Partners Toni Vitale and Jon Baldwin in our Regulation, Data and Information team tackle the top nine myths about GDPR.
1. Under GDPR you are not allowed to send marketing emails or call your customers
WRONG: consent is just one way to comply with the GDPR. You can rely on other lawful bases in addition to (or apart from) consent – for example, where processing is necessary for your organisation’s or a third party’s legitimate interests.
What does GDPR actually say?
- Pre-ticked, opt-in check boxes do not count as valid consent;
- You must make it easy for people to withdraw their consent; and
- You must explain consent using clear and plain language (if you rely on it).
2. You have to write to all of your contacts and ask them to opt in or ‘refresh’ their consent
WRONG: The GDPR does not require you to automatically refresh, ‘repaper’ or re-collect existing consent from your customers.
If you’re relying on consent as your primary lawful basis for processing data, you need to make sure that the consent you’ve collected meets the GDPR standard and is specific, detailed, properly documented and easily withdrawn.
If you don’t think you meet the standard, you’ll need to change your consent mechanisms and seek new GDPR-compliant consent – or establish another lawful basis for processing data.
3. When relying on consent to process personal data, consent must be explicit
WRONG: consent must be “unambiguous”, not “explicit”. Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt in” will suffice. For non-sensitive data, “unambiguous” consent is sufficient.
4. All organisations must appoint a Data Protection Officer
WRONG: DPOs must only be appointed in the case of: (a) public authorities; (b) organisations that engage in large-scale systematic monitoring; or (c) organisations that engage in large-scale processing of sensitive personal data. If you don’t fall into one of these categories, then you don’t have to appoint a DPO – though appointing one is encouraged in the interests of good practice.
5. Small businesses are exempt
WRONG: There is no exclusion under the GDPR for businesses with only a few employees. However, small companies will now pay a much lower registration fee of £40 – 60 and large companies will pay substantially more.
6. Brexit means we don’t have to bother with GDPR after March
WRONG: The GDPR was incorporated into English law in the Data Protection Act 2018, so the law will still apply after Brexit. The Government are also planning to sign a data treaty with the EU to cement the relationship between regulators and make the free movement of data across borders easier.
7. Individuals have an absolute right to be forgotten
WRONG: Unlike the right to opt-out of direct marketing, the right of erasure is not an absolute right. Organizations may continue to process data if the data remains necessary for the purposes for which it was originally collected, and the organization still has a legal ground for processing the data under.
8. Every business must make data ‘portable’
WRONG: Data portability requirements are mandated only when processing is based on consent or contractual necessity. It does not apply when, for example, processing is based on legitimate interests.
9. There are no rules or laws about how long to retain data
WRONG: In fact, there are many laws which dictate how long to retain data. Tax records must be retained for 8 years (and VAT records for 6 years). Details of accidents which happen to employees have to be kept for 10 years. The important point is that companies will need to have a data retention policy and should stick to it. Companies can have different retention periods for different types of data. It may be easier to have a minimum rather than a maximum period, e.g. “your data will be kept for at least 8 years and then only if we have a good business reason and a legal basis to retain it”.
If you have any queries regarding GDPR then contact our team.