Stuart Gentle Publisher at Onrec

New rules mark the end of spam with everything, not the end of the world

By Ashley Marron

The first unsolicited marketing pitch probably dates back to the middle Palaeolithic period when an enterprising early hominid, clutching swatch pads of rock samples, stuck his foot in a cave door in an attempt to close a sale. 

Things have moved on and in today’s digital world, such pitches are more likely to come in the form of spam – those infuriating junk emails that keep flooding into our inbox, plugging things we’ll never want or need, preventing us from finding that crucial memo from the boss we planned to quote from in a meeting that’s just about to start.

Everyone agrees spam should be banned, in the same way that everyone agrees there should be fewer cars on the road so that we can drive to work in the morning without being caught-up in traffic jams.

The problem is where to draw the line? We don’t want to be bombarded with unsolicited junk mail but, at the same time, we don’t want Draconian curbs that restrict our own, legitimate e-marketing campaigns.

Well, those helpful chaps at the EU believe they have come up with the answer. In May, a new regulatory system governing spam and other data abuses will come into force with the General Data Protection Regulation (GDPR) which will, for the first time, seek to harmonise rules across all 28, member states.

It means anyone who uses business productivity tools or multiple delivery systems such as Wix Shout Out, Mailchimp and Survey Monkey as part of their marketing mix will have to be aware of rules governing spam and much else.

Predictably, there’s been a lot of fear – and fearmongering – generated by the rules with predictions that they threaten to tie-up small businesses in mountains of red tape, restricting their marketing activities to the point where they’ll be unable to send a simple email.

Well, the good news is that there’s nothing greatly to worry about. We’ve reviewed the regulation and it’s our view that, by taking a few simple measures, you can meet your obligations without much time and expense.

As a seller of online business productivity tools, we’ve had to take a proactive approach to ensure we comply.

Some might argue it’s not before time. Ok, so I might have made-up the bit about the caveman, but the first recorded incident of an electronic message being sent, uninvited, to multiple users was in 1987 when an east coast tech developer contacted potential clients on an early iteration of the internet to plug a new protocol.

The term spam was coined in the 1980s by users of early, closed-chat systems to refer to the mass junking of computer data to force systems to crash. It wasn’t until the mid-1990s when two US lawyers acquired a script, allowing them to promote their services to multiple news groups, that it came to be associated with mass marketing.

The term is believed to have been borrowed from a Monty Python sketch in which a group of hungry Vikings to go a restaurant where everything on the menu contains spam. As none of them likes spam, it became synonymous with something unwanted and repetitive.

The first thing is to understand is that the GDPR is a regulation, not a directive, which means it applies across all EU member states and, as the UK will continue to be an EU member until mid-2019, businesses and organisation are covered.

In the UK it will complement the existing Privacy and Electronics Communications Regulations (PECR).

The main difference between the two is that PECR regulates communications sent to people at their work email while GDPR is also concerned with personal data.

As a provider of project management software for businesses and organisations, we’ve long been regulated by PECR whose main requirement is that each direct marketing email should include an "unsubscribe" option, which is the documented procedure we have in place.

Rules governing use of personal data were introduced when many of today’s online services and the challenges they bring for data protection didn’t exist, for example social networking sites, cloud computing, location-based services and smart cards, all of which have seen the processing of personal data grow exponentially.

We need a robust set of rules to make ensure people’s right to personal data protection remains effective in the digital age.

Definition of Personal Data - Article 4 (1) of the Regulation includes elements such as name, address, gender, date of birth but also includes less obvious identifiers such as IP address.

While accountability is not a new requirement, GDPR requires all organisations to record and document compliance with all aspects of the regulation. It doesn’t give individuals more rights in respect of their data, including more control and visibility of how their personal data is being used, and the right to have that information removed or moved as requested.

There will be heavy sanction for breaches - including fines up to 4% of annual turnover or €20million, whichever is the higher, for the most serious breaches.

To ensure you comply there’s a need to identify the key processes, documenting as needed, and ensure you have an audit trail to prove compliance.

We’ve included a downloadable template in our Barvas software to help demystify the key steps and navigate users through the process.

For more information visit

Ashley Marron is CEO of East Kilbride-based Barvas, a management software tool for small and medium sized businesses