Well, the big day arrived on Friday 25th May, and the world didn’t end. Almost every seminar I’ve attended and every webinar I’ve delivered and every blog post I’ve written recently have had a GDPR slant. It’s creeping in to every business process at the moment as a discussion, so my writing has been a reflection of the fact this topic has been on everyone’s lips. I thought I’d share some simple views and debunk some myths that are still circulating in the market.
You must renew your email marketing preferences
Utter nonsense. Our inboxes are full of a few different types of GDPR related emails at the moment.
- General Consent requests to allow the company emailing us to continue processing our data (not many sensible organisation are using Consent as a Lawful Basis unless they really need to)
- Under Legitimate Interest, most organisations are updating their Privacy Policies and communicating this change to us in an email.
- Emails that state “because of GDPR we need you to renew your email marketing preferences”.
GDPR is about processing personal data, not about email marketing. PECR (Privacy and Electronic Communications Regulations) sits alongside data privacy regulations, so the two things are linked but distinctly separate. So the third type of email simply demonstrates a complete lack of understanding of GDPR, indicates that the companies in question have not been compliant with PECR since it was introduced (2003 in the UK) or that they are simply using GDPR as an excuse to do a bit of unnecessary housekeeping.
My Business is not big enough, GDPR doesn’t apply
GDPR is applicable to anyone organising and processing data, the size of your business is irrelevant. I am still hearing people repeat the myth that you need to have over 250 members of staff accessing the data before it applies to your business. This opinion is still commonly shared by so called professionals who have been paid for advice on the subject.
I don’t have a database, so I’m not processing data
If you run a business, you’ll have an organised records somewhere. Anything organised record keeping that identifies an individual is classified as personal data. My post of going paperless addresses this. Whether it’s a spreadsheet on your desktop or a notebook on your desk, if it has any identifiable personal data in it, then it counts as organised data and GDPR applies to that data.
I need to seek Consent from everyone who’s data I am processing
Not true and not advisable. This is a matter for your business to decide on, but I would advise caution about Consent being your default position. Early in the discussions about GDPR, one of the first myths to emerge was that Consent would be needed from everyone. The issue with Consent as a Lawful Basis is that it extends very specific rights to the data subject. If you seek Consent, you can’t assume that it’s approved if you don’t hear back and you can not roll back to another Lawful Basis if you don’t get a response. Consent is only a legal requirement if you are processing “Special Categories” of data such at Health, Financial, Union / Political Party memberships etc. So most people are now defaulting to a position where they are seeking to apply Legitimate Interest as a Lawful Basis. You should look in to this as part of your risk analysis and Impact Assessment.
I’m going to be fined €20M (or 4% of global revenue if greater)
The size of the fines have driven the debate, so I am glad that the EU has added some serious jeopardy in the regulations. But the key thing to remember about the fines is they will be proportional to the damage caused by the data breach or the nature of the complaint lodged against you. A number of huge corporations have recently been victims of massive data breaches. This article talks about the £400k fine received by Carphone Warehouse which was one of the largest ever issued by the ICO and just shy of the maximum they could issue. Today, Dixons Carphone revenue is over £10B, so a maximum 4% fine would have been £400M, so you can see where the anxiety is coming from.
My business doesn’t operate in the EU, so GDPR doesn’t apply
The regulations refer to the processing of data on “people in the EU”, so GDPR applies regardless of the location of your business if you are dealing with customers or candidates resident in the EU and might extend to EU citizens who are not resident here at the moment. The wording on the regulations are vague, but do state Data Privacy is a basic human right for EVERYONE. Whilst it may be difficult to pursue you and fine you in countries outside of the EU unless the local Supervisory Authorities develop agreements with the EU on this issue, if you trade with businesses in the EU it’s pretty easy to see how being pursued by the European authorities could be damaging to your business. Processing data on anyone from the EU or resident in the EU regardless of citizenship will likely mean you should be compliant. It’s your call whether you want to take the risk.