Don't panic over GDPR: marketing hyperbole adds confusion to new data laws

Experts advise a calmer approach to new data laws than the fear, uncertainty and doubt currently circling the UK IT industry

Areas of confusion

One area that consultancies and service providers are pushing is security, which is merely one aspect of GDPR, notes Sloan. "Many IT vendors are repackaging existing products and services to market them as GDPR solutions, particularly in relation to IT security and audit tools," he said. "While technology undoubtedly has a part to play in helping organisations prepare for GDPR and manage the risks going forward, technology is not a solution in itself."

Sloan warns: "Be wary of anything that claims to make you 'GDPR compliant' or be 'GDPR certified'. Ask the vendor about their understanding of GDPR, details of existing clients and whether their product has been independently assessed."

There's other misinformation around GDPR, according to Sloan. "For example, new rights such as data portability and the right to be forgotten are not absolute rights," he said. "Contrary to what you might read, they will not apply in every situation; they will not stop businesses being able to provide services to their customers."

Another area that's full of confusion is consent. Turner said some GDPR-themed marketing materials suggest companies must always seek consent to process data, which he stresses isn't true. "I have read quite a few articles that said you have to have consent in all circumstances; that isn't true," he explains. "There are other justifications [to use data] like a contract between the individual and the organisations, or legal obligations."

Sloan agreed, saying that "consent (and, in the case of sensitive personal data, explicit consent) is just one condition under which personal data can be processed." He added: "Indeed, GDPR encourages organisations to move away from consent as a basis for processing, as consent-based processing gives data subjects greater rights."

That said, Turner admits that consent will become a "real problem for some organisations", but at the heart of GDPR is a push for transparency. Use collected data for a purpose that isn't made clear, and you'll already fall foul of the ICO; the commissioner has already taken action against 13 charities for just that. "And that's before you get this much greater demand for transparency under GDPR," he said. "I think that is a risk some organisations, they're not very good at telling people what they're doing. They use clunky language and long privacy policies, and GDPR is designed to not allow that."

What to do about GDPR

Now that your business has stopped panicking about GDPR, what should it do? Turner advises two measures, and neither necessitates outside, paid-for help. First, look at the data you have collected and hold, and be clear about its purpose. "Any of the challenges GDPR actually poses for you needs to start with 'what have we got and why?'" he said. "You may find that the data you hold you don't need anymore and the best thing to do is dispose of it."

Turner's second tip is to actually read the GDPR. "Look at what it actually says," he advised. "Look at what the bill says when it comes out and start by thinking about what you've got and why you've got it."

Sloan agreed that the biggest challenge is simply working out what data you hold, but said the issue isn't helped by a lack of regulatory guidance, with the government only just publishing its draft Data Protection Bill.

That gives companies nine months to get ready, Sloan notes. If you've already started preparations (and as you're reading this story, it suggests you're thinking about it, at least), you needn't panic, but plenty of companies still aren't even aware of GDPR. "The issue is one of awareness," said Sloan. "A survey that we carried out in conjunction with Ipsos Mori found that one in four organisations was not aware of GDPR, and of those that were, nearly 50% had not taken basic steps to prepare."

So while the marketing madness around GDPR isn't necessary for those in the know, it may well have a positive purpose if it sparks a bit of awareness for the quarter of businesses that are still out of the loop.

Image credit: Bigstock
