The National Health Service is texting patients to warn they could lose alerts about hospital and doctor appointments, joining the deluge of more than 1bn “GDPR” messages currently hitting personal inboxes to meet an EU deadline this week.
GDPR, which stands for General Data Protection Regulation, has been described as the biggest overhaul of online privacy since the birth of the internet, and comes into force on Friday May 25. It gives all EU citizens the right to know what data is stored on them and to have it deleted, and protects them from privacy and data breaches. If companies fail to comply, they can be hit with fines of up to €20m (£17.5m) or 4% of global turnover.
Companies and organisations around the world – from giant corporations to charities and church groups – are now anxiously contacting users to check they are happy to carry on receiving their emails and texts.
Each person in the UK is understood to have about 100 “data relationships”, and with many companies sending out multiple reminders, the total number of GDPR emails is expected to soar above one billion by this Friday.
But with GDPR fatigue setting in, and with many messages heading straight into spam boxes, the figures suggest that few people are responding.
Polling by consultancy Accenture has found that more than half of consumers are not responding to emails from brands, with about a third of people deleting the emails almost as soon as they arrive in their inbox.
Some small businesses are reporting that “reconfirmation” rates are averaging just 10%, meaning they are losing 90% of their marketing email lists.
“Up to the deadline you are going to continue to see some panic and mass communications. Then there will be a lull before it begins again, as this is an ongoing requirement,” said Russell Marsh of Accenture. He is forecasting that some companies will return to direct mail to target customers, as it does not fall under the same GDPR legislation.
Many people are enjoying a once-in-a-lifetime opportunity to clear out their inboxes. But while many messages can be safely ignored, others – such as those from the NHS – will need action.
The NHS message reads: “The law is changing and we must get explicit permissions from patients when using their data. To continue to receive SMS text messages, reply START.”
The messages are being sent from the NHS automated appointment reminder system, used by millions of people across the UK. Data rules mean that the messages are sent by each individual NHS trust rather than centrally from the NHS.
Companies are handling the new rules in different ways, as there is no prescribed format for GDPR approval. If a company has a “legitimate interest” in contacting a customer – such as their principal bank account – then it only needs to let the customer know that privacy details have been updated.
But if the email address had been obtained in other ways – such as a pre-ticked box – then that is not regarded as legitimate, and the company has to contact the consumer and obtain approval for further communications. Some companies are insisting users go through the rigmarole of logging in, which might entail trying to remember a password or setting up a new account.
“It will be their interpretation of what they need to do to be compliant,” said Robert Parker at the UK’s Information Commissioner’s Office.
Companies are resorting to ever more desperate ways to catch the eye of users in inboxes deluged with GDPR emails. Many are in the plaintive “Do you still want to hear from us?” style, others warn that “Time is running out”, while some demand “Urgent action required”. Or as one flower delivery company GDPR email says: “Take it or leaf it”.