17/04/2019
The General Data Protection Regulation (GDPR) strengthened the rules around data protection, building on the fundamental points in the Data Protection Act 1998.
Yet all the hype around GDPR seems to have resulted in people panicking, tearing up all previous procedures and, in some cases, experiencing a complete absence of common sense.
Recently we encountered a clear misinterpretation of GDPR, which perfectly illustrates this.
A venue was advertising an event and someone with a question about the booking fee called them. So far, so straightforward.
The venue informed the caller that they would need to speak to the company staging the event, but when the caller asked for the event company's phone number, they were told that it could not be given out because of GDPR.
This is simply not true, as GDPR relates to personal data – information that identifies a living person.
If you think about it logically, a telephone number for an events company does not identify a living person. The number is probably in the public domain anyway.
The person refusing to provide the phone number clearly thought they were complying with the rules but in reality they were just hindering a potential customer from attending an event at their venue.
The point of GDPR is to ensure your data is used only for lawful purposes and not abused, sold, shared or lost. It is not intended to stop people finding out a company telephone number.
The basic common sense points to remember when it comes to GDPR are:
1. Personal data is any information that could identify a living person.
2. If it is personal data that you are dealing with, check that you either have consent or another lawful basis for processing that data.
3. Only use personal data for the purpose it was supplied for.
4. Only keep personal data for as long as it is required to fulfil the purpose it was supplied for, or to meet legal requirements (HMRC records for example).
5. Make sure all personal data is held securely.
6. Make sure clear processes are in place that are being followed, such as deleting data in accordance with retention policies.