I've been posting quite a lot of 'big picture' stuff about data protection recently, but sometimes it's important to focus on the day-to-day quick wins that can really help people.

This quote below, from a local politics piece in the Warrington Guardian really resonated with me because the frustration that Councillor Dirir describes is something that I have heard from a number of people. It's a frustration which comes from a misunderstanding of what your rights are as a data subject, and what the changes to data protection law last year actually meant.

As the councillor acknowledges, she opted out of a lot of marketing communications in the run up to GDPR-day last year. She was asked for her consent to receive the communications (consent being one of the lawful bases for processing personal data) and when she declined to give that consent her data will have been removed from mailing lists, reducing the number of e-mails she received.

Some consent is not sought explicitly though - instead it is assumed. There are fairly intricate rules that govern this in the Privacy and Electronic Communications Regulations (as now interpreted through the prism of GDPR). In summary, though, what this means is that if your work e-mail address is in the public domain, you might be deemed to consent to certain types of marketing communication.

To take advantage of this deemed consent (which is also sometimes called a 'soft opt-in') the sender needs to be satisfied that they are writing to you in a professional capacity, and that the subject matter is something which might realistically be expected to be of interest to you in that professional capacity. So I still get emails from tailors and accountants, but fewer mails about holidays and mattresses!

It is important to note that although you can do nothing about receiving the first email from a sender relying on this soft opt-in, the fact that they are relying on assumed consent means that you can still withdraw that consent at any time. Every e-mail you receive should have a link allowing you to opt out. It is a nuisance, but clicking the link and unsubscribing should take no longer than deleting one or two e-mails, and if it stops you receiving any more mails from that source, it will be time well spent.

Without wanting to add to the confusion, please also note that some senders do not rely on consent (whether deemed or explicit) at all. If your contact is a prior customer, or has already been receiving messages from you, businesses can determine that there is a legitimate interest in you continuing to receive such messages. They will have to have undertaken a "legitimate interest assessment" in deciding this, which weighs your interests against those of their business.

In practical terms, though, for that balancing exercise to work there will still need to be a facility to opt out of future communications. As a consequence, the process to stop receiving such messages should be identical to the process of opting out described above.

GDPR is not going to solve these sorts of issues overnight, but it has put the control of what e-mails you receive much more clearly and firmly in the hands of data subjects. Now it is up to you to exercise your rights and take back control of your inbox.