GDPR: The great data privacy panic

Rory Cellan-Jones
Technology correspondent
@BBCRoryCJ on Twitter

If you are like me, the last week has provided a great chance to have a GDPR spring clean of your email inbox.

Dozens of emails have arrived with increasingly frantic messages asking me to opt in to keep in touch once the General Data Protection Regulation comes into force.

With an evil cackle, I simply delete them - and that means I should be getting far fewer emails from now on. I imagine plenty of big organisations will see their mailing lists decimated. And it is hard to feel sorry for them.

Just on Thursday morning, I received the "please stay" email from the venture capital firm Balderton and from the telecoms consultancy Analysys Mason, who I suppose must have had expensive legal advice that this was the safe route to take.

But the concern is that thousands of small companies will feel obliged to follow their lead - and risk losing contact with customers who could be vital to their future.

The problem is that it is not clear that companies really need to send out a "click here or disappear" email, rather than the less radical approach of outlining their privacy policy and giving recipients the opportunity to unsubscribe from the mailing list.

Lawyer Candace Kendall, who has spent 20 years advising clients on data protection, says too many companies are over-reacting.

"Check your lists - yes. Update your policy - yes. Email your list to tell them you've done that - possibly. Panic and say, 'Unless you respond by midnight on Thursday, we'll delete you,' - get in the sea with that," she tweeted, mocking the idea.

Ms Kendall told me that she was exasperated by what she regarded as misleading advice.

For one thing, consent was only one of the grounds on which companies had the right to process data, she said.

And even if they did rely on consent, it would rarely be necessary to send out one of those begging emails.

Ms Kendall said: "90% of the emails are unnecessary - it doesn't have to be re-consented unless you didn't get consent in the first place."

She said small organisations should relax and apply a simple test: would a person expect to get a message from you?

She gives as an example a swimming club. You would expect to get a newsletter about opening times at the pool or meetings. You would not expect your details to be passed without your consent to a company selling swimming costumes.

So, if it is so simple why are big organisations sending those panicky emails?

Analysys Mason told me that they had not contacted everyone on their mailing list - just those, including me, who had not clicked on a newsletter or interacted in other ways for the past two years, which seems a reasonable approach.

Balderton Capital told me: "We were advised that this was an opportune time to refine our marketing database and mailing list by seeking affirmative confirmation from people that they're still interested in receiving our newsletter."

Again this seems reasonable, but although Balderton says it received 150 positive responses in the hour after the email was sent, one suspects its audience will suffer considerable shrinkage.

With the advice from lawyers contradictory, and the guide on the information commissioner's website pretty complex, you can understand why many small organisations are unsure what to do.

But there is comfort in what the information commissioner herself has said. Elizabeth Denham has stressed that any action against those who fall foul of the new regulations will be fair and proportionate - and that she is not planning to go after those who show a willingness to comply.

"Don't panic," is the message - though I suspect that is not what thousands of businesses have been hearing from those selling them GDPR consultancy.