Keep Calm - Are they complying with data protection?

Ever wonder if you are complying with data protection? Or have you received an email and wondered, is that company complying with data protection? Well, I had a situation this very morning, so I decided to investigate and write about my experience.

Where it all started

I received an email from a business that I have never heard of and have had no contact with; they were trying to sell me their graphic design product. They sent the email to my email address. So the first question I asked myself was: Who are these guys and where did they get my email address?

I was curious and I also wanted to flag their potential data protection breach to them (or what I thought was a potential data protection breach), so I called and spoke to a lovely man. I explained who I was and why I was calling; thankfully they took my concern as genuine and not some know-it-all trying to make a point.

Their approach to data protection

The man I spoke to said that he had made a point of calling the data protection office about their specific scenario and they were advised that sending to (and others like it) was fine as long as it is a business email address. I thought this strange, as I have also spoken to the data protection office on a few occasions about this type of scenario and was told that sending to constitutes a personal email address even though it is on the business domain, therefore it is not ok to send unsolicited emails. Granted, it was about a year ago that I last spoke to the data protection office, so I decided to get some clarification on the situation.

The latest advice from the data protection office

Issue 1 Sending to : The advice given this morning by a representative in the DP office is that this is ok once it is relevant to my business role. The keyword here is RELEVANT. What constitutes relevant? Their example was that, as it is business to business communication and I am the business owner, this may indeed be relevant. They advised that if some burger joint sent me emails trying to sell their latest pizza offering, this would not constitute business to business communication and therefore it would indeed be breaching data protection.

Issue 2 Where did they get my email address from? : This is their and my main concern. How/where did this company get my email address? Yes, it is my primary business communication email address but I do use it for some personal emails also. They advised that best practice is to ensure that, when the data is collected, the person is given the option to opt in (if natural person / non customer) and opt out if business contact or business customer. This is the advice I always give clients, so I was happy to know at least that the advice I was giving was correct and up to date.


So what should you do?

You should always err on the side of caution where data protection is concerned. Some key things to consider are:

  • Ensure that, when you collect the email address, each and every person (not generic emails like admin@, info@ etc.) is given the opportunity to opt in if a natural person / non customer and to opt out if a business contact or business customer (as would have been the scenario here)
  • Do not send to Gmail, Hotmail etc. addresses without getting consent, as these can constitute personal email accounts
  • Do not randomly pick emails off websites, membership databases etc. unless the database has a caveat built into the T&C when someone signs up that says that being part of this list means that they will receive marketing email newsletters and e-shots from other members. I have never seen this happen, but when you join an organisation or member database, always read their T&C so you know what is expected of you.
  • Consider how you would like your email address used. Why send to people that don’t want your marketing emails? Send to people who have explicitly expressed interest in your products and/or services. The open rate and conversion rate will be much higher.
  • Keep the data safe and secure and ensure traceability. If asked, can you advise where the person signed up and gave permission to use their email address?
  • For more information visit
