6. Forget other laws
With all the excitement about GDPR, it’s very easy to forget that it’s just another data protection law, and that in the rush to prepare, a dumb way to fail would be to fall foul of the existing laws.
A common theme for many organisations as they prepare for GDPR is updating the legal basis for processing: where they rely on consent as a legal basis, if the existing consent is not recognised under GDPR, then it needs to be brought up to standard.
For example, if an existing consent was captured using a default opt-in (e.g. a pre-ticked box); or a database has data of mixed or unknown provenance; or the decision has been taken to change the legal basis for processing (e.g. from legitimate interest to consent); then a refresh programme is going to be necessary.
However, get that consent refresh wrong and you could have all sorts of problems. Witness what happened to these companies:
- Morrisons Supermarket sent 130,671 emails asking for consent from customers who had opted out of direct marketing, resulting in a fine of £10,500
- Honda Europe sent 289,790 emails to customers asking for consent when they could not demonstrate a lawful basis for processing, resulting in a fine of £13,000
- FlyBe sent 3.3 million emails asking for consent from customers who had opted out of direct marketing, resulting in a fine of £70,000
- MoneySuperMarket sent 7.1 million emails asking for consent from customers who had opted out of direct marketing, resulting in a fine of £80,000
There’s a pattern forming there. If the legal basis for processing is unclear, or the data subjects have opted out of processing, then your consent refresh could land you in hot water. In each case the applicable legislation wasn’t GDPR or even the Data Protection Act; it was the Privacy and Electronic Communications Regulations (PECR).* Those organisations fell foul of PECR in their efforts to comply with GDPR.
And those fines are just the tip of the iceberg. In all likelihood the organisations’ abilities to use those marketing databases would have been severely impaired thereafter as a result of the Information Commissioner’s enforcement actions. In the worst case, they might have had to delete the databases completely, and that would be the real impact.
So if you’re busy refreshing consent for the use of personal data, don’t be dumb: remember that you’re already subject to data protection laws, and comply with them.
* Pro tip: if you’re worried about PECR when handling a marketing database, remember that it only applies to electronic communications (phone and email**). Using postal channels to reconsent is neither cheap nor necessarily as effective, but it might simplify your legal risks.
** Technically, PECR also covers facsimile machines, but unless you wish to market to someone in the 1980s you’ll probably be fine.
Please suggest your own GDPR Dumb Ways to Fail in the comments below, and we’ll add them to the list to be tackled in the coming days.