It’s been an interesting time to be giving legal advice.  GDPR has led to many detailed discussions about the law and how it will be applied in practice.

However, what fascinates me probably frustrates you.  You don’t want an in-depth discussion.  You want to know what you can and can’t do.

The question I’m asked most often is what you do with your existing database – can you continue to email everyone on it?

As I haven’t seen your specific database, I can’t give you an unequivocal yes or no, but I hope the following points will help.

1.  Firstly, establish whether what is on your database is “personal” information.  GDPR only applies to personal data, not business data.  So if you are only marketing to businesses, you may find that actually your database doesn’t contain any personal data, in which case GDPR doesn’t apply.

2.  If it is personal data, there are 6 grounds on which you can continue to process it.  For example, if you have it for contractual reasons, or legitimate interest, then you don’t need consent.

3.  Assuming that you have formed the view that you do need consent, consider how you obtained the information in the first place.  If you obtained consent (freely given, and not a pre-ticked box) then that will be sufficient – you don’t need people to consent again.  The only thing you need to check is whether you are using it for the reason you received it.  So if you have people’s consent to email them about updates in your services, you may not be able to argue that you have their consent to email them about networking events.

4.  You can also consider to what extent the information you have is already freely available online.  I received an email from the Times last week asking me to take part in a survey.  They openly confirmed that they had obtained my information from my website and the Law Society.  They then went on to say that I was welcome to email them and tell them to remove me from their database if I didn’t want to hear from them again.  In those circumstances, I think it would be hard for me to argue that their email amounted to a breach of GDPR.

5.  You can, of course, play absolutely safe and wipe your entire database as I understand Wetherspoons did.  However I expect it would be much quicker for them to rebuild their database than most of us, and the publicity they generated from the act itself probably made it worthwhile.

6.  Alternatively you can email everyone and ask for consent.  I’ve received many emails from people asking me to consent, and mostly they say that I have to email to say yes or no. Which begs the question, what happens if I say nothing?  Personally I think you should either say “Please say yes or otherwise I’ll assume it’s no and I’ll delete you” or “please say no, or I’ll assume it’s ok to keep emailing you”.  GDPR does say that consent has to be express, and you can’t have pre-ticked boxes, so on that basis my second option may be criticised by some.  However, imagine this scenario.  A week after GDPR comes in, an overworked, stressed call centre manager at the ICO receives a call from someone complaining that they have received an unsolicited email.  The ICO officer asks:

“Have you been receiving emails from them prior to GDPR?”


“Did you have the option to opt out?”


“Is your information freely available on the internet?”


“Have you tried opting out?”


“So why are you calling me?”


In that scenario, what do we think the chances are that the ICO is going to have the time and the resources to take it any further?  At this stage I don’t know, but my assumption is that they are going to be focusing on serious offenders, rather than minor transgressions, and they will simply tell people to opt out, and to only call back if the opt out doesn’t work.

7.  Finally, you can be brave, and do nothing and wait to see what happens.  It’s a bit like driving.  I’m sure everyone reading this has broken the speed limit occasionally, or parked somewhere where they shouldn’t, or taken a chance on an amber light.  Sometimes you get caught, sometimes you don’t.  Obviously I’m not advocating breaching any laws, but we do have to take commercial decisions.  If you have to make a choice between going a little too fast, but getting to work on time, or sticking religiously to the speed limit and risking missing an important meeting, or getting into trouble with your boss, you’re going to weigh up the risks and decide which is the lesser of evils.  The same applies to your database.  Only you can decide how much it’s worth to you, what the likelihood is of anyone on it complaining about you and what you think the chances are of the ICO wanting to investigate you.  You might also take into account how well prepared you are on other aspects of GDPR.  The better organised you are generally, the more likely it is that even if the ICO wanted to investigate a complaint, they would find you largely compliant and so less likely to be concerned about your database.

Kleyman & Co Solicitors. The full service law firm. Common sense is as important as common law.