GDPR: 3 practical questions facing businesses like yours

In just a few months—on May 25th—compliance with the General Data Protection Regulation (GDPR) becomes mandatory. The biggest change to data protection law for a generation, it imposes vastly stricter data protection requirements on businesses, and a far tougher penalty regime.

By now, there can be few businesses that don’t know this. Reminders are everywhere, and it is hoped that most are well advanced with their compliance plans. The debate has moved on from “What is the General Data Protection Regulation?” to “How exactly do we comply with it?”

But as businesses ask that question, and work through their compliance process, practical problems can arise. And here at The Legal Director, we’re noticing that many of our clients are asking us the same questions about those problems.

So here—right from the front lines of General Data Protection Regulation compliance—are three of the most commonly-asked questions that we hear, along with the guidance that we usually provide.

1) “Direct marketing counts as a ‘legitimate interest’, right?”

Wrong. A lot of marketing departments seem to have latched on to the Regulation’s mention, in section 47, of the fact that direct marketing is a legitimate use of personal information.

And that’s true, as the UK’s Information Commissioner’s Office has affirmed.

But that doesn’t mean that the use of personal information for direct marketing by electronic means can necessarily be regarded as unregulated, as some marketing departments also seem to think. Instead, it means that such use is already governed by existing laws—notably the Privacy and Electronic Communication Regulations 2003—and that compliance with those laws is already a requirement, which will remain the case after the GDPR is in force.

This means that businesses can only carry out unsolicited electronic marketing to individuals (which includes sole traders and some partnerships in your datasets) if the person they are targeting has already provided their permission for this—or, exceptionally, if so-called ‘soft opt-in’ conditions are met. Nor is there a continued free-for-all on marketing to your commercial contacts: you should supply a privacy notice explaining that you are relying on having a legitimate interest, as well as the ubiquitous unsubscribe method.

Further, the business needs to think carefully about how it engages with those whose details have come to the business by delegate lists, attending trade fairs, passing business cards and the like. Add to the mix that this is set to change when the new privacy regulations (e-PR) come into force, as commercial contacts will then have to be managed under the same regime as individual contacts.

With the burden of proof regarding these ‘soft opt-in’ conditions and capture of GDPR consent being on the business carrying out the marketing campaign, everyone’s expectation to have the power of “opt in”, and the new e-PR on the horizon, our view is that each business with a mixed data set (business and individuals) needs to make a business decision now: do you play it safe and only send direct marketing material on the grounds of consent, or ride the legitimate interests wave for business contacts while it’s here?

2) “What exactly does the ‘right to be forgotten’ entail? Just which data must we erase?”

This is a question that has been causing some IT departments to have sleepless nights. Understandably, IT systems don’t take kindly to having invoice records and other transaction-related documents erased, just because a consumer doesn’t want any further marketing messages, or feels that their data has been misused.

The good news: businesses can relax—up to a point.

First, erasure will generally only be an issue if personal data has been used incorrectly or unlawfully. Use it properly and appropriately, and data subjects won’t feel the need to ask you to erase any data; or, if they do, you can resist the request, as the processing is in line with GDPR and your policies.

So if your business’s data retention policy says you will retain the specific data for 7 years, make sure you do just that, as after this period you are processing it unlawfully. This gives you some time to make sure you have data ecomaps of where data is in your systems, and have worked through anonymization or deletion processes to manage your own retention policy to the letter.

3) “After May 25th we can relax, right?”

Wrong, again. As the Information Commissioner’s Office put it, the General Data Protection Regulation isn’t like the issue of the ‘Y2K Millennium Bug’, which focused attention on how computer systems handled the transition from December 31st 1999 to January 1st 2000.

Once January 1st 2000 had happened, businesses could relax. Not so with the General Data Protection Regulation: compliance is an ongoing requirement.

So the need for compliance will have to be built into every marketing campaign, and every project. And businesses will be expected to continue to identify and address any emerging privacy and security risks in the weeks, months and years beyond May 25th.

The General Data Protection Regulation, in short, will have to become another aspect of how business is done, as with any other ongoing regulatory requirement.

GDPR: the bottom line

It’s fair to say that the General Data Protection Regulation has come as something of a shock to quite a number of businesses. Certainly, it’s no simple ‘box ticking’ exercise. It’s a real legal requirement, backed up by real regulatory teeth.

That said, as the Information Commissioner herself has pointed out, it’s also an opportunity to put good data protection practices in place right across the organisation—practices that will make your business more secure, and which will reduce the reputational risks that it faces from a data security breach.

In other words, there’s considerable merit in not just complying with the General Data Protection Regulation, but complying with it properly, and robustly, and with systems and procedures that are truly fit for purpose.

Are yours truly fit for purpose? If you’re not sure, we can help. To find out how, pick up the phone, or email


Posted Thursday, March 1st, 2018 by Warren Ryland


