Don't panic over GDPR: marketing hyperbole adds confusion to new data laws

Experts advise a calmer approach to new data laws than the fear, uncertainty and doubt currently circling the UK IT industry

Areas of confusion

One area that consultancies and service providers are pushing is security, which is merely one aspect of GDPR, notes Sloan. "Many IT vendors are repackaging existing products and services to market them as GDPR solutions particularly in relation to IT security and audit tools," he said. "While technology undoubtedly has a part to play in helping organisations prepare for GDPR and manage the risks going forward, technology is not a solution in itself."

Sloan warns: "Be wary of anything that claims to make you 'GDPR compliant' or be 'GDPR certified'. Ask the vendor about their understanding of GDPR, details of existing clients and whether their product has been independently assessed."

There's other misinformation around GDPR, according to Sloan. "For example, new rights such as data portability and the right to be forgotten are not absolute rights," he said. "Contrary to what you might read, they will not apply in every situation; they will not stop businesses being able to provide services to their customers."

Another area that's full of confusion is consent. Turner said some GDPR-themed marketing materials suggest companies must always seek consent to process data, which he stresses isn't true. "I have read quite a few articles that said you have to have consent in all circumstances; that isn't true," he explains. "There are other justifications [to use data] like a contract between the individual and the organisations, or legal obligations."


Sloan agreed, saying that "consent (and, in the case of sensitive personal data, explicit consent) is just one condition under which personal data can be processed." He added: "Indeed, GDPR encourages organisations to move away from consent as a basis for processing, as consent-based processing gives data subjects greater rights."

That said, Turner admits that consent will become a "real problem for some organisations", but at the heart of GDPR is a push for transparency. Use collected data for a purpose that isn't made clear, and you'll already fall foul of the ICO: the commissioner has already taken action against 13 charities for just that. "And that's before you get this much greater demand for transparency under GDPR," he said. "I think that is a risk some organisations, they're not very good at telling people what they're doing. They use clunky language and long privacy policies, and GDPR is designed to not allow that."

What to do about GDPR

Now your business has stopped panicking about GDPR, what should it do? Turner advises two measures, neither of which necessitates outside, paid-for help. First, look at the data you have collected and hold, and be clear about its purpose. "Any of the challenges GDPR actually poses for you needs to start with 'what have we got and why?'" he said. "You may find that the data you hold you don't need anymore and the best thing to do is dispose of it."

Turner's second tip is to actually read the GDPR. "Look at what it actually says," he advised. "Look at what the bill says when it comes out and start by thinking about what you've got and why you've got it."

Sloan agreed that the biggest challenge is simply working out what data you hold, but said the issue isn't helped by a lack of regulatory guidance, with the government only just publishing its draft Data Protection Bill.

That gives companies nine months to get ready, Sloan notes. If you've already started preparations (and as you're reading this story, it suggests you're thinking about it, at least), you needn't panic, but plenty of companies still aren't even aware of GDPR. "The issue is one of awareness," said Sloan. "A survey that we carried out in conjunction with Ipsos Mori found that one in four organisations was not aware of GDPR, and of those that were, nearly 50% had not taken basic steps to prepare."


So while the marketing madness around GDPR isn't necessary for those in the know, it may well have a positive purpose if it sparks a bit of awareness for the quarter of businesses that are still out of the loop.
