Emailing to many recipients: Etiquette and the law

[Tim Hall]

What's the skinny with emailing to multiple recipients, from a legal POV, both now and once the GDPR kicks in?

A bit of context. I'm a Scout leader and communicate with the Scout parents by email. They advised me of their email addresses over when their child signed up. I use a address list and tick the box to not disclose addresses. BCC in effect.  This works fine. 

This evening I received two emails from higher up the food chain. One giving details of what steps are being taken to ensure GDPR compliance and one was a $general_stuff letter. Both were sent to multiple recipients, the first using BCC or some other magical way of hiding the other recipients' addresses while the second had umpteen addresses all in plain view.

The BCC method strikes me as polite and common sense, but was the second actually wrong?

[David Martin]

Possibly yes. Definitely not best practice. It may be better to use a mailing list service that does individual mailings and manages the necessary unsubscribe options. It also allows for multiple folk to manage the list.

[Kim]

I don't know if the GDPR objects, but in practice there are an awful lot of clueless people routinely shitting other people's contact details all over the internet (to the point where a whole industry has sprung up to make use of them), and mere legislation seems unlikely to change that.   

[robgul]

If you have access to host stuff on your own server/website type stuff then the free ListMessenger software is pretty good to manage lists and send messages.

There is also MailChimp online mailer which does the same thing .... but does seem to perhaps "leak" names and addresses (when I have used it I've "seeded" addresses and received 3rd party stuff)

... what the data protection police have to say is another issue and complex - reality is if it's a simple Scout group (and you add a "you are receiving this 'cos you asked, tell us if you want to unsubscribe" note on every message I would JFDI

Rob

[Diver300]

An example of cluelessness in email writing and lack of data protection was the following email:-

(Title) Compliance Policies
Company name redacted is in the process of updating all our supplier records, this is to support our ongoing corporate responsibilities and to further continue and support our compliance with current legislation.
 
We are sending you various policy statements and declarations for you to review and acknowledge your companies compliance by signing and returning a statement to the email addresses shown below by 31st August 2017. Failure to do so may result in a withdrawal of your approved supplier status, meaning we will no longer be able to place purchase orders with you. By acknowledging your compliance to our policies and adhering to the terms specified in law, you undertake not to tolerate or engage in any form of bribery, acts of slavery and commit not to source minerals listed in the Conflicts Mineral Declaration from the Democratic Republic of Congo.

which was CC'd, not BCC'd, to over 1000 suppliers.

So much for being ethical......

[ian]

Like most things, it's all ultimately very simple. Don't store someone's personal information unless you need to store their information and store only the information that is required for the tasks you've stated and only do so with their explicit permission. And then do not share any of that information without their permission.

I know this because, and I kid you not, I received a 75 page document which said so.

[Vince]

Tim, Is your group using Online Scout Manager? It is highly recommended for all aspects of managing a unit and covers mailing lists. The guy who started it is very switched on as regards data security and I'm sure would have GDPR covered.

[CarlF]

What Ian said.

But particularly this bit:

And then do not share any of that information without their permission

[Tim Hall]

Tim, Is your group using Online Scout Manager? It is highly recommended for all aspects of managing a unit and covers mailing lists. The guy who started it is very switched on as regards data security and I'm sure would have GDPR covered.

Hi Vince

No. We're co-opting a former exec member to take on a Data protection role for the group, so I'll see what his take on it is. Emails from the GSL have recipients' addresses hidden. The email that had all the addresses displayed was from the DC...

[drossall]

I'd highly recommend OSM as well. It BCCs everyone as a matter of course when you mail from the system, and also gives you a range of email addresses to send from your client to the whole Troop, all the leaders, all the Falcons, everyone going on summer camp or whatever, if you don't want to sign in - again sending BCC.

Again on the security theme, our Cubs no longer do paper camp forms - they just ask parents to sign in and check details, so everything stays secure in the system. There's an HTML5 phone app that works offline, because reception is a bit rubbish in many Scout huts and on many camp sites. It just updates the central system next time it manages to connect.

I've not had a GDPR directive from District yet, although I'm off to some training on Saturday with my church secretary hat on. Again, I'm inclined to think that part of the answer there is to store the data in a system and mail from that, rather than use a spreadsheet, a paper file or whatever. We use ChurchSuite, which is pretty much an OSM for churches.

How you email and where you store the data is far from the whole story in GDPR. In a structured set-up like the Scouts, we can just try to follow what HQ recommend. But a purpose-designed system helps.

The really brilliant thing about OSM is its integrated approach. For example, you set up a programme, and mark each evening with the badge requirements it covers. Then you record attendance, and you can let it update everyone present automatically as having covered that requirement. And so on in many areas. Not GDPR-related, but really helpful.

[David Martin]

The really brilliant thing about OSM is its integrated approach. For example, you set up a programme, and mark each evening with the badge requirements it covers. Then you record attendance, and you can let it update everyone present automatically as having covered that requirement. And so on in many areas. Not GDPR-related, but really helpful.

So the days of actually having to demonstrate you knew stuff and getting it signed off in the paper handbook are no more?

[drossall]

It varies. But the paper handbooks kept getting washed. One time when they produced a new version, they claimed it was washing-machine proof

[woollypigs]

well this GDPR sends you down memory lane - got so many emails from places I didn't know I had given my email too

[Ashaman42]

Not only that but emails from places I'm pretty sure I never gave my address to.

Sent from my SM-G930F using Tapatalk

[Greenbank]

And the knowledge that the emails from certain places which have been impossible to unsubscribe from (i.e. Mountain Warehouse) should stop in a couple of days without me having to do anything (since I'm not opting-in).

And if they (companies, unfortunately not spammers) don't stop then there's the ICO to report them to.

[ian]

I may finally stop getting emails about oil and petroleum industry events.

[Phil W]

These privacy emails have been a good reminder to delete accounts that have long lain dormant