I knew there would be confused messages about the GDPR, given the scale and ambition of the legislation. With that in mind, I warned clients the public’s initial understanding of the GDPR might be incorrect. What I didn’t anticipate was how staggeringly incorrect the information they received would be, and the last-minute panic it would create. “Everyone else is sending opt-in emails, so we must too” – some organisations, if they didn’t consider this properly, may well have breached existing rules.
I’ve yet to read a mainstream news article or hear a media report that’s got it right about the GDPR, even from journalists who should know better.
1. NO! Organisations do NOT ALWAYS need consent to process personal data. They may do in some circumstances, but there are five other lawful bases that may be appropriate: contract, legal obligation, vital interests, public task and legitimate interests. GDPR Article 6, which lists all six, has been overlooked by most journalists and indeed some organisations.
2. NO! Organisations do NOT ALWAYS have to have consent to send you direct marketing communications. They may well do in some circumstances or may choose to take this approach, but the GDPR clearly states in Recital 47, “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. The ICO reiterates this in their Legitimate Interests Guidance, under Can we use Legitimate Interests for our marketing activities?
3. NO! The GDPR is not the only data protection law in play. The ePrivacy Directive (implemented in the UK as the Privacy and Electronic Communications Regulations, PECR) provides specific rules for electronic marketing communications, and it has either been forgotten or, for some organisations it seems, was something they never knew existed. I highlighted this back in February in GDPR: Marketers don’t forget PECR.
The message received has often been wrong. For those organisations that understood PECR and chose to push ahead relying on Legitimate Interests for marketing communications (where the rules permit), handling the consumer backlash may prove tricky. A little knowledge can be a dangerous thing, as some complainers are about to find out.
Raking over the ashes of mainstream media coverage, it’s clear the level of misrepresentation around the GDPR has been vast. Some of this is genuine misunderstanding, and some of it caused by linking the GDPR to other issues (be it EU over-regulation, data privacy in general or animus towards social media giants). It was like watching a freshly-painted wall being plastered with graffiti, any data-linked grievance scribbled in letters ten-feet high. From church prayer requests to meals-on-wheels, no aspect of national life was safe from the rampaging GDPR monster. The result? I believe explaining to (possibly aggrieved) consumers that consent is not necessarily required will be a bigger problem for many organisations than previously envisaged. I would advise preparing for this NOW. Make sure public-facing staff know the rules, are able to clearly explain them and can defend your position. Get stock responses ready and be prepared to repeat them.
Some may have formed the impression the UK had no pre-existing data protection laws (the Data Protection Act 1998 was already in force). Many may be forgiven for thinking the GDPR was purely about marketing. Again, No! The GDPR aims to harmonise data protection law across the EU, expanding its material and territorial scope. It expands the definition of personal data, meaning far more of the activities organisations undertake may fall within its scope. It redefines the data protection principles and embeds core themes of transparency, accountability and privacy by design. The GDPR covers when data breaches need to be notified, when organisations need a Data Protection Officer, and the list goes on. Also, the fines that can be levied for breaches are now substantially higher (up to €20 million or 4% of worldwide annual turnover, whichever is higher). It’s complex, detailed, often vague and in need of careful interpretation (a body of case-law can’t come too soon). It has represented a monumental task for the many organisations trying to comply. The GDPR is not only about marketing: some of its rules affect marketing activities, but all departments from HR to procurement are affected. Each of these should be prepared for challenges to their practices (compliant or not) by people who’ve been misled by a barrage of incorrect reporting.
And so, to the ICO. How they choose to respond to the misleading media narrative around the GDPR remains to be seen (although you’d have a heart of stone if you didn’t have a bit of sympathy for any regulator in these circumstances). Will they have to declare an amnesty covering the countdown to 25 May? So many companies have got their messages wrong that it might take an age for the ICO to deal with those breaches alone. And what is the responsibility of law-makers when the rules they hand down are so misunderstood?
For businesses, this is academic. Our advice is consistent – understand the GDPR principles. Implement compliant procedures. Be transparent. And let the regulators pick off those who chose not to be as wise as you.
Philippa Donn, 29 May 2018
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.