Areas of confusion
One area that consultancies and service providers are pushing is security, which is merely one aspect of GDPR, notes Sloan. "Many IT vendors are repackaging existing products and services to market them as GDPR solutions particularly in relation to IT security and audit tools," he said. "While technology undoubtedly has a part to play in helping organisations prepare for GDPR and manage the risks going forward, technology is not a solution in itself."
Sloan warns: "Be wary of anything that claims to make you 'GDPR compliant' or be 'GDPR certified'. Ask the vendor about their understanding of GDPR, details of existing clients and whether their product has been independently assessed."
There's other misinformation around GDPR, according to Sloan. "For example, new rights such as data portability and the right to be forgotten are not absolute rights," he said. "Contrary to what you might read, they will not apply in every situation; they will not stop businesses being able to provide services to their customers."
Another area that's full of confusion is consent. Turner said some GDPR-themed marketing materials suggest companies must always seek consent to process data, which he stresses isn't true. "I have read quite a few articles that said you have to have consent in all circumstances that isn't true," he explains. "There are other justifications [to use data] like a contract between the individual and the organisations, or legal obligations."
Sloan agreed, saying that "consent (and, in the case of sensitive personal data, explicit consent) is just one condition under which personal data can be processed." He added: "Indeed, GDPR encourages organisations to move away from consent as a basis for processing, as consent-based processing gives data subjects greater rights."
That said, Turner admits that consent will become a "real problem for some organisations", but at the heart of GDPR is a push for transparency. Use collected data for a purpose that isn't made clear, and you'll already fall foul of the ICO the commissioner has already taken action against 13 charities for just that. "And that's before you get this much greater demand for transparency under GDPR," he said. "I think that is a risk some organisations, they're not very good at telling people what they're doing. They use clunky language and long privacy policies, and GDPR is designed to not allow that."
What to do about GDPR
Now your business has stopped panicking about GDPR, what should it do? Turner advises two measures and neither necessitates outside, paid-for help. First, look at the data you collected and hold and be clear about its purpose. "Any of the challenges GDPR actually poses for you needs to start with 'what have we got and why?'" he said. "You may find that the data you hold you don't need anymore and the best thing to do is dispose of it."
Turner's second tip is to actually read the GDPR. "Look at what it actually says," he advised. "Look at what the bill says when it comes out and start by thinking about what you've got and why you've got it."
Sloan agreed that the biggest challenge is simply working out what data you hold, but said the issue isn't helped by a lack of regulatory guidance with the government only just publishing its draft Data Protection Bill.
That gives companies nine months to get ready, Sloan notes. If you've already started preparations and as you're reading this story, it suggests you're thinking about it, at least you needn't panic, but plenty of companies still aren't even aware of GDPR. "The issue is one of awareness," said Sloan. "A survey that we carried out in conjunction with Ipsos Mori found that one in four organisations was not aware of GDPR, and of those that were, nearly 50% had not taken basic steps to prepare."
So while the marketing madness around GDPR isn't necessary for those in the know, it may well have a positive purpose if it sparks a bit of awareness for the quarter of businesses that are still out of the loop.
Image credit: Bigstock
