The world woke up on Friday 25th May to a new GDPR dawn – or at least those parts of the world that want to hold data on European citizens.

As I looked out of the window in the morning I wondered what I was going to see – perhaps flesh-eating Shaun of the Dead zombies crowding the streets, forcing their way into my home, lusting for blood.

Or would it be more like Mad Max: a huge expanse of nothing bar a yellow Interceptor and a lot of leather.

The answer is probably something in between. Although things like the Y2K bug, website cookie policies, AWR, IR35, Controlling Persons and the Danny Alexander Review have had minimal impact (yet), GDPR has from the outset bared greater teeth – which has perhaps precipitated fear (you can’t email people any more), scaremongering (you’ll get fined 4% of turnover for a breach), over-reaction (Wetherspoons deleting their database) and in some cases misguided and unintentional law-breaking (Honda and FlyBe being fined for sending GDPR marketing emails to service email-only customers).

We’ve even seen a very prominent company advising all their clients to obtain opt-in consent (as it increased reliance on their product), only to email their own database with a very different strategy of consent unless you opt out. Incredibly depressing behaviour.

In 2017 we at OMA read almost 100 pages of the new GDPR legislation and what really stood out for us was that there were so many grey areas – things that were open to interpretation, loopholes and even crazy examples where to comply with GDPR you can end up emailing the same person on an almost daily basis. This is where someone asks to be deleted, you delete them, the next day another consultant finds them on LinkedIn, sees they’re not on the database, adds them and contacts them. They ask to be removed again and the cycle repeats. If you have 50 finance recruiters all in one office you can see how easy that would be.

REC even went back with a huge list of clarification requests and at the last time of checking were yet to receive a response. And that’s the governing body for the UK recruitment industry.

We took the view to be pragmatic – to advise our clients to create an easily obtainable privacy policy (in email signatures, on website) that clearly showed how they interpreted the GDPR, and which allowed people to contact them to raise queries which they would work together to investigate / fix and update the policy accordingly. We did this because one of the six pillars of the legislation is ‘genuine business interest’, which seems to have been overlooked. Conveniently so for some suppliers and GDPR advisers.

It’s the same with the consent emails. The Deputy Commissioner of the ICO recently wrote a myth-busting blog that was covered in two brilliant Guardian articles which said that consent emails are unnecessary and in some cases break the legislation. Newsletters are also still fine. You can read them here:

Here’s the blog also, as at the time of writing the web page is down (probably due to traffic):

The problem is, it’s too late for some. They’ve taken bad advice and emailed their entire database requesting opt-in consent. They’ve probably had less than 1% re-sign up so how can they function losing 99% of their candidate / client base? They can’t go back on their word as it’s there in black and white that if you don’t click the button you’ll be deleted.

Why did they take bad advice? Probably because they believed the scaremongering that you could get fined up to €20 million for a single breach. If you read the legislation, it says very clearly that level of fine is only if you refuse to work with any investigation. Which is why a clear policy with the ability to query it is all you need.

And to be clear, consent is just one of the six legal grounds under the GDPR which you need to hold data. In full, they are:

  • Consent
  • Contract
  • Legal obligation
  • Legitimate interests
  • Public interest
  • Vital interests

Another thing we said to clients was that if GDPR was really as draconian as some people would have you believe, then your business would go under as you couldn’t market. So you might as well take a pragmatic approach and the worst-case scenario was that you’d have a few more months before a fine took you under. It wasn’t literally what we recommended but the worst-case scenario point was valid – it helped people understand why we took the middle line.

And of course myth-busting blogs from ICO Deputy Information Commissioner Steve Wood are great, but they’re too late. The damage has been done and unless there’s some kind of amnesty it’s too late – some businesses have really shot themselves in the foot. And the people whose seminars I’ve sat in recommending their clients delete their database should really have a good long look at themselves in the mirror. But the problem is, I bet they sleep like babies.

by Tom Bridge, Head of Hot Beverage Production