It’s nearly a year since the General Data Protection Regulation (GDPR) came into force. Despite the large amount of publicity generated in the period leading up to 25th May 2018 (much of which focussed on the eye-watering levels of fines that can be imposed) and the new industry of GDPR consultants that came into being at the time, interest in the GDPR from both the media and businesses seems to have waned.
Was this just a repeat of the millennium bug hysteria of nearly 20 years ago, when many businesses spent large amounts of money they didn’t need to on supposed millennium bug fixes, and we all feared our toasters would cease to work on 1st January 2000? Or did the GDPR make substantial changes to data protection law that businesses were right to spend time and money on, and should still take very seriously? Well, perhaps a little of both.
GDPR and the Data Protection Act 1998
The fact remains that many of the underlying principles of data protection law enshrined in the GDPR were already present in the Data Protection Act 1998. Businesses should have been taking their data protection responsibilities seriously for the last 20 years: for example, only processing personal data where they had a lawful ground for doing so. The GDPR did introduce some new specific obligations, particularly around the details that have to appear in privacy notices, and around the accountability obligations imposed on businesses (i.e. it’s not enough to follow data protection law: you have to be able to demonstrate that you do, by way of policies, training and various documentation). But any business that was already largely complying with the Data Protection Act would have found that the main impact of the GDPR was additional paperwork rather than a fundamental change in its practices. It’s the businesses that seemed oblivious to the old Data Protection Act that had the biggest wake-up call and the most challenges in complying (largely motivated by the potential fines publicised by the media and, indeed, by some GDPR consultants).
The meaning of “consent” under GDPR
One fairly fundamental change that the GDPR did introduce was to the meaning of “consent”. If you’re relying on consent (either for processing personal data or for sending marketing emails) then it must be freely and clearly given, not buried in small print or bundled with other consents. But some businesses made a serious error in thinking that consent was the only option, when it is just one of several lawful bases for processing. Even worse, there was (and still is) much confusion over the rules on direct electronic marketing, which are governed by the Privacy and Electronic Communications Regulations (PECR), not by the GDPR. Under PECR, you don’t necessarily need consent at all to market your own similar products and services to existing customers, as long as you gave them the opportunity to opt out when you collected their contact details and you provide the customary unsubscribe link in every message.
Further Reading: What Does GDPR Mean For Marketing
Despite this, some businesses needlessly lost large parts of their marketing databases by seeking fresh consent from their entire database, irrespective of whether they already had consent or simply didn’t need it.
The ICO’s fines under GDPR
And what about those fines? Because of the time it takes for the Information Commissioner’s Office (ICO) to issue fines following an incident, all of the ICO’s fines issued since last May for data protection breaches have been under the old Data Protection Act. While the ICO’s attitude in the past has been to impose fines only for serious matters and to make the fine fit the seriousness of the breach, it’s impossible to say whether that will remain the same under the GDPR, especially if the Government sees higher fines as a means for the ICO to raise more income to fund its operations. It’s likely we will have to wait another 12 months for an answer on that.
So should you still be keeping the GDPR and your data protection obligations to the fore of your business? The simple answer is yes. The media interest may have gone, but the ICO hasn’t. If you suffer a data protection breach, the ICO is very likely to ask to see your policies, records of processing, privacy notices and evidence of staff training. If you have a full set of documents and can demonstrate material compliance with your GDPR obligations, the ICO is far more likely to look leniently at your case than if you have no evidence of compliance at all.
If you want to discuss any aspect of the GDPR or direct marketing, please contact Matt Worsnop at firstname.lastname@example.org.