GDPR – Dispelling the myths Pt II

By Mike Richardson, Managing Director EMEA, Maximizer Software

Last time, we kicked off our series of myth-busting blogs on the EU General Data Protection Regulation (GDPR) by emphasising that every SME who holds data on EU citizens must comply with the new legislation.

Today, we’ll address one of the most misunderstood aspects of GDPR – the matter of consent – which we know is currently preying on the minds of many business owners.

Myth #2 – “We’ll have to re-permission our entire database.”

The reason that so many companies are worried about the stricter requirements around consent is because they know that obtaining renewed opt-in – or re-permissioning – is a very time-consuming exercise and one that could easily backfire. It’s undeniable that you run the risk of contacts either withdrawing their consent or simply not replying. In the latter case, contacts would still have to be removed from your database because GDPR-standard consent involves the data subject taking “clear, affirmative action” to give you permission to use their data.

But in their panic many companies are overlooking the fact that consent is just one of six lawful bases allowing organisations to process personal data and/or perform marketing activity.

So once you’ve got a handle on the data that you capture and where it is held – the key starting points of the information audit that you are hopefully conducting as part of your compliance programme – you must analyse which legal basis you can apply in order to continue processing each individual’s data.

Processing can often be justified on an alternative basis to consent, particularly where you have client contracts in place. Also, some direct marketing will still meet the criteria for “legitimate interests”, but you must tread carefully and ensure that you do not infringe the “rights and freedoms” of the individual.

It is crucial that you document your decision-making so that you could explain your rationale to the Information Commissioner’s Office (ICO). Being able to demonstrate compliance and your commitment to embracing the data protection principles is one of the key goals of the regulation.

In reality, a proportion of the typical database will not be GDPR compliant and your only options will be to proactively seek fresh consent or delete the data.

Is that such a bad thing? I would say that focusing on re-permissioning aspect of the regulation rather misses the point. After all, if you aren’t sure that your contacts would agree to hearing from you then can you truly say that they are valuable prospects or engaged customers?

GDPR will require a wholesale overhaul of your database and one of the most positive outcomes of this initiative is that you can be confident your contacts are accurate, up to date and opted in. Your databases will present a truer picture of those who want to do business with you – the ideal platform to create more personalised, stronger customer relationships based on transparency and trust.

Next: Myth #3 – “Our data management solutions are GDPR compliant, so we are too.”