11 July 2018

The General Data Protection Regulation is a hefty 88 page outcome of 4 years of EU deliberation that’s designed to give people more control over their data. Because of GDPR, companies can no longer hold people’s data without their explicit consent and they can no longer contact people with marketing emails unless they’ve explicitly opted in.

Isn’t it ironic, then, that all of our inboxes were bursting at the seams in the lead up to the 25th May? “Don’t say it’s the end”, “Is this really goodbye?”, “Are we splitting up?”: an avalanche of last-minute emails in a desperate attempt to obtain explicit consent. I received so many of these emails throughout May both from companies I do know and from companies that I’ve never even heard of (who sold my data on?!). The first few I opened and read and felt slight pangs of guilt – sorry, this is indeed the end. Before long though, my inbox took great pleasure in the fresh start GDPR was offering it.

Many companies had a ‘you have to opt in’ perspective, rather than ‘you have to unsubscribe or we’ll keep emailing you’. This meant that I could delete most of the GDPR emails that I received without even opening them and simultaneously say goodbye to those companies forever. This also decreased the chance of downloading any viruses by clicking on spurious ‘unsubscribe’ links. Unfortunately, GDPR provided a great opportunity for unsubscribe scams – enter your personal details, username and password to unsubscribe.

For most of us the onslaught of emails has now settled down. However, we all know that there’s always going to be one – that one company that keeps emailing us when we’ve unsubscribed, that one company that we’ve never heard of that’s contacting us.

There’s lots of confusion around what to do if we’re still receiving spam, how we stop the spam, and what the next steps are if it’s really going too far. Here’s our advice on how to handle post-GDPR spam.

1. Unsubscribe from the emails

If you’re receiving emails from a legitimate UK-based organisation that you don’t want to receive emails from, you should use the unsubscribe link at the bottom of their emails to unsubscribe.

2. Contact the organisation

If you have unsubscribed from emails but you’re still receiving them, you should contact the company and ask them to stop, keeping a copy of all correspondence.

3. Report the company to the ICO

If you’ve completed the above steps and you’re still receiving emails, you should go ahead and contact the ICO. Reporting spam email to the ICO is a simple process that takes about 5 minutes. You can report spam using this link:

Exceptions and things to bear in mind

Business to business emails

If you are receiving emails to a corporate business email address ( for example), then that does not fall under GDPR. Business to business emails are allowed without consent, however most companies will have an unsubscribe button as best practice.

If your corporate email address has identifiable information in it ( for example), then you are protected under GDPR and should follow the above advice.

What if there’s no unsubscribe button?

If there’s no unsubscribe button, you should email the organisation asking them to stop sending emails, again keeping a copy of all your correspondence. Alternatively, if you have an online account with the company, you should be able to adjust your email preferences by logging into the website.

What if the sender is not a legitimate UK based organisation?

If you’re receiving emails from what you think might be an illegitimate source, you should not click on any links in the email(s) because they might download a virus for example, or confirm that your email is live making you a target for more spam. Most people are happy to just delete illegitimate emails, but you can report them through Office 365 or your antivirus solution for example. Office 365 Advanced Threat Protection is able to automatically detect and remove spurious emails, so you won’t have to deal with them.

If you’re receiving emails from a legitimate but non UK based organisation, you should contact the ICO. The ICO has agreements with organisations around the world, so issues can be solved quickly and easily.

Mistakes happen

Before you go reporting everyone to ICO, take a step back. Is the email a genuine mistake that can be rectified, or is it spam from a company that you want to shout about and should be reported? Ultimately, GDPR and the ICO are not targeting businesses that make one simple mistake; they’re targeting the organisations that consistently send spam emails, do not respect customer data, and are outright failing to comply with regulations.