It's hard to imagine that the people who drafted the General Data Protection Regulations coming into force on Friday expected them to have the effect they are currently having - crippling businesses, especially small ones, and flooding almost everyone's inbox with desperate pleas for action.
Only one day to go and still almost every business owner or manager I know seems unsure of what they are supposed to do now and what they will or won't be allowed to do after tomorrow, when the new law comes into effect. And those who seem certain are certain in differing directions.
A key confusion seems to be around consent. Some people think explicit consent to hold and use a person's contact details is essential. They are asking everyone they know to opt in, creating this flood of emails which very few people will have the time to deal with. Others point out that consent is only one of six criteria for holding and using a person's data, the others being contract, legal obligation, vital interests, public interest and legitimate interests - one of which is likely to apply unless you are randomly spamming. They say that the important thing is to make very clear how you use people's data, and make it easy for them to understand what data you hold relating to them, and what you do with it; make sure it's kept very safe; and make it easy for people to request deletion and then implement that request promptly if asked.
Big companies like BA and the NEC seem to be going with the latter approach, and I think it makes much more sense. Why would the legislators have included those other five criteria if explicit consent was the only one that mattered?
So I'd love to resist adding to the bizarre email deluge, but can we afford to take the risk? What if it turns out our interpretation is wrong, and we find we can never contact our customers again? So we'll probably end up adding to the chaos by the end of the day!