Fred Mac Donald's Blog

Is the GDPR just a new form of spam and phishing?

My thoughts on my recent experience with GDPR. Is it really going to achieve what it set out to do, or is it going to be Europe's "great wall of China"?

By now everyone should know about the GDPR that came into force across the EU, so I will not discuss the “proposed” benefits of the regulation.

What I am going to discuss is what my experience is so far.

“Re-permissioning” or “List Building”

It seems that no one is quite sure what to do to ensure they are GDPR compliant. Yes, the data-subject rights are fairly clear, and the need for a privacy policy is clear.

My understanding of the original Data Protection Directive was that you need new members to “double opt-in” to “ensure” they know what is coming. This also includes an easy way to unsubscribe from emails and newsletters.

Question is: Do I need to let my site members know about this and ask them to resubscribe again?

As far as I can see, GDPR does not require double opt-in, and it does not require “re-permissioning” of emails.

“Many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases.”
Privacy Advocate Max Schrems

In my opinion, the number of emails sent by companies to “re-permission” is borderline spam. In some cases, I am 100% sure some websites and companies are using this opportunity for “list building”. I received emails asking me to confirm and re-subscribe to lists that I do not have the slightest interest in. That is clearly “list building”.

So, that begs the question: do I ignore all incoming GDPR emails, or do I take action?

Phishing opportunities.

This morning I received the first email from the fallout. Being the good “Data Protection Officer” that I am, I immediately took action. After all, looking at the email he sent me, I could expect trouble from him…

The email...

Dear Sir/Madam,
I am hereby formally giving notice of a request to have any personal details concerning myself immediately, or as soon as reasonably possible, deleted. This includes any sensitive personal data or contact details that could result in your organisation being able to contact me in the future.
This is more commonly referred to as my ‘right to be forgotten’ or ‘right to erasure’ covered in Articles 12, 17 and 23 and Recitals (65) and (66) of the GDPR as well as in Article 29 Working Party Guidelines on the implementation of the Court of Justice of the European Union judgment on ‘Google Spain and inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González’ C-131/12 (WP 225).
Under such regulations, I have the right to be informed of how this request is being processed without undue delay and within one month of receipt of the request. I look forward to hearing from you within such a time period and may investigate any reasons given with a legal representative as to why this process would either be delayed or not be made possible.
As you will be aware, failure to comply with this request is a breach of my statutory rights and could result in legal action being taken against your organisation.
You should be aware of recent GDPR legislation having been introduced as of the 25th May 2018 and have procedures in place to deal with such a query swiftly.
Kindly acknowledge receipt of this e-mail along with any preliminary action being undertaken to comply with my request.
Email Address:

Name: Gary Platt

Just to be on the safe side, I checked my database for his info and, not surprisingly, he is not in my database. No Garys, no Platts, and no remotely similar email address.
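The check described above (look the requester up by email and by name before acting on an erasure request) is the kind of thing worth scripting, because the outcome decides how you reply: erase if the requester's address is in your records, verify identity first if only a name matches, and answer "we hold no data on you" when nothing matches at all, as happened here. The following is an added example and not the author's code; the records, the function names (`find_subject_records`, `triage_erasure_request`) and the requester details are all constructed for illustration.

```python
import re

# Constructed sample mailing-list records (not real people or addresses).
RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "Alice.Example@example.org"},
    {"id": 2, "name": "Bob Sample", "email": "bob@sample.test"},
    {"id": 3, "name": "Carol Platte", "email": "carol.platte@example.net"},
]


def normalize_email(addr):
    """Lower-case and trim so 'Alice.Example@example.org ' matches its stored form."""
    return addr.strip().lower()


def name_tokens(name):
    """Split a display name into lower-case word tokens (given name, surname, ...)."""
    return {t for t in re.split(r"[^a-z]+", name.lower()) if len(t) > 1}


def find_subject_records(records, name, email):
    """Return [(record id, [reasons])] for records that match the requester's
    normalised email exactly or share at least one name token with them."""
    wanted = normalize_email(email) if email else None
    tokens = name_tokens(name) if name else set()
    hits = []
    for rec in records:
        reasons = []
        if wanted and normalize_email(rec["email"]) == wanted:
            reasons.append("email")
        if tokens & name_tokens(rec["name"]):
            reasons.append("name")
        if reasons:
            hits.append((rec["id"], reasons))
    return hits


def triage_erasure_request(records, name, email):
    """Decide what an erasure request calls for:
    'erase'   - the requester's email address is in the records, act on it;
    'review'  - only a name token matches, verify identity before erasing anything
                (erasing someone else's record on a name match would be its own breach);
    'no-data' - nothing matches, so there is nothing to erase; reply saying so."""
    hits = find_subject_records(records, name, email)
    if any("email" in reasons for _, reasons in hits):
        return "erase", hits
    if hits:
        return "review", hits
    return "no-data", hits


if __name__ == "__main__":
    # Hypothetical requester who, as in the post, is not in the records at all.
    print(triage_erasure_request(RECORDS, "Gary Platt", "gary@nowhere.test"))
    print(triage_erasure_request(RECORDS, "Alice Example", " ALICE.EXAMPLE@example.org "))
    print(triage_erasure_request(RECORDS, "Carol Other", "carol@other.test"))
```

Matching is deliberately strict (exact normalised email, whole-word name tokens): "Platt" does not match "Platte", so a request from a name that is merely similar lands in `review` or `no-data` rather than silently deleting a different subscriber's record. Whatever the outcome, the sender still gets the acknowledgement within the statutory one month, but the `no-data` branch is the one that should make you ask, as the post does, why the request was sent in the first place.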

What next?

The question now is: what was his motivation for sending me this email? Is it someone trying to phish for something?

From a data management point of view, this whole thing has the potential to become a nightmare very quickly, and I think we can expect to see some major test cases coming up soon.
Just this morning Google and Facebook were accused of breaking GDPR laws.

I have received marketing emails from a website called GDPR Databases, which claims to hold contact details for “548,732 GDPR Compliant UK businesses”:

GDPR Compliant Marketing Data
The UK business data we supply is fully GDPR Compliant and therefore you don't have to worry about obtaining direct consent from the individuals and companies contained within our data prior to contacting them. Under the 'Legitimate Interest' clause you are able to contact restricted types of businesses without direct consent if you have a product or service which may be of interest to them.

Our data only contains the type of businesses that you are able to contact without prior direct consent. Therefore, you can freely use our data for cold contact marketing and rest assured that you aren't breaking any laws.

Using data that does not only contain these restricted types of businesses is very dangerous and could result in a hefty fine.

We have a database of 548,732 GDPR Compliant UK businesses which you are able to purchase through our website. 

As far as we are aware, we are the only database supplier offering this type of database. We are not in a position to saturate our data. Orders are restricted and monitored.

Better still, the decision makers within our database have 'opted in' to our contact file.  Therefore, the decision makers are expecting to receive emails from other businesses which may be able to offer a service or product that is of interest to them.

Our data is newly developed, up-to-date, accurate, PAF checked and all email addresses are live and valid. The data is supplied in Excel format and information fields are Company Name, Full Address, Contact Name, Contact Job Title, Contact Email Address, Telephone Number, Type of Business, SIC Code, Number of Employees, Turnover and Company URL.

There is a 95% accuracy promise covering all data fields.

Look at the top of our home page to find a limited offer reduction code which you can use today.

Visit us at:
GDPR Databases
3 Sheldon Lane
S6 6BQ
Tel: 01144 055 999

This could be true, but how do you validate 548,732 businesses, and how do you determine that they are compliant?

I tried on two occasions to make contact with this company, asking for the contact details of their “Data Protection Officer”, with absolutely no response from them. Well, that is not entirely true: they did send me three more emails advertising their services for sale at £500.

The question that then needs answering is: how sure are they that their database is compliant if they themselves are not complying with the GDPR?

It is going to be interesting to see where this goes...

Written by: - 28 May, 2018