
Lies, damn lies and GDPR

By Simon Clayton, chief ideas officer and GDPR practitioner, RefTech

Are you fed up of reading conflicting information about GDPR? Are you receiving a deluge of emails from companies proclaiming that unless you sign up and give consent then you will never hear from them again and then you will miss out on their offers / newsletter etc.? At last count I’ve received 40 of these emails, many from companies who have never even contacted me before, perhaps thinking that this is their last opportunity to contact me, even though they haven’t felt the need to previously. On one hand it’s very annoying, but on the other, it’s very interesting to see the number of companies who actually have my data.

The majority of these companies probably don’t have to contact their entire database. But they are doing it under the guidance of some self-proclaimed ‘expert’ who is telling them that they have to have explicit consent to be able to store a person’s data (you don’t – ‘consent’ is only one of the six lawful reasons to store data).

Even the BBC got it wrong; an incorrect news item sat on their website for three days until they corrected it. They only corrected it because I (and presumably others) complained to them and pointed out their error; they said that having consent was the only way a company could store and process a person’s data.

A myth has to be strong for the BBC to fall for it and this myth seems to have perpetuated itself into fact, which means I am getting totally fed up pointing this fallacy out to other people. I’ve even had to step away from a GDPR Facebook group I belonged to after several heated discussions with people who simply didn’t believe me because they had heard ‘facts’ to the contrary. The final straw was a heated discussion with a woman who runs a club who told me in no uncertain terms that under GDPR she has to contact all her members and ask them for permission to continue to store their data.

Think about it; this is a club that people sign up to voluntarily and pay to join, whose member benefits include a newsletter and other contact from the club. The very nature of joining a club is that you want them to have your details, and you expect to hear from them so that you can get involved. The club’s secretary actually thinks that they have to get explicit permission from each member to be able to just fulfil the benefits of the membership. I asked her what they would do if someone joins but withholds consent (as they must be able to do if you’re using consent as your legal basis for processing data) but she couldn’t answer that one!

Think how ludicrous that sounds. It’s utter madness to think this and it’s not what GDPR states at all. You don’t need consent if you have a ‘legitimate interest’ to store a person’s data – which means that it is quite reasonable for you to continue to store your members’ data because it’s a legitimate part of their membership.

GDPR is actually a reasonable piece of legislation, designed to protect the individual. It’s not out to confuse or overcomplicate business, but to make us all think about what data we collect and to use it responsibly. It is a little rough around the edges and some parts need further clarification and examples, but its heart is in the right place.

Stop listening to the experts, read the ICO’s guidelines yourself and if something seems silly, then it probably is and not actually part of GDPR at all.