Well finally, it’s here.
GDPR has changed the way we approach the complexities of gathering, storing and using personal data.
So after the first two weeks, how is it all bedding in?
Over the last few weeks I have been amazed by some of the views coming through and bewildered by some of the action taken.
Some people seem to be taking a far too literal approach to their obligations.
Perhaps it would help at this stage, to bust some GDPR myths.
A needs-to-know basis
Myth number one is: you need full recipient consent and opt-in to enable you to do anything.
While consent is required for pretty much all business marketing activity, it is not required for many other day-to-day business communications and transactions.
An organisation may for example collect personal data to enable it to enquire about the potential to tender for a contract.
In this case they would not need comprehensive data use consent.
Helpfully, the UK ICO gives us clarification about this. It tells us that:
“In this context, a contract does not have to be a formal signed document or even written down, as long as there is an agreement which meets the requirements of contract law. Broadly speaking, this means that the terms have been offered and accepted; you both intend them to be legally binding and there is an element of exchange (usually an exchange of goods or services for money, but this can be anything of value).
“It may also be that processing is necessary for the purposes of the legitimate interests (and if fundamental rights and freedoms do not override such interests).”
The UK ICO clarifies that a wide range of interests may be legitimate interests and says that:
“They can be in the company’s own interests or the interests of third parties and commercial interests as well as wider societal benefits. They may be compelling or trivial.”
And if consent is required to be obtained, but it has already been provided in the past, please don’t think you need to obtain it again.
Companies should be careful in applying the consent option, as it comes with limitations. So, if consent is not needed, don’t go there.
Everyone has the right to contact the data processor at any time and ask for their data to be removed. Consent could, therefore, be taken away at any point.
Gone but not forgotten
Myth number two is that the right to be forgotten is all-inclusive.
It is not.
This right can only be enforced if the processing is based on consent as lawful ground (and not necessary for performance of a contract or any of the other lawful grounds) or if processing is no longer necessary in relation to the purpose for which they were processed (or if the individual objects and there are no overriding legitimate interests).
Let’s use an example where I believe this right does not work, namely with blockchain. This is one of the major concerns raised by people.
There are arguments to be made that the entire purpose of a blockchain means this right does not rest with the individual, as:
- Consent may not be the lawful ground for its processing
- The data will always be necessary for the purpose for which it was processed (accuracy of the entire chain) and
- There are overriding legitimate interests (which are to protect the entire chain, its inalterability and the quality and reliability of its information).
Let’s not get personal
Myth number three is that all data is personal data.
It is not.
A recent article in a serious Dutch newspaper caught my eye.
The title was, ‘Flower bulbs are also personal data.’
It argued that business information collected by the agricultural industry about bulb cultivation, the ground that’s used and the harvesting is usually retained by a company run by one individual.
Therefore, this data relates to a person and is ‘personal.’
Let’s have another look at how GDPR terminology defines ‘personal data.’
It says it is:
“Any information relating to an identified or identifiable natural person (‘data subject’).”
So, if you don’t read any further, you may say that the newspaper article is correct.
The definition however, also tells us that:
“An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
So, for data to count as personal data, it must include enough information to enable you to identify an individual.
How could a flower bulb identify its grower?
Caution, fear and overreaction
A further newspaper article describes a cheese shop that, when it sells a piece of cheese, now also hands the customer a five-page privacy statement.
It seems they are doing this because they may send invoices or emails to companies and/or post customer photos on Facebook, and they want to know that they’re doing everything they should in terms of compliance.
I suggest that this kind of activity is not what the GDPR legislation had in mind.
This is, however, understandable, and I’m sure our cheese shop example comes from the owner’s fear of getting something wrong and being fined.
Indeed, the majority of GDPR news in the run-up to May 25th was about data breaches and potential fines.
What we need to do is look at the law from a practical perspective.
We must consider the core intention behind GDPR and not always take a literal approach.
That said, I’d advise anyone to take time to read the GDPR text carefully.
And also take legal advice if you’re unsure.
The deeper your understanding is of the intention, the day to day application and your requirements, the more you will be able to act appropriately.
Clarity is still needed
Well I’ve said it before and I’ll say it again… we need more signposting.
With so many grey areas, it is clear that clarity from governments and data protection authorities is required now, more than ever.
Any more myths?
If you know of any other GDPR myths that you think need busting, then please leave a comment below.