,
    plus anyone who works for you (paid / unpaid),
    plus those who participate in any activity.
    Plus, if you have suppliers which are not companies, they come under this too.


    The mailing list
    Your email header should make it clear that their data will be deleted if they do not opt in. Make it clear what types of information the organisation will hold, and how their information will be held and used.
    If the mailing list has economic value, look at getting a pre-addressed Freepost envelope sent out in the post or a print and post licence; I would suggest sending out a blank form which will enable the data subject to update their information.
    You could agree internally that after 2 reminders, if you don't get consent for the mailing list, you delete the data, but it would be best to start with a new blank file and build from the returned opt-ins.

    Non-company supplier
    Individuals who are suppliers are covered too, so their email should explain how they will be removed from the supplier list. You don't have to delete historical data, invoices etc., as these are mostly covered as business records (Revenue and charity guidelines apply), but you should delete data you don't need, e.g. bank details etc., once they are no longer suppliers.

    Workers/participants
    This needs to be issued in new terms of the workers'/service agreement with special care to explain sensitive data handling. If they don't sign they can't be associated with your organisation, and you should seek legal advice as to what you should keep and for how long.


  • Glass fused light

    Bob24 wrote: »
    Yes, protecting the data (“privacy by design”) and also informing people on whom you hold data in case of a breach are required under all circumstances.

    So my understanding is that while the play area probably has the right to collect attendance data without consent as long as you are bringing your kid there and using their services, in theory they should never make that list visible to anyone who doesn’t need to see it, have measures in place to make sure it never happens, and inform all parents in case those measures fail and someone who is unauthorised is able to see the list.

    A practical example, if my understanding is correct: they should never let you see the full list of names for children who are attending (unless you volunteer with them as a supervisor and need the list as part of the tasks you need to carry out), and if that happens they should notify all other parents that their child’s name was exposed to an unauthorised party.

    Now it will be fairly hard to implement properly for small entities and I don’t know how it will be enforced in practice.

    The member consents on sign-up by signing in.
    An easy way for a small organisation is to inform the members that their data on sign-in sheets will be available to the other participants for the duration of the sign-up, as most will know each other by sight, and it's part of the social element for the club.
    The best way to design in the privacy is to give everyone (adult and child) a numbered membership card and the number is used for sign-in, with the name and number being linked by the authorised parties only.


  • Glass fused light

    Buttercake wrote: »
    Question (not asking for legal guidance): if that list was visible and someone took a photo with their phone and were to give the names to another crèche - is that a data breach or data theft? Is the crèche liable?
    IMO
    Crèche 1 yes to the breach as it's a list of personal data, and by right the crèche employee should be checking the children in off a list they hold and turn face down or cover if on a table.
    For the photo taker yes to the breach, and theft as it's a list of personal data that they have no right to hold.
    Crèche 2 yes to the breach as it's a list of personal data that they have no right to hold


  • Bob24

    Buttercake wrote: »
    Question (not asking for legal guidance): if that list was visible and someone took a photo with their phone and were to give the names to another crèche - is that a data breach or data theft? Is the crèche liable?

    If there is an intent to “steal” clients from the crèche and the person who takes the picture is not authorised, it’s both a data breach and data theft.

    Under GDPR the crèche will be liable for the data breach as they have a duty to protect private data of their clients.


  • Rulmeq

    The following from the EU website would strongly suggest that explicit acceptance should be obtained, rather than depending on implicit acceptance (my 2 cents are that I would not be happy if I was on your list and you sent me something where I had to work to have my details removed).

    https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/dealing-citizens/are-there-restrictions-use-automated-decision-making_en


  • Bob24

    yellow hen wrote: »
    Looking for some advice here. I help run a small voluntary organisation which has a substantial mailing list. We planned on sending out an 'opt-out' email but I notice most circulars that I have received lately have leaned towards an opt-in approach. I can't find a definitive answer as to which is required. Does anyone know?
    thanks.

    Btw, maybe a stupid question, but didn’t you gather consent from the people on your mailing list in the past for the purpose of sending them these emails? If you had them provide explicit consent in the past you don’t need to do it again just because GDPR is coming into enforcement. GDPR doesn’t void previous consent as long as it was given explicitly, and it’s only if you didn’t ask for explicit consent before that you need to do it now.


  • yellow hen

    Bob24 wrote: »
    Btw, maybe a stupid question, but didn’t you gather consent from the people on your mailing list in the past for the purpose of sending them these emails? If you had them provide explicit consent in the past you don’t need to do it again just because GDPR is coming into enforcement. GDPR doesn’t void previous consent as long as it was given explicitly, and it’s only if you didn’t ask for explicit consent before that you need to do it now.

    Not a stupid question at all. Anyone who ever attended an event with us would de facto be added to the mailing list. Not explicit consent therefore.

    I appreciate the advice and we're going to pursue an opt-in approach even though it is likely to hugely affect our reach across the country.


  • Bob24

    yellow hen wrote: »
    Not a stupid question at all. Anyone who ever attended an event with us would de facto be added to the mailing list. Not explicit consent therefore.

    I appreciate the advice and we're going to pursue an opt-in approach even though it is likely to hugely affect our reach across the country.

    My advice would be to word it as a yes/no question like “Would you like to keep receiving our email updates?” with a yes button and a no button.

    In practice regardless of people ignoring your email or clicking on the no button the outcome is the same and you have to remove them from your list, but psychologically having one button for each choice might get people to feel they have to act on the email and click on one of those buttons.

    (If you ask them “Please let us know if you would like to keep receiving our updates” and only have one button for them to resubscribe, you might get less replies as people might be more inclined to feel they can leave it for later and worst case the default choice will apply)

    Just my two cents, although I am an IT person and not a psychologist!


  • Glass fused light

    Bob24 wrote: »
    My advice would be to word it as a yes/no question like “Would you like to keep receiving our email updates?” with a yes button and a no button.

    In practice regardless of people ignoring your email or clicking on the no button the outcome is the same and you have to remove them from your list, but psychologically having one button for each choice might get people to feel they have to act on the email and click on one of those buttons.

    (If you ask them “Please let us know if you would like to keep receiving our updates” and only have one button for them to resubscribe, you might get less replies as people might be more inclined to feel they can leave it for later and worst case the default choice will apply)

    Just my two cents, although I am an IT person and not a psychologist!
    Good ideas on the buttons, but can I be very pedantic and recommend the use of the term database and remove the word email, otherwise you may end up with excess data or using it without full consent.

    “Would you like to remain in our database and keep receiving our email updates?”


  • ED E

    Emails coming in like the below suggest opt in is the way to go:
    Let us know if you ever want to hear from us again


  • ablelocks

    Glass fused light wrote: »
    Good ideas on the buttons, but can I be very pedantic and recommend the use of the term database and remove the word email, otherwise you may end up with excess data or using it without full consent.

    “Would you like to remain in our database and keep receiving our email updates?”

    But you also have to explicitly state what you are going to use the data for - so if it's for email contact you have to state that. Or text or social media etc etc etc.

    getting existing customers explicit opt-in is going to be difficult. I've probably responded to about 1 in 5 of the emails I'm getting.


  • Glass fused light

    ablelocks wrote: »
    But you also have to explicitly state what you are going to use the data for - so if it's for email contact you have to state that. Or text or social media etc etc etc.

    getting existing customers explicit opt-in is going to be difficult. I've probably responded to about 1 in 5 of the emails I'm getting.

    Yes, read my post (#26) on what I suggested the email should contain re collection and use/processing. The danger is if you have data, e.g. donation record, a phone number, physical address, contact records from prior events etc., you're not getting explicit consent to hold this, only their email address.

    It's hard to get customers to act (my bank wrote to me maybe 4 times threatening to impound my money unless I supplied AML and could still be writing to me except that I was asked in person at the counter). That's why I suggested the physical mail shot if it's economically viable.


    I think the biggest problem any small organisation will have at this stage is the tight turnaround time needed to comply. Most organisations which have been proactive in the data protection space would have adopted an opt-in under the current regime


  • boege

    Data protection has been around for a while now. GDPR is essentially increasing the rights afforded to the public on controlling how organisations can legally manage any of their personal information.

    The 'right to opt-out' was a feature of previous data protection legislation. Often seen as an 'unsubscribe' link at the bottom of a lot of marketing emails.

    'Opt-in' or 'explicit consent' is one of the big changes being introduced under GDPR. My understanding is that Opt-out will remain as a 'right to withdraw consent'.

    Opt-in by way of email consent also needs to be separate. Never bundle consent with your terms and conditions, privacy notices, or any of your services, unless email consent is necessary to complete that service.

    If you are in the email marketing business you really need to be on top of GDPR as it has direct impact on marketing practices.
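    Added example (not code from this thread or from any poster): a small consent ledger that applies the points made above in working code. It records only affirmative acts, so an address with nothing on record has no consent (silence is never opt-in); it keeps consent per purpose, so an email opt-in says nothing about text or social media, as ablelocks notes; it keeps a withdrawal as a record rather than erasing history, matching boege's point that opt-out survives as the right to withdraw; and its re-permission campaign follows Bob24's yes/no mail and Glass fused light's rule that after two reminders anyone who has not opted in is deleted. Someone who clicks NO is not reminded again. The addresses, dates, purposes and the two-reminder cap are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Purpose(str, Enum):
    """Each use is its own purpose: email consent never covers SMS or anything else."""
    EMAIL_UPDATES = "email_updates"
    SMS_ALERTS = "sms_alerts"


@dataclass(frozen=True)
class ConsentEvent:
    contact: str
    purpose: Purpose
    granted: bool   # True = affirmative opt-in, False = decline or later withdrawal
    evidence: str   # what the person actually did, e.g. "clicked YES in re-consent mail"
    at: datetime


@dataclass
class ConsentLedger:
    """Append-only log of consent events; the latest event per (contact, purpose) wins."""
    events: list[ConsentEvent] = field(default_factory=list)

    def grant(self, contact: str, purpose: Purpose, evidence: str, at: datetime) -> None:
        # An opt-in must cite a clear affirmative act; it is never inferred.
        if not evidence.strip():
            raise ValueError("opt-in requires evidence of a clear affirmative act")
        self.events.append(ConsentEvent(contact, purpose, True, evidence, at))

    def withdraw(self, contact: str, purpose: Purpose, evidence: str, at: datetime) -> None:
        # A decline or withdrawal is appended, not erased: the history stays auditable.
        self.events.append(ConsentEvent(contact, purpose, False, evidence, at))

    def has_answered(self, contact: str, purpose: Purpose) -> bool:
        return any(e.contact == contact and e.purpose == purpose for e in self.events)

    def has_consent(self, contact: str, purpose: Purpose) -> bool:
        latest = None
        for e in self.events:
            if e.contact == contact and e.purpose == purpose and (latest is None or e.at >= latest.at):
                latest = e
        # No event at all is "no": silence, inactivity and old defaults do not count.
        return latest is not None and latest.granted

    def recipients(self, purpose: Purpose) -> list[str]:
        known = sorted({e.contact for e in self.events if e.purpose == purpose})
        return [c for c in known if self.has_consent(c, purpose)]


@dataclass
class ReconsentCampaign:
    """Yes/no re-permission run over a legacy list that was built without explicit consent."""
    ledger: ConsentLedger
    purpose: Purpose
    legacy_contacts: list[str]
    max_reminders: int = 2          # constructed cap, after which non-responders are deleted
    reminders_sent: dict[str, int] = field(default_factory=dict)

    def send_round(self) -> list[str]:
        """Contacts to mail this round: no answer on record yet and still under the reminder cap."""
        batch = [c for c in self.legacy_contacts
                 if not self.ledger.has_answered(c, self.purpose)
                 and self.reminders_sent.get(c, 0) < self.max_reminders]
        for c in batch:
            self.reminders_sent[c] = self.reminders_sent.get(c, 0) + 1
        return batch

    def response(self, contact: str, clicked_yes: bool, at: datetime) -> None:
        n = self.reminders_sent.get(contact, 0)
        if clicked_yes:
            self.ledger.grant(contact, self.purpose, f"clicked YES in re-consent mail #{n}", at)
        else:
            self.ledger.withdraw(contact, self.purpose, f"clicked NO in re-consent mail #{n}", at)

    def finalise(self) -> tuple[list[str], list[str]]:
        """(keep, delete): ignoring every mail and clicking NO end the same way, in deletion."""
        keep = [c for c in self.legacy_contacts if self.ledger.has_consent(c, self.purpose)]
        return keep, [c for c in self.legacy_contacts if c not in keep]


def demo() -> dict:
    """Constructed sample: four addresses added to a list only because they once attended an event."""
    t = datetime(2018, 5, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    legacy = ["ann@example.org", "ben@example.org", "cal@example.org", "dee@example.org"]
    camp = ReconsentCampaign(ledger, Purpose.EMAIL_UPDATES, legacy)

    round1 = camp.send_round()                          # all four are mailed
    camp.response("ann@example.org", True, t)           # Ann clicks YES
    camp.response("ben@example.org", False, t)          # Ben clicks NO: no more reminders for him
    round2 = camp.send_round()                          # reminder to Cal and Dee only
    camp.response("cal@example.org", True, t + timedelta(days=3))
    round3 = camp.send_round()                          # Dee has hit the cap: nobody left to mail
    keep, delete = camp.finalise()

    ann_sms = ledger.has_consent("ann@example.org", Purpose.SMS_ALERTS)   # email consent is not SMS consent
    ledger.withdraw("ann@example.org", Purpose.EMAIL_UPDATES, "unsubscribe link", t + timedelta(days=30))
    return {"round1": round1, "round2": round2, "round3": round3, "keep": keep, "delete": delete,
            "ann_sms": ann_sms, "after_withdrawal": ledger.recipients(Purpose.EMAIL_UPDATES),
            "events": len(ledger.events)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    The `evidence` string is the part a regulator or data subject would ask for: it is the proof of the affirmative act the GDPR recital quoted earlier in the thread requires, so an opt-in without one is rejected outright. Whatever stores the ledger should be the only place names are linked to consent, and the mailing tool should read `recipients()` rather than the old legacy list.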

