Don't trust everything you read about GDPR

Beware the expert

D-Day – or GDPR-Day – is almost upon us. Various reports suggest that close to two-thirds of organisations are not even ready. Yet, organisations have had two years to get their data policies, systems, and approaches in order.

Over the past twelve months, numerous ‘GDPR experts’ have come out of the woodwork to make a quick buck from organisations who have been scared as to what the legislation means for their organisations – a complete data audit, technology that may be unsuitable for their requirements or systems not talking to one another, policies that need to be written, incident report plans that need to be constructed, contracts that need to be re-drawn, training to be undertaken.

Now, I’m not saying that there are not genuinely knowledgeable, practiced, and proficient data privacy people out there, but ask any professional data protection or data privacy practitioner or lawyer, and they’ll tell you – there’s no such thing as a GDPR expert.

Consent

Everywhere I look, I see companies peddling advice that organisations need to gain people’s consent to process their data.

This is just not true.

Consent is just one of the main six legal bases for processing data. And probably the one you should consider last of all, according to the Information Commissioner’s Office (ICO) – the body responsible for upholding individuals’ data privacy rights in the UK.

Organisations should look at whether one of the other legal bases make more sense: To enter into, or take steps to enter into, a contract; because of a legal obligation; to carry out a task in the public interest that’s set out in law; when it’s in the individual’s vital interest; when you have a legitimate interest to process data which outweighs an individual’s rights.

And let’s not forget special category data, which is a separate legal basis for those organisations collecting sensitive personal data such as race, ethnic origin, politics, religion, trade union membership, biometrics, health, sex life, or sexual orientation.

No single basis is better or more important than the others. Which basis is most appropriate to use will depend on your purpose for processing the data, and your relationship with the individual. But it’s not all about consent!

Get advice from the right place

There is one – and only one – place to go to for advice and recommendations on how your organisation should prepare and set up to be compliant with the GDPR, and that’s the ICO.

For marketers, GDPR will improve the way your organisation builds up databases and how and why you collect data, and it will force you to only market to people who actually want to hear from you – all of which will make your marketing more effective.

GDPR is a good thing, but don’t believe everything you read about it…

Huw Waters is head of marketing at digital agency Codehouse.