News Release: GLS Completes GDRP Aligned Contact Clean Up Exercise

Our short GDPR aligned update

Throughout Q1 2023 the GLS Group undertook a comprehensive update exercise to update the consent validity of all of the contacts in our CRM - which as of 1 January 2023 - amounted to more than 22,000 contacts - almost all of which are in-house lawyers.

We are delighted to announce that we have completed that exercise and wish to say thanks to all of our contacts and the members of the GLS Legal Operations Community for their support during this process.

GLS Group is based in Singapore but is influenced by GDPR principles on the basis that they represent a high-water mark in privacy standards and a North Star that most countries will follow.

As such, our privacy efforts focus around getting positive consent from individuals whose personal information we have collected during the course of our legitimate business activities. As a matter of good practice, we wanted to keep those consents current through a re-affirmation campaign.

Necessarily, this exercise involved us reaching out to our contacts up to 5 times to request their positive consent to continue using their personal information. It was a time consuming task for which we are grateful to our clients / contacts understanding and support. 

In keeping with our "community exchange" principles at GLS Group, we thought we would provide an update on how that initiative went.

GDPR Consent Capture - Email Requests

Unquestionably no one likes to be inundated with consent requests. Apart from being a distraction - these days the nefarious forces of organized cyber criminals increasingly use legitimate looking compliance requests as a means to deliver harmful malware/ransomware. This means that there is increased cynicism in the world at large regarding clicking any kind of email served link.

Using email to obtain consent for continued usage of personal data current still seems to be the most efficient means of going about consent collection exercises but it surely does still involves a steep incline.

We took what we thought to be sensible precautions to minimize interruption of our clients / contacts by including simple voting buttons that allowed our contacts to affirm or withhold their consent for our continued usage of their personal information. The response was really tremendous. 

What did we do?

We prepared a consent request exercise that involved up to to 5 communications with each contact. In each email we outlined, amongst other things, the following:

Identity: who we were

Data: what data we held

Data Processing: how we used it

Connection Origins: the 3 means by which we were likely to have collected that data

Value: provided an example of the value that staying in touch with us represents

Personal Identity: as most contacts are made through LI - a link to the bio of our Global Managing Director so connection status could be clarified if need be

Options: 3 different options that allowed each contact to positively grant or withhold their consent.

Unsubscribe: in addition every email also included a unsubscribe function - which is activated would be taken as a guide to forget that contact

Discuss Invite: an invite to discuss any privacy concerns

We sought to strike the right balance between being as helpful as possible and getting a clear consent. This meant we explained who we are, why we wanted to stay in touch, exercising sensible and proportionate commercial efforts to make good on a voluntarily assumed GDPR compliance standard … and making it as easy as possible for our contacts to control how we used their data.

Our data usage scenarios are actually extremely limited. We don't collect sensitive information / sensitive personal data - we use the information for the purposes of delivering services and explaining the relevance of what we do (e.g legitimate marketing - which in our case is simple telling in-house lawyers about resources/initiatives that are available to make their jobs/careers easier/better).

Did we get it right?

The only real answer to that is what our contact community thought. And, in terms of assessing their behavior's, we received just one response that might constitute a complaint, but actually ended up well.

Unfortunately, that contact did not use our opt-in buttons in the email and emailed us directly via a contact form on our site. Rightly so, and understandably, they thought our email might be a phishing email.

Unfortunately that email went to a Junk folder and was not spotted immediately and one of our follow up emails was sent to that contact - which was not well received. 

We reached out to that contact, who happened to be an outstanding and longstanding privacy industry professional and explained our efforts, our background and connection, and all was well. 

It turned out we had been a previous professional context connection for almost a decade - but, like most of us, we dont always instantly recall everyone we have ever met in a professional context.

We very much appreciated our interaction with this contact as it was an opportunity to test our readiness to respond to data subject access requests. 

Working with such large data sets (well large for us anyway), there is always a chance of a data field being incorrectly marked. However, “difficulty” or the potential for “slip ups” is no reason for a Business to delay engaging in this kind of initiatives.

We are more than confident, after having run this exercise, that overwhelmingly, our contacts appreciate the efforts we are making ... and so will yours if you undertake a similar task.

Privacy compliance going forward

Going forward we will rely heavily on the ability of our contacts to self manage their communications preferences with us and ensure that they have access to all the information they need about their privacy related rights through out privacy notices on our site. 

If new and better ways emerge to help us efficiently maintain active consents from our client/contact community - we look forward to hearing about them and considering using them going forward. 

What does GDPR mean?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that was implemented in the European Union (EU) on May 25, 2018.

It is designed to provide individuals with greater control over their personal data and establish a unified framework for data protection across the EU member states.

GLS Data Protection Officer - Further Info

If you want any further information about our privacy efforts, please contact [email protected] and we will direct your request to our privacy office.