The GDPR: so many myths...so little time

Napthens - February 22nd 2018

The headlines and the mailshots have been coming in thick and fast for about a year now and one message at least is clear: the General Data Protection Regulation, the biggest change to Data Privacy law in a generation, will come into force on the 25th May. Not even Brexit will stop it.

Busy chief executives and compliance officers looking for a practical guide as to what they will have to do to comply with this parting gift from the EU may have their work cut out, however. They are certainly unlikely to find clarity in the business press - many of the articles appearing have been misleading at best.

One recent article [1], for example, told us: “The General Data Protection Regulations … will require organisations to obtain the consent of consumers to use their data, as well as giving people the right to see what data is being collected on them and the ‘right to be forgotten’ – that is, to ask companies to delete information about them.”

Reading this, a chief executive might reasonably despair, wondering how on earth they can get “consent” from every one of their customers, let alone respond to the other points raised. To which the brief answer (taking each of The Times’ points in turn) is:

  • No, they won’t need to seek consent from consumers to use their data in most cases
  • Yes, people will have the right to see what data is being collected on them, but they have had this right since the Data Protection Act of 1998 and the sky hasn’t fallen in
  • The “Right to be forgotten” will apply in certain circumstances only

This confusion has almost certainly led many organisations to take an overly restrictive approach, likely to adversely affect their bottom line.

For example, many businesses appear to have decided to mailshot their customers to ask them to consent to receive direct marketing communications. Not only is this likely to be unnecessary, but these businesses are likely to lose the right to contact any customer who fails to respond and could also put themselves at risk of being fined for making the approach in the first place.

So what should you do?

None of the above is to minimise the task in hand. The Information Commissioner has been very busy hiring extra enforcement staff and the level of fines for non-compliance has been increased to eye-watering levels.

It’s clear that inaction is not the answer.

Napthens' commercial team has been busy helping many of our clients to get ready for the GDPR. For each client our advice is likely to be different; a retailer handling large amounts of consumer data will need to take a very different approach to an engineering company handling very little.

Please contact us and let us help guide you through the GDPR maze.

[1] The Times, February 17th 2018