Ghouls and Ghosts May be Scary, but GDPR is not….

So, don’t turn GDPR into your own horror story!

Everyone loves a good story. Now, as the nights draw in across the Northern Hemisphere, the best stories are horror stories. The worst are the ones you star in, falling into the dark hole of GDPR unpreparedness!

The reality, however, is that too many organisations are still covering their eyes rather than facing up to GDPR non-compliance.

According to a poll following the findings of the 2017 Global Payroll Complexity Index: 24% of UK payroll professionals remain blissfully unaware of GDPR!

It’s time to act, but not over react

Just months out from the 25 May 2018 go-live, it’s vital that change processes are put in place, with enough lead time to do this calmly and efficiently.

66% of payroll professionals say legislative and HR & payroll updates are their primary payroll complexity challenges (source: GPCI). GDPR is no more onerous than any other legislative change. There are no secrets about what is expected. No one is waiting in the shadows to trip you up.

It’s time to dispel the rumours

The following statements are NOT true!

  1. “We’ll be fined €20 million for every incident.”
  2. “We can’t process data unless we have explicit, written and approved consent.”
  3. “Every security incident will need to be reported to the data protection authorities.”
  4. “GDPR fines are an under-the-table tax.”

The facts according to ICO (the UK data protection authority) guidance

“We’ll be fined €20 million for every incident.” 

Not true! The maximum penalty is €20,000,000 or 4% of annual global turnover, whichever is higher. This does not mean that every incident will lead to a fine, or to a fine of that size. Fines can happen, and no doubt will happen, but not for every incident, and not at the maximum every time!

“We can’t process data unless we have explicit, written and approved consent.” 

Not true! The criteria for valid consent have become more restrictive and more detailed, but consent is not the only way to process data lawfully. Consent is just one of six lawful bases.

The six lawful bases for processing personal data are:

  1. Consent
  2. Contract
  3. Legal obligation
  4. Vital interests (protecting the life or safety of the data subject or another person)
  5. Public task (processing carried out in the public interest or under official authority)
  6. Legitimate interests

You see, there is more than one way to process data …

“Every security incident will need to be reported to the data protection authorities.”

Not true! A personal data breach must be reported to the supervisory authority (and, where feasible, within 72 hours of becoming aware of it) unless it is unlikely to result in a risk to people’s rights and freedoms. Risks include significant detrimental effects, such as discrimination, damage to reputation, financial loss, or other economic or social disadvantage.

If such a risk is unlikely, no report is required. The breach must still be recorded internally, with the facts, its effects and the remedial action taken, so that the authority can verify the decision not to report.

“GDPR fines are an under-the-table tax.”

Not true! As with any law, business or consumer, if there’s no consequence, most won’t comply.

The objective of the GDPR is not revenue generation; it’s about giving you and me protection, ensuring that our data is respected, secure and not vulnerable. If those holding your data are not prepared to respect this, there will be a consequence. Whether or not that consequence is a fine, a resolution will be expected.

It is possible that the focus on fines rather than protection stems from the need to create awareness about GDPR. Scaremongering and making things up as we go along is human nature, but it is not helpful.

Is your HR data ready for GDPR?

This 40-minute webinar shows you what you need to know.

Forty minutes now could save hundreds of hours of pain come May!

Let’s remind ourselves of the principles of GDPR

It’s not a set of trick questions designed to catch you out. No one is going to knock on your door to ask whether a specific data source has been tagged, unless you misuse it first.

GDPR is a set of rules that reminds us to think of our customers as humans before we think of them as a revenue source. Being compliant is a real opportunity to allay any fears your customers have about your brand’s integrity when it comes to using their data.

GDPR is a next-generation Data Protection Act. How we do business has changed: data proliferates, channels converge, and consumers have become more data-savvy and demand more transparency. Our own research found that 73% of consumers state data transparency as a primary concern.

In many ways, we’ve lost sight of the fact that data gives absolute insight into a person’s behaviour. If we misuse this information, or let it fall into the wrong hands, we are as morally negligent as we are professionally negligent. Personal data needs to be protected, and the only way to do this is to regulate: put in place controls that set out to keep our digital footprints safe.

The principles and implications of GDPR

Personal data shall be processed fairly and lawfully

What does that mean in practice? If collecting data improves a customer’s experience with your brand, they are of course more likely to be happy for you to collect it, within reason.

They’re not going to get upset if you want to sell them things on the back of your relationship, but “within reason” is the key, and this is one of the areas where consumers think we’ve gone too far. So we’re being reined in.

Personal data shall be obtained only for one or more specific and lawful purpose

It’s not rocket science. Tell people how you’re going to use their data, and use it only for that. GDPR means you can’t rely on those broad ‘selected partners’ statements any more; be specific, in a way that would make sense to you if you were the consumer.

Personal data shall be adequate, relevant and not excessive

None of this ‘future-proofing’, capturing information in case you might need it one day, as we used to. Collect what you need now. You can always go back and ask for more.

Personal data shall be accurate, and where necessary, kept up to date

Accuracy needs to serve the consumer’s experience of your brand, not your ability to sell to them. If they give you a mobile number to confirm a delivery, and the delivery is confirmed, you don’t need to keep that mobile number up to date. In fact, you don’t need it at all.

Personal data shall not be kept longer than necessary

Again, necessary to the consumer, not to you. Unless they’re engaging with your communications, your product or your brand, you don’t need to keep their data for longer than a sales cycle. There’s no harm in trying to win a customer back, but there comes a point where you’re just stalking a failed relationship.

Personal data shall be processed in accordance with the rights of data subjects under the law

It’s not your data, it’s theirs. Give them access to it, delete it when they ask you to, and don’t use it in ways they don’t like, and that includes annoying them with too much communication.

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

Don’t lose it, don’t let hackers get it, and don’t leave it on the train. In practice that means restricting who can access the data, encrypting it where it is stored and when it is transferred, keeping tested backups so an accident doesn’t destroy it, and being able to detect and contain a breach when one happens.

Businesses are concerned about the cost of auditing and documenting where their data is, who has access to it, and where it flows across the business. But how would you feel if you had a customer in front of you asking, “Sorry? Are you telling me you don’t know what you’ve done with my data or where it is?”

All GDPR is doing is putting more rigour into customer-facing principles that have always been there. Use it as an opportunity to revisit your consumers’ experience of you. After all, if they’re going to buy from you, they need to like and trust you.

Disclaimer: This article is intended only as a guide and an information piece on general data privacy updates and is not legal advice. You should always seek independent legal advice for more details.