The build-up to the General Data Protection Regulations (GDPR) was huge, with business inboxes from Land’s End to John O’Groats flooded with re-consent forms. Conferences and information sessions were attended, but even today businesses are unsure of their responsibilities.
Despite it being early days, there are clearly some elements of the GDPR which have been over-hyped.
In the months leading up to May 2018, inboxes were inundated with emails asking customers and clients to provide their consent for ongoing marketing communications. It turns out that none of this was strictly necessary.
Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood, comments that many of those requests were “needless paperwork”.
“Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR,” Vitale said. “The first question to ask is: which of the six legal grounds under the GDPR should you rely on to process personal data? Consent is only one ground. The others are contract, legal obligation, vital interests, public interest and legitimate interests.
“Even if you are relying on consent, that still does not mean you have to ask for consent again. Recital 171 of the GDPR makes clear you can continue to rely on any existing consent that was given in line with the GDPR requirements, and there’s no need to seek fresh consent. Just make sure that your consent met the GDPR standard and that consents are properly documented.”
So for the telecommunication service provider industry, contract, vital interests, legal obligation and legitimate interests all come into play when dealing with existing and prospective clients.
Being cynical, the only thing sending out re-consent forms achieved was to give clients who had previously been happy to receive marketing information an opportunity to decline consent.
The fear of external hackers causing data breaches
Although, according to data from the Information Commissioner’s Office (ICO), four out of five data breaches are caused by internal negligence or a lack of adequate safeguarding policies and procedures, the instances of external hacks (e.g. British Airways in September 2018 or the 2017 malware attack on the NHS) are the ones that grab headlines. Take the case of Morrison’s Supermarket, which last year was ordered to pay compensation to thousands of employees after the payroll details of 100,000 employees were leaked online. The cause of the leak? A disgruntled employee.
The statistics given by the ICO confirm that businesses need to focus their attention on securing internal systems, as well as ensuring GDPR compliance and directing their IT teams accordingly.
So what?
GDPR absolutely SHOULD be taken seriously. However, as long as you have completed your IT mapping so you know where all the personal data you hold is kept, have updated third-party data processing contracts, and send marketing materials ONLY to those who have a ‘legitimate interest’ in what you are providing, your organisation can carry on as normal.