Since May 25th, many more people are taking an active interest in how GDPR affects their personal data. This is great for achieving some of the GDPR objectives, but we are not alone in experiencing an incredible amount of confusion from companies about marketing, recruitment and consent.
There have been a few small changes to how we do things at Flat Fee Recruiter in light of the new regulation, but most of our processes were already in line with GDPR. We hope these common myths and their explanations will help you understand more about GDPR and email marketing.
MYTH 1: Companies must get your consent to send you emails
There are 6 legal bases for processing your data, and consent is just one of them. The others are contract, legal obligation, public interest, vital interests and legitimate interests. No single basis is better than the others. Which basis a company chooses will depend on the purpose of the processing and its relationship with the individual.
Flat Fee Recruiter processes data under contract, consent and legitimate interest (depending on whose data we are processing or controlling). Please see our candidate privacy statement and our company privacy statement for more information on which legal basis we use for what data.
MYTH 2: GDPR is all about email marketing
GDPR is all about how you process and manage data. Email marketing has its own piece of legislation to adhere to – PECR. It was intended that the new ePrivacy Regulation (ePR) would come into force at the same time as GDPR, but we are still waiting for this.
MYTH 3: The law about email marketing is the same regardless of whether I have a business email address or a personal email address.
As we highlighted above, PECR is the legislation relating to email marketing. Different rules apply to B2B marketing and to marketing to individuals (including sole traders and some partnerships). In general, the rules on marketing to companies are not as strict. Take a look at this checklist from the ICO for more info.
MYTH 4: I should not get emails from companies that I gave consent to before 25th May 2018
If a company is relying on consent for processing data, it does not have to ask for it again, even if the consent was given before May 25th 2018. Recital 171 explains that a business can continue to rely on consent that was given in line with GDPR.
MYTH 5: A generic email address (e.g. sales@companyname) constitutes personal data
Processing and controlling a generic email address does not necessarily mean a company is processing personal data. An email might land in your personal inbox, but this does not mean it was sent to that address. You could have any number of aliases set up, and we recommend that you know which ones point to your inbox.
MYTH 6: It’s OK for companies to email me to ask for my consent to send marketing messages
Asking someone who has not previously given consent to consent to marketing emails could be illegal.
MYTH 7: All the rules about email marketing have now changed and I should not get any emails I never signed up for
As we said under Myth 1, consent is only one of the options a business can rely on to process your personal data for email marketing. GDPR allows a business to rely on legitimate interests for direct marketing so long as the rights and freedoms of the individual are not outweighed by the processing.
Furthermore, to undertake email marketing a company must comply with PECR, which also allows a business to rely on soft opt-in to send email marketing to an individual or other business, so long as there is an existing relationship in place. When you receive emails, you should ensure that your rights and freedoms are not at risk. Things to watch out for are:
- The right to unsubscribe
- The right to see the data a company has on you
- The right to erasure or rectification
- Transparency in how a company is processing your personal details
- Whether the company is using your personal data in a way that is fair
We hope these myth busters about emailing will give you some clarity on what emails you want to send, what emails you may get and what you should be checking when you do receive emails. If you want to find out more about how Flat Fee Recruiter processes and manages data in line with GDPR, then please check out our Privacy Statement for Companies or our Privacy Statement for Candidates.