The GDPR Spiral of misunderstanding

GDPR – Busting some misconceptions

GDPR  or GENERAL DATA PROTECTION REGULATION – I didn’t want to write about GDPR but there comes a point when you’ve read so much rubbish that there’s no way to avoid doing so!

I’ve had people contacting me asking if they have to re-consent their mailing lists, both digital and good ol’ fashion paper and post one.

I’ve had emails saying I need to re-consent so they can continue to contact me.

I’ve been presented with paper forms saying I need to re-consent so they can continue to contact me.

I’ve had people asking if they need to re-consent because they’ve had other companies asking them to re-consent…

It’s starting to spiral out of control into a black hole of misconceptions and it has to stop.

Stop the misconceptions about GDPR


Now I don’t claim to be an expert on everything (although don’t let my husband hear me say that) but I do know someone who knows an awful lot about GDPR and so I put a lot of questions to to Robyn Banks (yes it’s her real name!) from aDaVista, Specialists in utilising the Data Protection Act 1998 & the Freedom of Information Act 2000.

So let’s address the most frequent “issues” I’m encountering

  • “Consent” is not the big issue a lot of people are making it out to be.  It is ONE of SIX “lawful bases for processing” and most SMEs will process data for one of the other five apart from consent.
  • You don’t need to do anything with existing customers if you are marketing with updated products (for example) and as long as your records are clear that you have had regular contact with them in this way.  Everything needs an “unsubscribe” regardless as the subject can withdraw consent at any time.
  • Double opt in is not a legal requirement, but it does make it easier to show consent was given. Other records that show consent was obtained are fine. And see the previous point about people being able to unsubscribe.
  • INCENTIVES  to sign up, for example “Put your business card here for a chance of winning” – could be construed as obtaining consent in a hidden manner. The best approach with something like a prize draw at events is to send a followup email which seeks consent or otherwise to send marketing material.
  • For websites – requirements are fairly straight forward – Main Privacy Notice which includes a paragraph on cookies; disclaimers on all forms ; most do not need a cookie banner;
  • Registration if ANYTHING is done electronically with personal data is a legal requirement from 25 May and it is a straight fees system  – but the tiers are complicated and it’s a high fine if you don’t!

Well that’s addressed a lot of the issues, but let’s get some more detailed information from Robyn and aDaVista.


GDPR – What do I need to consider for my business?

.. I get asked this question most of the time…..  But before I can answer this (and its general advice as every organisation is slightly different!), perhaps we should dispel some myths:

New Law

Not really!  GDPR is an extension of the Data Protection Act 1998 and brings into law some aspects currently considered “best practice” – such as “Privacy by Design” (more on this later).

The GDPR becomes law in the UK (and the rest of the European Economic Area) on 25th May 2018.  The Information Commissioner’s Office (ICO) hopes that the new Act will be ready at the same time!  Together they will form data protection legislation in the UK and beyond Brexit.


A lot of people are saying you MUST have an individual’s consent to process data every time you want to do something with it – this is simply NOT the case!  You DO need consent to send someone marketing material if you have not had previous contact with them; you DO need consent to process “special category data” such as physical/mental health or condition – but these conditions already exist in the current legislation.

Otherwise you do NOT need consent to process data.

I need to shut down and start again

Why?  If the business processes you have in place work for your business then why not make GDPR/data protection “fit” into those processes!


What do I need to consider to make my business complaint and avoid the even higher fines under GDPR”?

  1.  A data audit – “Privacy by Design” requires you to look into your organisation; asses what personal data /special category data you hold, process, store and how you store it?  Is it paper or electronic?  If its’ structured both formats count.Then document this and you can prove Privacy by Design.
  2. Privacy Notice – this now replaces the Privacy Statement/Privacy Policy/Cookie Policy on the website.  Even if you don’t have a website, you still need this in place.  The ICO guidance on Privacy Notices tells you of the elements that should be included.
  3. Short” privacy notices  – on forms (both manual and electronic); email footers and contact forms on websites are common areas for these to be added…only need to be a couple of sentences (but must convey the correct information).
  4. Data Retention Schedule:  This needs to be done by the organisation.  Look at the data you hold and where you hold it.  Then decide what the need for it is in terms of how long you need to keep it. Some data will have a retention period designated in law which may apply to your business sector…Then record this information.  It will not only comply with GDPR, but make it easier to locate data and whether or not you still hold it in response to a Subject Access Request. (A “subject access request” is a request by the person for data you hold about them)
  5.  Assess whether you/the organisation is a “data controller” for the data – processing you do and control over the data …..or a “data processor” – processing data on behalf of someone else and under their instructions – e.g. putting their data onto a platform you supply.

But it’s still going be costly to get sorted!

WHY? From scratch if you have nothing in place, you are looking at a maximum of £300 if you are a SME. – we write the policies; advise on the registration; sort out a “cookie” audit ; demonstrate compliance in an appropriate manner through Privacy Notices; put in place a process for dealing with a “Subject Access Request” – as required by the ICO.

calm- GDPR doesn't have to hurt

Do you feel calmer now? It is a bit confusing to start with. There’s a lot of misinformation out there, which really isn’t helping matters.

If you need further clarity or a myth-busted or someone to help you through, do contact Robyn and aDaVista. She’s incredibly down to earth and won’t bamboozle you with jargon. And if you ask her nicely, she’ll tell you some very funny stories too.

The IT Fairy
Clare is better known as the IT Fairy because the way she can make complicated things easy is simply magic.
Comments are closed.