Blog

Six months after implementation, there is still a lot of misinformation and confusion about how GDPR works.

In fact, I have renamed GDPR the “Great Data Protection Racket” as a result of the dodgy advice that I see circulating from supposed experts.

Top of the list is the misplaced obsession which some organisations have about the issue of consent. Article 6 of GDPR provides a number of lawful grounds on which data can be processed. Consent is only one of these, and is probably the least useful.

By way of illustration, I was recently speaking to a business which rents out hospitality boxes at sporting events. The Business Development Manager had been to a trade show, and had gathered business cards from attendees who were interested in renting a hospitality box. Back at the office, he was preparing to follow up these leads by way of email and calls, but was then told by his employer’s legal adviser that to do so would be a breach of GDPR. He was told that the attendees at the trade show had not “opted in” i.e. consented, and that to follow up these leads would therefore be unlawful processing of data.

Total nonsense!

The most useful ground in article 6 of GDPR for processing data is that the processing is in the legitimate interests of the holder of the data, provided this is not outweighed by the interests of the data subject. In the case described above, it clearly is in the legitimate interests of the hospitality box business to follow up on leads. And it could not be argued by the leads that a follow-up in the circumstances described above was in any way damaging to their legitimate interests. It is not necessary for these leads to have opted in, and GDPR does not prevent the Business Development Manager from contacting them.

Similarly, I was at a networking event recently and I asked the organiser for a list of attendees. I was told, based on advice that he had received, that he was no longer allowed to do this because of GDPR. Again, it was stated that attendees would have to consent to their names being circulated on such a list.

And again, complete rubbish!

A further ground for lawful processing of data under GDPR is that it is “necessary for the performance of a contract”. Everyone who was attending the networking event had paid a fee, which creates a contract. For that contract to be performed, it is obvious that attendees had to be aware of the identity of who else was present, so that networking could be effective. Therefore, this data, being the name of the delegate and their organisation, can lawfully be processed (i.e. distributed to other attendees) using the “performance of a contract” ground in article 6 of GDPR. The issue of consent is irrelevant.

When it comes to employees, we do recommend that employers ask all staff to sign a GDPR compliant privacy notice, because employers are likely to process sensitive data about employees, such as health information. And in that situation, it is safer and advisable to have consent.

But in most other commercial situations it is a complete myth that consent, or “opting in”, is required. Based on my anecdotal evidence above, I wonder how many other organisations are needlessly hindering their business development in this way?