GDPR – sorting the fact from the fiction

Listen to our March 2018 podcast answering your questions on GDPR myths.

By Elizabeth Denham, Information Commissioner.

The General Data Protection Regulation comes into force on 25 May 2018.

That’s not new news. But it is a fact.

It’s also fact that not everything you read or hear about the GDPR is true.

For the most part, writers, bloggers and expert speakers have their facts straight. And what they say – and sometimes challenge – helps organisations prepare for what’s ahead.

And there’s a lot to take in. The Data Protection Bill announced this week gives more detail of the reforms beyond the GDPR, for example.

But there’s also some misinformation out there too. And I’m worried that the misinformation is in danger of being considered truth.

“GDPR will stop dentists ringing patients to remind them about appointments” or “cleaners and gardeners will face massive fines that will put them out of business” or “all breaches must be reported under GDPR”. I’ve even read that big fines will help fund our work.

For the record, these are all wrong.

If this kind of misinformation goes unchecked, we risk losing sight of what this new law is about – greater transparency, enhanced rights for citizens and increased accountability.

So, I want to set the record straight. I want to bust the myths. Because I know that most organisations want to get the GDPR right when it comes into force in 289 days.

This is the first in a series of blogs to separate the fact from the fiction. We’ll be publishing future myth-busting blogs on consent, guidance, the burden on business and breach reporting.

Myth #1:

The biggest threat to organisations from the GDPR is massive fines.


This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.

Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.

And that concerns me.

It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum allowed under the new law: €20 million (around £17 million) or 4% of global annual turnover, whichever is higher.

But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.

The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.

Our Information Rights Strategy – a blueprint for my five-year term in office – confirms that commitment.

And just look at our record:

Issuing fines has always been and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.

And we have yet to invoke our maximum powers.

Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense.

Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st century world.

But we intend to use those powers proportionately and judiciously.

And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.

Like the DPA, the GDPR gives us a suite of sanctions to help organisations comply: warnings, reprimands, corrective orders. While these will not hit organisations in the pocket, their reputations will suffer a significant blow.

And you can’t insure against that.

Elizabeth Denham was appointed UK Information Commissioner on 15 July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada.

118 Responses to GDPR – sorting the fact from the fiction

  1. Julie Wells says:

    This is really a really useful resource thank you, I will be checking this blog regularly

  2. Victor Sonde says:

    Thanks for clearing up with the facts, Elizabeth, that the consumer / citizen is the heart of the GDPR. It’s important to note that the consequences of non-compliance are driving lots of businesses at the moment. Nobody wants to be the scapegoat. We will continue to coach and educate our clients along these lines. I look forward to reading more from you. Thanks once again.

  3. Simon Ghent says:

    The GDPR is an opportunity to treat personal data with the respect it deserves. It can deliver tangible benefits and competitive advantage to organisations that put data privacy and security at the heart of what they do.

    Sadly, thanks to a number of factors, we’re awash with poor if not totally inaccurate advice along with the usual FUD. I therefore welcome this blog post and hope it dispels some of the current hysteria.

    However, it would also be of benefit if the ICO could accelerate publication and clarification of its policies and understanding around certain key areas. It would also be useful to have clear certification processes so that organisations can make informed choices.

    GDPR is not complicated. It builds on data privacy and security principles that organisations should already be abiding by. If all a data privacy consultant can talk about is the stick rather than the carrot then my advice would be to look elsewhere.

    Don’t believe the FUD.

  4. John Noble says:

    Yes much has been made of the new fines and maybe this is scaremongering from businesses who are profiting from the implementation of the new legislation, but one should not forget the potential fall out from data breaches irrespective of any fines that the ICO may or may not impose.

    As you highlight, reputations could suffer a significant blow.

    I know this is an extreme case, but in 2013 a major US discount retailer was subject to a hack after malware was introduced to 1,800+ stores. A reporter broke the news and the retailer admitted that over 40 million customer records were compromised, including encrypted PINs.

    The fall out from the data breach included:
    – Revenue falling by 5%
    – Profits falling by over 50%
    – The CFO having to apologise to Congress
    – The CIO having to resign
    – The CEO ultimately resigning

    The cost to the retail giant was $162m in 2014 alone and the total damages paid out could exceed US$1 billion before all is said and done.

    So the consequences for serious data breaches can be far higher and far wider reaching than potential regulatory fines or enforcement.

  5. Pingback: GDPR – Sorting The Fact From The Fiction: – Global Project Engineering Group

  6. Pingback: GDPR and the Data Protection Bill: Myths and Misunderstandings | Blog Now

  7. Jimmy Elliott says:

    These blogs are an excellent way to help us all understand the intent and approach of the ICO. A good read. Keep them coming!

  8. Chris says:

    Finally, some sanity in words, thank you

  9. Claire Heslop says:

    Could we have some clarification on charges? I understand that there will be no charges for data but can the NHS still charge for providing photocopies of paper medical records?

    • mark b says:

      The ability to charge a fee for health records comes under the Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 and presumably this will be swept away along with primary legislation (ie DPA 1998). Therefore the £50 charge will also go.

      • Claire Heslop says:

        That’s unfortunate and will no doubt put an extra strain on an already overstretched NHS

  10. Teo says:

    If you think that the massive fines are not the biggest threat to the business then I’m sorry but you certainly have no idea about GDPR and its implications for the business world.

    • Hitesh says:

      I’m not really in agreement with your statement. It would be good to hear more about how you feel that the fines are the biggest threat to business.
      To get hit with the maximum fine a business would have to demonstrate clear negligence and a clear lack of intent to protect the personal data of a data subject. There are going to be very few cases where this is true.
      Right now the biggest ‘threat’ that GDPR brings is the lack of expertise many organisations have in data protection, making it more of a challenge to comply or even know if they are in compliance.
      There are way too many ‘consultants’ out there banging on the 4%/17m drum. To be clear I am a security consultant working in this space, but scare tactics don’t help anybody progress in this space. Yes there is a substantial fine for non-compliance, but this is not a black and white situation where you get the maximum fine for every breach. There will be a sliding scale of fines that reflect the unique characteristics of each breach.

      Happy to hear your thoughts.

      • Teo says:

        You said it yourself. There is a lack of expertise which can lead to non-compliance. Maybe not the highest fine but still. It could harm a company’s reputation and finances quite hard. I really don’t know how you cannot see that.

      • Anonymous says:

        An unexpected financial penalty of any size could severely affect a micro business / SME’s cashflow and have severe knock-on consequences. Even if a business got a “small fine” of £10,000 it could be enough to force them to shut up shop. In the case of Boomerang Video the fine was £60,000, which will have hit them hard.

  11. Pingback: The Information Commissioner takes aim at GDPR myths: "Maximum fines will not become the norm" - NS Tech

  12. Matias says:

    The GDPR is certainly big. I work in Financial Compliance and am struggling to get guidance on how GDPR conflicts with or overrules FCA regulation. Your thoughts on that would be appreciated.

    • Anonymous says:

      There is definitely a gap in regulatory guidance here – both FCA and GDPR use quite loose language for some of their directions – this makes it difficult to know where the line falls

  13. There’s been some extraordinary misinformation about the GDPR from right across the media, and also from the legal sector. This is an excellent update and clarification.

    As a publisher of legal facts about business this is very much appreciated and will be duly shared across our network of business support practitioners.

  14. David Watson says:

    It’s great to get some clarity from the ICO on their approach post 25th May 2018.

    Small businesses, in particular, switch off to the entire GDPR message when they hear sensational advice about business crippling fines.

    That stops them working towards fulfilling their obligations, and also understanding the *benefits* that GDPR will bring their business.

    There are lots of solicitors and consultants explaining what it means but nobody confident to suggest what will happen. This is the missing piece of the puzzle.

    It’s also only the start so please keep it coming, Elizabeth.

    • Guy Pyetan says:

      Small businesses can largely comply (unless they hold the “special” data or hold large volumes of data) by taking simple steps, e.g. by storing their critical data on encrypted drives and USB sticks and locking these away in secure storage (a safe, for example). If they have more complex systems, e.g. a heavy online presence which captures customer data and stores it in a 3rd party system (cloud), then they need to be more careful. I would suggest looking into processor/controller relationships and the possibility of a joint controller relationship with the cloud provider. At the very least they need to ascertain exactly where the data will be held and who with (if storage is further outsourced to third parties). I would be cautious if the provider utilised storage partners who were not in the list of adequate countries or based in the UK or EU. I could provide far more thinking on this but a little text box is not the place and I’m bound to skip something vital as I can’t see the entirety of the message I’m typing. Other areas to cover are HR data, email and phones.

  15. Pingback: ICO - Maximum fines under GDPR will be “last resort”

  16. Craig says:

    At its heart the GDPR is pretty simple.

    Say what you’ll do
    Do what you say
    Prove it’s being done that way

  17. Densie says:

    Very useful blog. Looking forward to reading more

  18. Pingback: GDPR – sorting the fact from the fiction « Data Protection News

  19. Pingback: ICO hits out at misinformation about GDPR - Technology News

  20. DJ says:

    Great summary, some medication and common sense for the headache that is GDPR… but.

    No business wants to be hit with a fine !

    1 – Is GDPR (in part) really just ensuring consent from individuals on ‘how’ organisations may communicate with them, eg, On website sign up forms:

    Please tick that we contact you by [ ] email [ ] telephone [ ] post


    Consent that we are allowed to keep any information on them in a company database?

    or a combination of both?

    2 – Giving end users the tools on websites to update / correct and remove their information would be a welcome to many, but would the big players actually do this?

    Interested to see your updates on this…

  21. Pingback: Sorry, who did you say you were? We’ve forgotten about you – STE WILLIAMS

  22. Pingback: Sorry, who did you say you were? We’ve forgotten about you - InfoSecHotSpot

  23. Pingback: Sorry, who did you say you were? We’ve forgotten about you - Account Security Lockdown

  24. Pingback: HRBDT Weekly News Circular | Human Rights centre blog

  25. Marc VAEL says:

    Great article to demystify some myths around EU GDPR usually stated to scare decision makers in companies. I personally always refer to the authentic sources on EU GDPR from the European Commission website.

  26. Brian Rogers says:

    I would welcome clarification in relation to reporting breaches; it does seem that minor breaches won’t need to be reported if they do not impact on the individual but surely any breach could, for example sending an email containing their details to the wrong recipient. Can you provide examples when you do a blog on this topic please.

  27. Darren Revell says:

    The myths exist because of a failure by the ICO to produce the dummies’ guide to GDPR by industry sector. For example, I work with the recruitment industry. So far there is little in the way of real-world examples to the questions that those who are not data experts can fathom.

    For example here is one simple example.

    ACME Recruitment company has been in business 10 years; they started as a one-person company and now have 20 staff. They were taught that candidate data is everything and their business lives depend upon it. For ten years they have grown and grown and now have 15 staff. They use the recruitment industry’s market-leading CRM product, and from their advertising on job boards like Monster, Reed, Jobserve, headhunting, networking and by recommendation and referral they have amassed 15000 candidate records legitimately. Over 10 years they have placed 3000 people, some in perm jobs, some in temporary jobs. Of the others, they have their data on file as they asked to be found a job and/or were put forward for jobs they did not get, or were kept on file as no jobs matched their needs but one would likely come up.

    They are now being told some or all of the following:

    1. You have to delete all 15000 candidate records by May 25th or you will be fined, as you were already breaking the law by keeping the candidates’ records for more than 6 months anyway.

    2. Similar to point 1, you have to write to all 15000 candidates and ask permission to keep their data; no permission and you have to delete the record.

    3. If you do write to all 15000 you will be breaking the current data laws and electronic marketing laws if you use email.

    4. You have to regain permission every 6 months to keep the records you have post the 25th of May; no permission each 6 months and you have to delete the data.

    5. You can only tell the candidate about the job they applied for with client A; you can’t tell them about an identical job at another client (client B) as your advert was for client A.

    6. You now have to put your client’s name in the advert, as using terms like “our client” is non-GDPR compliant.

    7. You broke the law on data sharing because your website is not provided by your CRM provider, and so those who applied for a job on your website can’t be put in your CRM until you gain permission to do so.

    8. If you call a company and ask who the hiring manager is and they tell you the person’s name and to call back, you cannot record that data in your CRM as you don’t have the actual person’s permission. If you do add it, you take the other route, which is that you have to write to them within 30 days and tell them you added their name to your database, or delete it.

    9. No one wants to hear from a sales person, so all contact data at potential clients is also personal data, which means you have to write to all the business contact names you have found to sell to and ask to keep their data in your CRM.

    These kinds of questions have been asked and answered by people with qualifications in law, data, GDPR, eGDPR and so far the conclusion for most is: pay us a consultancy fee as you will get fined for everything.

    This is why you have panic, scare stories and dare I say scam artists making money from the confusion.

    • Fiona says:

      Is point 2 not correct?

    • Fiona says:

      I understood that Point 2 is the correct process to follow? We have 36,000 (85% active within 5 years) candidate records on our database and understand that we have to request consent from all of them for keeping data to send relevant job and market information. And if consent is not received then we must delete them from our database. Is this not correct?

  28. Jeffrey Coorsh says:

    Whilst it is not right to fine for the sake of making a point, it should not escape anyone’s notice that the reason why so much attention is being paid to GDPR as against previous data protection requirements is just this possibility of massive fines. It concentrates the mind.

  29. Steve says:

    The ICO providing some helpful, clear guidance…. I nearly choked on my coffee.

  30. Elizabeth Jackson says:

    As ever, the ICO are making their position clear and reaching out to organizations. The only thing I think is missing is an ability to ask questions. I don’t expect every question to be answered, or it should replace proper legal advice (although of course any “answers” on the ICO website will have an “authority” associated with them).

    Very good to see this type of blog from the ICO. However, they don’t need to downplay the fines. Too many businesses are unaware of or ignore the content of the current DPA, so it will take GDPR and the threat of more significant fines to get them to pay attention to what it is all about, which is respecting other people’s data.

  32. Pingback: EU GDPR May 2018 Planning and Implementing ICO fines legislation

  33. P.J. Westerhof LL.D. MIM says:

    The interests of consumer and/or citizen have never really been the centre of attention from business nor government. And by the looks of it GDPR will not change that. Why should it.

    Years of mediocre IT-management, mediocre data management, poor compliance management and poor business risk management have caused organisations to be ill prepared for GDPR-requirements.
    Many, if not most, organisations have difficulty gaining insight into what data they have stored, let alone where these are stored. Data driven organisations are the obvious exception.

    For most organisations GDPR-compliance is not considered a business opportunity, but a liability.
    Even under the threat of massive fines many organisations are likely to fail meeting the May 2018 deadline.
    Taking away the big stick and offering carrots may not be helpful.

  34. Pingback: 'No business will be left untouched' - are you ready for new data protection regulations? - EventsBase Magazine

  35. Shirish says:

    Thanks for the blog. Please let us have more so that GDPR is explained properly to suit individual businesses.

  36. Guy Pyetan says:

    Elizabeth Denham’s comments are refreshingly clear. Unless one has an extremist approach to regulation, then the regulator in the first instance should be looking to encourage compliance and educate to ensure compliance happens. As to the largest threats to business, I would suggest that there are four. Some are what I would call derived threats, e.g. they arise as a natural consequence of the legislation.

    1) Companies are not ready. Most of them do not understand what UK/EU GDPR is and are assuming it’s just a small extension to the existing GDPR rules. They have fundamentally failed to hoist in the all-encompassing nature of the rules and the key fact that directors are now both responsible and accountable. Directors cannot push this down the food chain and forget about it. That the fines MIGHT go as high as 4% or 20 million euros and not the 17 million as the Beeb reported is of a concern but it shouldn’t be the only one.

    2) The implications of these seemingly relatively small changes are vast. They impact on just about every aspect of data management and handling of customer data and as such require that companies fundamentally review every aspect of their businesses, people, processes and systems. How many systems can actually support real data compartmentalisation (aggregation and disaggregation of data)? In my experience very very few. These companies need to start NOW. Becoming compliant is likely to be months or years of work if the business is of any size or complexity.

    3) The indirect implications of this legislation are that the legal profession will be rubbing its hands with glee. I predict a rise in the ambulance chasers operating (on a no win no fee basis) on behalf of confused citizens who have contacted them as a result of companies violating GDPR rules. The aim being to extract small to medium sized sums from them. Pay us £5K and we’ll go away. If it’s just one person they’re doing it for then it’s not a problem, but class actions could arise and I can see large numbers of people pushing for compensation when things go wrong. A wise organisation of any stature will be making provision for these episodes. I think this is more likely than being hit for large fines.

    4) Repeated violation offences will almost certainly raise the level of fines. It’s rather hard to claim that you’re a thoroughly compliant outfit when you repeatedly fail to look after your customers data. There must come a point where the regulator doesn’t react well to “Can we just have another chance?”

    All of this is of course only my opinion. I feel the whole thing is eminently manageable if organisations utilise appropriate, competent staff to deliver these programmes of work, support them well and pay them sensibly. The right people need to be employed at the right level to ensure compliance within a reasonable time frame. For any reasonably sized company this is a programme of works not a quick project on the side (and the requirement to report directly to the board further reinforces this) unless they’ve already achieved ISO 27001 which will be too onerous for many.

    • Darren Revell says:

      Spot on Guy, just when PPI firms thought the end of the world was in sight, GDPR kicks in. Ambulance chasers of the world unite: PPI firms to convert to GDPR firms.

      • Brendan McGrath says:

        Ironically though, the Ambulance Chasers won’t be able to call you directly unless they have your consent, as it will fall under the Direct Marketing rules of GDPR. I envisage a sudden showing of TV and billboard adverts, much like the good ol’ US of A do now, but with the message “Have you had your data breached? Well, call us on 0345 GDPRMYDATA”.

  37. Pingback: Prepared for the General Data Protection Regulation GDPR? - Engage & Prosper

  38. Elizabeth Jackson says:

    Hate to demonstrate my ignorance, but does the GDPR *itself* open up the scope for ambulance chasers?
    One thing I should point out if anyone replies is that there is a well-known Group Litigation Order in progress. Be warned that the solicitors involved do not like their name associated with the term “ambulance chasers”. I would advise, for the sake of this thread and the ability to leave comments, that the solicitors/company etc. are not referred to or even hinted at.

    • John Noble says:

      Under Article 82, any data subjects that have suffered material or non-material damage have the right to receive compensation from the controller or processor. Where there is compensation to be had, you can bet your bottom dollar that the chasers will be found.

  39. Brian F says:

    Elizabeth Denham, thank you for the great information here. Very much appreciated and think that this is necessary based on all of the scare tactics that the “Ambulance Chasers” have been using to solicit business.

    I think that where most are going to get hung up is that GDPR has a number of very specific details that require greater attention, which most may not have. I have met with consultants and legal counsel that have further explained what is needed and relevant for my organization but also sensed a certain degree of potential variance between regulators in supporting countries. Hence, there may be some unknowns on how this will be enforced.

    My suggestion “would” be to have your company’s DPO speak to your local regulator to introduce and seek some initial guidance, but I suspect that there are likely a lot of companies out there that do not even have this position defined within their organization yet. I have a hunch that there will be a shortage of people qualified for this role as well and we may see a rush of green talent go through an initial push of trial-by-fire.

    Further, there are other things for some to consider such as the US Privacy Shield and the disposition of GDPR in the UK post Brexit and acceptance from each of the countries within EEA.

    So while my statements are not meant to challenge the level of complexity of GDPR itself, I do think that there may be some challenges that are potentially common and need to be considered for some companies that are fairly new to all of this. Particularly those that did not have other considerations driving their motivation for data privacy.

    Perhaps these comments will help with your future blogs. I’m subscribed either way. Thanks again!

    • Guy Pyetan says:

      Totally agree. I think implementation PMs and subsequently DPOs (in large companies) should, if they have any sense, form very close working relationships with the ICO and ensure that where there are doubts, clarity ensues. In any case, you can hardly be blamed if you have taken positive steps and solicited advice from your regional regulator and then subsequently followed it. My feeling is that to make a success of this, engagement with internal IT and legal departments is key; external engagement with the ICO is also important.

  40. Darren Revell says:

    Still, there are however basic problems with GDPR. I have a question running on LinkedIn in respect of B2B contact data. So far, from a range of experts in Data/GDPR etc., the score is 7 to 5 that holding contact information of the decision makers you are trying to sell to is personal data.

    There are 7 saying it is personal data and 5 saying it is not, as B2B has its own rules. How a law can be introduced that has this level of ambiguity and can come into force in 10 months just beggars belief. Entire sections of the business community are in a tailspin on whether they will be able to stay in business if they cannot keep contact data to prospect to.

    • John Noble says:

      If you take the GDPR literally, personal information is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified directly or indirectly. This includes a name.

      So B2B data is definitely in the scope of the GDPR. There are no separate B2B rules in the GDPR. It all comes down to the legal basis a business uses for processing data. The big issue in B2B is whether people go down the route of consent or legitimate interest to process and use data….

      • John Noble says:

        Having said this, the GDPR in Recital 47 does state that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.

      • Darren Revell says:

        So no consent, but I may have a legitimate interest to call a hiring manager and say I have a candidate, or an IT manager/business owner and say I have a website offering, accounting service etc…

      • Darren Revell says:

        Thanks John. Should we add to 1 to both sides of the score LOL? May I quote you in my LinkedIn thread?

      • John Noble says:

        Yes, add one to both sides, just to cover myself.

  41. Pingback: ICO busting GDPR Myths – NACFB Compliance Services

  42. Pingback: Nine months and a lot more b*llocks to go before new EU data protection rules kick in | Crawfordwise

  43. Guy Pyetan says:

    My take on it is that nobody is saying you can’t hold personal contact data but that you should get consent for it and that you must have a lawful reason for holding it. Further to that you must only use it for the specific reasons for which consent was provided. For marketing organisations I can see their model for data collection having to change. Targeting specific people may have to stop but if one collects detailed customer data and aggregates it very early in the collection process throwing away name and specific address information early on in the process and seriously classifies the information into the smallest possible pots short of identifying individuals then it would still be possible to target relatively precise customer groups relatively accurately through marketing techniques without contacting individuals. I do foresee a resurgence in the use of experimental design techniques. Ultimately what you hold or choose to hold will be balanced against your appetite for risk/cost of protecting yourself. New questions will have to be asked when considering whether to collect data. What’s the cost going to be on new systems and what’s the risk to the business if we hold this information? Risk management will become increasingly important (on both the positive and negative side).

    Ultimately sales types who have very close relationships with their contacts will be worth their weight in gold. It will pay companies to find good bus dev people and pay them well.

    • Darren Revell says:

      If B2B contacts are personal data, you are effectively asking the salesperson to speak to the contact and say, can I have your permission to hold your data so I can sell to you?

      Sales people get told no the majority of the time when they make their first approach, which is why they then schedule a call back. If they are told no first time round that is an end to the callback, which forms the bulk of why most sales are made. This is why people are getting scared of GDPR.

      Then there are those who say holding B2B data is about legitimacy, not just consent; this we hope is the silver lining.

      • Guy Pyetan says:

        Whether or not they represent personal data depends, I would suppose, on whether the data you are utilising to contact them on is personal. For example, if you hold the business telephone number for a company employee and contact that employee on that number only about legitimate B2B activities, and you hold no other data on that employee, and that data is contained wholly and entirely in your company’s contacts database, then it’s hard to see why that data would be deemed personal or why the usage of the information would not be lawful. (Technically speaking the phone number could be applied to anyone and in fact, if put on group pick-up, is generally picked up by the first available person.) It doesn’t specifically identify the person concerned for all time and you can’t glean other more sensitive information from it. It is a legitimate business number for the business you are trying to contact. If you use the data concerned to spam the individual for any purposes at all then you have most probably just changed the status of that person under GDPR. If the organisation you are trying to contact makes the individual’s personal (domestic) contact details available then that is surely also of concern? This is why I feel that EU/UK GDPR could drive significant change in the ability of systems to segregate/aggregate and disaggregate data and grant access at very granular levels across various processes, systems and people.

        I think I would also want to be very sure that usage segregation was paramount when using mobile devices (phones). Make sure you keep only business contacts on your business account mobile/business email and personal contacts on your personal mobile/email accounts. If you mix the two you could very rapidly start changing the status of the contacts and thus the exposure of your company to data risk. That said I am conservative in these things and would prefer to be safe than sorry. I hope that nothing I’ve said is correct and that I’m not frightening anybody. Ultimately the final answers rest with the ICO and they don’t yet have all the final answers.

    • Darren Revell says:

      Thanks Guy, clear, reasoned and useful.

      • Guy Pyetan says:

        oops have just noticed a typo on my previous text. The last but one sentence should have read I hope that nothing I’ve said is incorrect and I’m not frightening anybody. (should be obvious as to what I meant but still v. sloppy).

  44. Pingback: Consent is not the ‘silver bullet’ for GDPR compliance | ICO Blog

  45. Darren Revell says:

    Why was Honda fined for emailing its customer base in preparation for consent compliance with GDPR? The myths that have been generated on that alone are forcing companies to fear GDPR.

  46. Guy Pyetan says:

    Oops fly be not fly ben

  47. Pingback: GDPR: the big bad monster – Wuestefeld and Doyle blog

  48. mcdavex says:

    One niggle though – you CAN insure against reputation loss 🙂

    • Guy Pyetan says:

      But insurance is a compensation and you have to hope it’s sufficient. It doesn’t stop the damage. I would not rely on insurance to save my skin in the event of a major breach or negligence.

  49. Pingback: GDPR: Old Habits Die Hard... | Corix Partners