GDPR- Report on How you can ensure company-wide data compliance standards (including GDPR legislation)

On our forms, "Country (of residence)" is also a required field as it helps us to understand who, within our database, is covered by GDPR law.  Obviously not 100% foolproof, but still a key data point.

I'm really surprised this is the guidance provided by SiriusDecisions (who I look to often for best-practice marketing guidance).  On the form above, you cannot make specific consent fields mandatory (the last two on the form).  This is illegal.  GDPR specifically states that "consent must be freely given" and "organizations cannot prevent the performance of a contract (in this case, downloading the toolkit) conditional upon consent".  Here's more detail around this:

Source: Chapter 8: Consent – Unlocking the EU General Data Protection Regulation | White & Case LLP Internat...

Other fields can be made mandatory as well.  As long as they fall within the "legitimate interest" definition of GDPR.  The "country" example I provided above is an example of this.

I took a look at the report referenced here.  I don't believe SD is saying this is a compliant form shown here.  This may have been taken out of context from the objective of the report.  Instead, the form showed here was simply used as an example during one of the steps outlined in the report - specifically the "Implementation Framework: Audit" step.  In this case, it would be noted - as part of this audit - that making the consent fields on this form would be a violation of GDPR principles.

Great points and good discussion.

Here is something I was thinking about in relation to this.

Let's say we restrict all marketing/comms to corporate email addresses only (for sake of this argument).

If we don't have proper consent to send emails to john.smith@ibm.co.uk or something, then we are out of compliance/exposed.

Which means that IBM UK can sue us for spam. Is that right? And would they sue us for spam?

And to take this a step further, if you were located in the EU and received an unsolicited email to your corporate address, would you try to sue the sender?

Would love some additional insight on this, thanks!

Which means that IBM UK can sue us for spam. Is that right? And would they sue us for spam?

Under GDPR, a user in the EU who has not provided their consent can file a complaint with the GDPR.  And if the GDPR finds that the sender of the email in violation of GDPR compliance, they will be held liable.  From what I understand, there will be a tiered structure when it comes to the fines:

• Issue warnings
• Issue reprimands
• Issue tier 1 fine (up to 10 million euros or 2% of global company revenue - whichever is greater)
• Issue tier 2 fine (up to 20 million euros or 4% of global company revenue - whichever is greater)

The amount of the fines is based on the following:

• The nature, gravity and duration of the infringement (e.g., how many people were affected and how much damage was suffered by them)
• Whether the infringement was intentional or negligent
• Whether the controller or processor took any steps to mitigate the damage
• Technical and organizational measures that had been implemented by the controller or processor
• Prior infringements by the controller or processor
• The degree of cooperation with the regulator
• The types of personal data involved
• The way the regulator found out about the infringement

I think it's clear that those companies that will be most impacted and in violation are ones that practice old-school marketing: purchase third-party lists, guess/formulate company email addresses based on current format/structure of the email, don't capture and/or disregard opt-in consent, "batch and blast" mentality, etc.

Oh and BTW, these fines are made payable to the GDPR, not the party making the complaint.