GDPR: Compliance emails often unnecessary and based on 'bad advice' in many cases, claims Dr Kuan Hon

The wave of GDPR opt-in emails that stuffed in-boxes throughout much of May were often unnecessary, top data protection lawyer Dr Kuan Hon has told Computing.

Hon blames "bad advice being given by non-data protection experts, not helped by media misinformation about the GDPR, all at levels that seem unprecedented".

She continued: "The proliferation of unnecessary emails asking people to reconfirm their ‘consent’ to receive future communications: most of those have only resulted in organisations losing large parts of their marketing databases when they didn't need to."

Even reputable publications - such as the Financial Times and Wired - had perpetuated myths about GDPR, she added.

"The most prevalent one is that ‘Under the GDPR you can't process personal data without explicit consent’. That is wrong. There needs to be a ‘legal basis’ to process personal data, but consent is not the only legal basis. And purely personal use, for example, your personal address book, is exempt.

"Another common myth is that ‘Anyone can ask for all their personal data to be deleted’, but this ‘right to be forgotten’ only applies in certain situations, it is not an absolute right. Similarly with the right to data portability."

Hon has spoken in the past about how GDPR has been used as a cash cow by some vendors. "My biggest concern is that lots of companies, including SMEs, have forked out a lot of money for the wrong advice that may even harm them - as in the re-consenting case."

Increasingly, added Hon, GDPR and data protection issues will become a feature of mergers and acquisitions. "Due diligence on security and data protection, to detect breaches at the target [company], will be hugely important. Because, as is evident from some well-known breaches, the acquisition price can be greatly affected."

Verizon, for example, negotiated a $350 million discount in the price that it paid for Yahoo's online assets when it finally completed its acquisition last year.

"This applies not just to security issues, but also, for example, databases where the personal data may not have been validly collected by the target for the intended use.

"Also, post acquisition work will be vital - making sure that systems and databases are properly integrated and tested to ensure compliance going forward," said Hon.

Kuan Hon is the author of the legal guide, Data Localization Laws and Policy, available from Amazon and other book retailers.