GDPR – who is the ICO really after?

Jul 22 | 2018

David Jordan, The Mover Deputy Editor, cuts through the rules to add a little common sense to the new GDPR regulations

As we all know only too well, the new General Data Protection Regulation (GDPR) came into force across Europe on 25 May 2018. During the final weeks before GDPR-Day, companies were frantically sending e-mail notices to people who in many cases they’d dealt with for years, asking for permission to keep in touch and assuring them that their data would be secure in their care.

Here at The Mover we’ve been through a similar exercise, including the deletion of individuals’ names from the addresses on The Mover’s hard copy mailing list, in the belief that by doing so we are complying with the Regulation (please let us know if you would like your name reinstated, by the way). We’ve also contacted all the thousands of people around the world on our e-mail database asking them to confirm, or otherwise, their wish to continue receiving our free monthly electronic newsletter, even though they have always been able to opt out at any time at the click of a mouse. I for one don’t believe this is really protecting anyone, and I doubt that it’s what the new GDPR was meant to achieve.

That’s not to say that tightening up the way data is gathered and used is unnecessary; it clearly is necessary, especially in the light of recent developments involving Facebook and Cambridge Analytica. The trouble is, GDPR is complex and difficult to understand, despite the emergence of so-called experts and legal professionals offering their help, so most of us are adopting a ‘belt and braces’ approach to avoid any possibility of breaking the rules.

The fear of being fined 4% of turnover, or 20 million euros, for breaching the Regulation has put the frighteners on everyone in business. But although the ICO now has the power to impose such penalties, the likelihood of it actually happening is small, except in the most extreme cases.

Speaking at the IAPP Europe Data Protection Intensive conference in London last April, Information Commissioner Elizabeth Denham said that the ICO wants to encourage businesses to comply rather than imposing massive fines for every GDPR breach.

“When we do need to apply a sanction, fines will not always be the most appropriate or effective choice,” she said. “Compulsory data protection audits, warnings, reprimands, enforcement notices and stop processing orders are often more appropriate tools. None of these will require an organisation to write a cheque to the Treasury, but they will have a significant impact on reputation and, ultimately, companies’ bottom line.” But, she warned, “Hefty fines can and will be levied on those organisations that persistently, deliberately or negligently flout the law.”

The Commissioner went on to say that the ICO has always taken a fair and pragmatic approach to data protection, with the emphasis on education and cooperation rather than prosecution, and has never imposed its maximum penalty. Last year it issued fines in only 16 of the 17,300 cases it investigated.

One possible concern for the moving industry is the use of data provided by lead generation companies. We asked Colin Bradshaw, Chief Customer Officer at TwentyCi, how the new regulation has affected the way they operate and whether users can be sure they won’t get into hot water with the ICO if a suspected GDPR breach is reported by a prospective customer.

“All our data is obtained using legitimate sources who have the appropriate permissions to use the data,” said Colin. “We have done everything we can to make sure we are compliant with GDPR in both the spirit and letter of the law. If someone does have a problem with one of their customers they can refer them back to us and our team will deal with any concerns about how we obtained their data.”

It is early days for GDPR and it remains to be seen exactly how the new Regulation will impact ordinary businesses going about their everyday administrative and marketing activities. Let’s hope that common sense will prevail and that, while we all need to make sure we respect and protect the personal data we hold, the ICO will concentrate its efforts on bringing to book those who abuse their positions to adversely affect people’s lives.

However, the day after GDPR came into force a friend told me she had received a cold call from a claims management company asking if she had been the subject of a data breach. Could GDPR be the next PPI, I wonder? I do hope not.