It was Robert A. Heinlein who told us to “always listen to experts. They’ll tell you what can’t be done, and why. Then do it.”
The issue of ‘experts’ has arisen in relation to the General Data Protection Regulation (GDPR), which applies from May 2018 in place of the Data Protection Act 1998. It affects the great majority of businesses in the UK, because savvy businesses are processing ever more valuable customer, prospect and employee data.
But a note of caution – just be careful who you listen to.
Proclaiming oneself as a GDPR consultant seems to be the latest fad and, whilst there are undoubtedly GDPR experts amongst them, not all of them are what they seem.
If I told you that I was a heart surgeon, would you allow me to operate on you or your family and friends? So why, if someone tells you they are an expert in a particular area of law, would you trust them without first examining their credentials and qualifications? Simply having some experience of dealing with the Data Protection Act doesn’t make somebody an expert in the GDPR: they are very different animals indeed.
Simply by way of anecdotes, we have heard the following being spouted by ‘GDPR consultants’ over the past couple of months:
- “the GDPR doesn’t have any impact on charities” – whilst there are a couple of provisions within the GDPR that do not apply to certain charities, the overwhelming majority of the GDPR applies to charities in precisely the same way as it applies to big business.
- “there are now 9 data protection principles under the GDPR” – no, there are 6, together with a significantly increased number of additional statutory obligations compared to the Data Protection Act.
- “any existing data in your database is exempt from the GDPR because it was collected when the Data Protection Act was in force” – no. There is an exception for data collected before May 2016, but only on condition that, had the GDPR been in force when the data was originally collected, the collection would have complied with the GDPR at that time.
- “an email address won’t be classed as personal data, even where it is in the format firstname.lastname@example.org” – personal data is defined as any information relating to an identifiable person. A person can clearly be identified from an address in that format, so it is personal data.
- “once your data is stored in the Cloud, you don’t have to worry because the Cloud provider will comply with GDPR” – definitely not! The GDPR places the obligation on you, as the data controller, to satisfy the GDPR. The Cloud provider, as your processor, will also have to comply with the GDPR, but their compliance will not excuse your non-compliance.
- “you must have a data protection officer if you are sending large quantities of email marketing” – no. There are a number of organisations that will be required to appoint a data protection officer, but the quantity of e-marketing being sent out is not what determines this.
- “consent must be obtained for direct marketing by post” – not necessarily. It is entirely possible that one of the other legal grounds could apply, in which case consent wouldn’t be necessary.
All we ask is that you be careful to whom you turn for advice on the GDPR. Just as you’d want to be comfortable that the heart surgeon has indeed done it before (with some success!), check that the consultant really is an ‘expert’ and, if in doubt, feel free to ask for a second opinion.
Alternatively, make use of our Brilliantly Simple Guide to the GDPR, which contains answers to many of your questions. And if the answer isn’t there, let us know, and we’ll include it.
These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice.