dispelling the myths and misconceptions
There is a lot of concern around GDPR and its negative effects on the ability of businesses to communicate with their customers. This article looks to dispel some of the myths and misconceptions that have sprung up since 25th May 2018.
Myth Number 1 : "I need consent to send Direct Mail to my customers"
This simply is not the case. As with ALL types of processing, the criteria are quite clear. You must have a "legal basis for processing", but consent is only one of them. Direct Mail, sent to a person that you have a relationship with, falls under "Legitimate Interests" and therefore does NOT need consent.
Myth Number 2 : "I can't send my data to third parties"
As with all things that have a high value, you are right to protect it. However, putting a blanket ban on data "leaving the building", so to speak, is fallacious. As long as the supplier in question has a sufficiently rigorous IT infrastructure, a secure data transfer platform, and all relevant NDAs and contracts in place, then there is only a small, mitigated risk.
Myth Number 3 : "Organisations are threatened with MASSIVE fines"
The law isn't there to generate fines. It is about putting the rights of the consumer first. Whilst the ICO does have the power to issue eye-watering fines, any suggestion that they will make examples of some businesses is simply scare-mongering. The ICO are there to guide, advise and educate companies about how to remain compliant under GDPR. They are much more in favour of the carrot than the stick.
Myth Number 4 : "I have to report ALL data breaches to the ICO and they can fine me immediately"
Reporting a data breach is only mandatory IF it is "likely to result in a risk to subjects' rights and freedoms". So unless that is the case, there is no obligation to report.
Myth Number 5 : "Because Email and SMS fall under PECR, Direct Mail must be the same?"
Absolutely not. The ICO in the UK have stated that as long as the use of data is "proportionate, has a minimal privacy impact, and people would not be likely to object", then Direct Marketing IS COMPLIANT. As it is not electronic, Direct Mail does not currently fall under PECR, and therefore different rules apply than to the other channels mentioned.
Myth Number 6 : "We have to get fresh consent from all our customers to comply with the GDPR"
This is the one that I see more often than the others. But the ICO themselves state that this is not the case. Where you have an EXISTING relationship (e.g. someone who has bought goods or services from you), then it may not be required at all. It all relies on how you collected the data in the first place, and whether it would have met the standard of the OLD DPA (Data Protection Act). GDPR is an EVOLUTION, not a REVOLUTION.