Through helping a number of firms get up to speed, we’ve noticed there are a few common misconceptions around GDPR and thought we would address them in a brief post.
“I can rely on ‘legitimate interests’ to carry on sending e-mail marketing” = Fiction
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) sets out the rules on electronic marketing.
Under PECR, you must rely on a Data Subject’s consent before sending them e-mail marketing material.
Therefore, organisations can only rely on ‘consent’ as a legal basis for processing a subject’s data for electronic marketing purposes, and cannot rely on a ‘legitimate interest’ argument instead.
However, there are instances where organisations may be able to rely on the ‘soft opt-in’ to continue electronic marketing. This is where:
- that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient (i.e. the data hasn’t been purchased from a third party);
- the direct marketing is in respect of similar products and services only; and
- you gave them a simple way to opt out both when you first collected their details, and in every message you sent subsequently.
“I need to have a controller-processor contract in place, even if I don’t send data outside the EU” = Fact
The GDPR makes written contracts between controllers and processors a general requirement (Article 28(3)). Unlike the Data Protection Act 1998, where written contracts were only required when data was passed to a party outside the EEA (or third country with equivalent standards), GDPR requires organisations within the EEA to also have these agreements in place.
Where one processor passes data on to another processor, there should also be an agreement in place between them.
“GDPR Documentation does not apply to me because I have fewer than 250 employees” = Fiction
If you have fewer than 250 employees, you are not required to document all of your processing activities. However, it is worth noting that this exemption is limited, and you will still be required to document activities that:
- Are not occasional (i.e. that occur regularly);
- Could result in a risk to rights and freedoms of individuals; or
- Involve the processing of special categories of data (e.g. medical information, gender, ethnicity and sexuality), criminal conviction and offence data.
It is almost impossible for a company not to process some sort of personal data regularly. Therefore, most small and medium-sized organisations will still be required to document data processing, although this will be limited to certain types of processing activities.
“My firm might not need a data protection officer anymore” = Fact
You are required to appoint a DPO if:
- you are a public authority (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
Even if you do not require a DPO, it won’t hurt to have one to ensure that the organisation is complying with GDPR. If you then conclude that you do not require a DPO, the ICO advises that you record this to help demonstrate compliance with the accountability principle.
If you need any help getting over the line before the 25th of May, please get in touch.
T: 020 7843 0470 E: firstname.lastname@example.org