Premium 'Recently Registered' email

[SantasBritchesSpelleas]

I had an email advertising Premium saying 'We noticed you recently registered with Mumsnet'. I registered several years ago! Is this an error or is it like moving into a small village where you're still considered an incomer 20 years later?

[quote DumplingsAndStew]@JustineMumsnet Can you confirm why you chose to hang on to these email addresses in a hidden database, rather than delete them as you should?[/quote]
Yes it was an oversight. This system was set up well before GDPR came in and this niche event was just missed - we would never have known about it if we hadn't made the error wrt sending a mail to the wrong list. I do believe the key thing is that there was no intention to hold or misuse data to our benefit. As said it wasn't best practice and our intention is always to employ best practice so we're grateful that it's been raised and we've been able to correct it.

@R0wantrees

Please let us know if you have any further concerns and we’ll be happy to check your permission details to make sure everything is as you want it

@JustineMumsnet
Thank you for responding to some of the issues which have been raised.
I sent an email to contactus@ mumsnet on 27/12/2020 (the day before Michael Mumsnet posted the encouraging words above). It has not been acknowledged.

I'll as the community team to look into this and respond R0wantrees.

Yes it was an oversight.

It was an oversight to intentionally hold old email addresses in a separate database and mark them as 'do not send emails to this address'? Were those email addresses encrypted?
I do not believe that holding on to these addresses was not intentional. As per your own privacy policy

Any personal data you give us, or that we collect when you use a Mumsnet product, will be retained by us for as long as it’s needed to perform its function.

What function are our old email addresses performing for you? Even pre-GDPR, what function did they hold for you, to set them up to be deliberately stored, without the user being aware?

Can you please supply the name of the person responsible for ensuring your company is GDPR compliant?

Thank you.

There was no good reason to hold old email addresses in our email platform database - as said it was an oversight and it was unintentional. We certainly had no intention of ever using those emails - that's why they were marked as to 'not to use' and were deleted from the Mumsnet platform database. It was only when We made the human error off sending a newsletter to the to you the whole email database That we realised that these old email addresses were not being deleted from our email platform database at the same time as they were being Deleted from our own database. It's a system that would've been set up well before GDPR came in. Ideally we should have clocked it earlier but as a niche case I can understand why it was overlooked. And I'm pretty sure I'm the person, as CEO, who's overall responsible for Mumsnet's GDPR compliance.

@JustineMumsnet

There was no good reason to hold old email addresses in our email platform database - as said it was an oversight and it was unintentional. We certainly had no intention of ever using those emails - that's why they were marked as to 'not to use' and were deleted from the Mumsnet platform database. It was only when We made the human error off sending a newsletter to the to you the whole email database That we realised that these old email addresses were not being deleted from our email platform database at the same time as they were being Deleted from our own database. It's a system that would've been set up well before GDPR came in. Ideally we should have clocked it earlier but as a niche case I can understand why it was overlooked. And I'm pretty sure I'm the person, as CEO, who's overall responsible for Mumsnet's GDPR compliance.

Can I clarify, those users who have changed their email address previously because the original one contained identifying information, in order to make sure it is definitely removed from your records, will have to contact MNHQ and reiterate that identifying information?

I think it would be more reasonable to send an email to all those on this 'do not use' list that shouldn't have been retained to confirm that this email is still on your database so they're all aware & can respond to confirm the data should be removed. This should not be left to individual members & ex members to contact MN to ensure action is taken.

@TheShadowyFeminist

I think it would be more reasonable to send an email to all those on this 'do not use' list that shouldn't have been retained to confirm that this email is still on your database so they're all aware & can respond to confirm the data should be removed. This should not be left to individual members & ex members to contact MN to ensure action is taken.

Yes I completely agree. We'll mail everyone on our email database who isn't currently opted in to any newsletters to ask them if they'd like to be removed altogether. Thanks

You should have a data controller who is responsible for maintaining your data and systems, and who is answerable for errors.
And I think you should hire a database analyst to review and overhaul your system and staff training.

I do understand that you need to maintain a database of banned email and IP addresses, but they need to be on a separate encrypted database; not tagged in the main database, not in a separate table, and not available to interns or your email platform.

You need a data protection officer. Mumsnet is the data controller.

If you’re responsible, you have a legal obligation to be the expert on all data protection matters and keep that expert knowledge up to date.

I don’t think you are at that level. Sorry.

Also. WP29 (now EDPB) guidance is considered binding and it debars certain people who carry out particular functions in an organisation from holding the role of DPO.

And if you were an expert in data protection of the level to hold the role you’d know that, and know it couldn’t be you.

Sorry. Again.

Oh and just for the avoidance of doubt. If any of those old email address people asked to have their data deleted and/or not be contacted again. You have broken GDPR / DPA 2018 / UKGDPR.

A minor breach the ico are unlikely to be interested in over much. But still a breach.

Again. Sorry.

@JustineMumsnet

Yes I completely agree. We'll mail everyone on our email database who isn't currently opted in to any newsletters to ask them if they'd like to be removed altogether. Thanks

Hi, Did you send out that email yet? I've not received anything.

[quote DumplingsAndStew]@JustineMumsnet

Yes I completely agree. We'll mail everyone on our email database who isn't currently opted in to any newsletters to ask them if they'd like to be removed altogether. Thanks

Hi, Did you send out that email yet? I've not received anything.[/quote]
Hiya this should be going out today or tomorrow. Thanks

Did the emails go out yet? I haven't recieved one, and I haven't opted in to recieve newsletters.

No, I still haven't received it either

Hi @AaronPurr and @LemonRedwood

These have been sent out now, if you've not received one could you send an email to [email protected] and we'll take a look for you. Thanks!

The email doesn't ask if we want the email address removed from the database, it asks if we want to unsubscribe from receiving emails.

Hi @Thelnebriati - unsubscribing removes users from the list of people we're able to send newsletters to.

If anyone wants their email address completely removed from the system please do mail in and we will action asap. Thanks!

"Hi @Thelnebriati - unsubscribing removes users from the list of people we're able to send newsletters to.

If anyone wants their email address completely removed from the system please do mail in and we will action asap. Thanks"

Seriously? After this lengthy thread discussing how MN have retained data on people who are unaware, and how this breaches GDPR, you come back and say you still expect members & ex-members to contact you to have details removed?

Can anyone who has complained to ICO on this update the thread on where this is now? Because there appears to be a wilful attempt to both deny the unnecessary retention of personal data (only known due to an error in emailing marketing info from the 'wrong' list) & to not even inform those who still have their details retained that this is the case.

This isn't good enough @MNHQ

Why haven’t those who’s personal identification you’ve illegally kept been informed?

Justine said;

@JustineMumsnet
Yes I completely agree. We'll mail everyone on our email database who isn't currently opted in to any newsletters to ask them if they'd like to be removed altogether. Thanks

But the email does not ask if we want to be removed from the database, it asks if we want to unsubscribe. There are 2 unsubscribe buttons and they seem to offer different options.

@AmyGMumsnet

Hi *@Thelnebriati* - unsubscribing removes users from the list of people we're able to send newsletters to.

If anyone wants their email address completely removed from the system please do mail in and we will action asap. Thanks!

Hang on, so I've changed my email address in account settings and clicked unsubscribe on that email and you are still storing that email address on a database somewhere? Why? What good reason do you have for retaining it? And using a crappy database system is not a good reason.

Hello

We can see how it might feel that we’re asking people to jump through pointless hoops. We really don’t want to hang on to anyone’s email addresses longer than we need to. The rationale for holding them is this: anyone who has unsubscribed goes onto a master unsubscribe list. This physically prevents any emails being sent to those addresses (so no one can accidentally send a mail to someone who’s said they don’t want one - the system auto-rejects it and it physically can’t go out). This is considered good practice by our email provider and the ICO. If anyone would prefer their email not to be on a master unsubscribe list, though, we are of course very happy to remove it altogether.

As said previously we have been amiss in that we haven’t been automatically deleted the old emails of those who changed email addresses from our email database and unfortunately we can’t identify those old emails (because we don’t store that data anywhere else). Hence why we sent out the mail asking if folks wanted to unsubscribe from our master list.

Hope that makes sense.

Amy, you are conflating 2 very different things, and I can't tell whether it's just confusion or deliberate.

When people de-register, change their email or are banned, they do not expect their details to have been retained. At all. This isn't about subscribing to emails, it's about data that should not still be on your system and talking about subscriptions is not the same thing. You need a reason to retain data & you don't have one for this. Keeping a list of emails so that you don't email them is pretzel logic. You can also not email them by simply deleting the emails from your system. Your reason for retaining people's data (when you've already said it should already have been deleted & people would have expected that) is not justified.

Is everyone affected a user from FWR?