Here's why everyone in the world just emailed you a new privacy policy

Originally published at:


This details one of the many ways Brexit terrifies me. Actions like this, with real consequences for breach, would never be introduced by a Tory Government - and we’re likely to be stuck with one for a while.
Ditto the ditching of TTIP,ACTA, SOPA etc - the EU have had the citizen at the centre of these, our UK governments of the time were all-in on those hideous agreements.


The fascinating and frustrating thing about all this is that there are no clear, unambiguous guidelines for small businesses to understand how they need to apply this legislation.

It is the new Y2K, a blind panic that something terrible might happen but no meaningful examples of what to do. A regulation that says you can be punished for ‘getting it wrong’ with no suggestion on how to get it right without doing ‘data audits’ and appointing ‘data protection officers’.

Try the simple question: “I hold my customers’ names, addresses, email addresses and phone numbers as I visit them several times a year to deliver my services and need to contact them to arrange these visits. Do I need their explicit permission to hold those data?”
You might assume that there is a ‘Lawful Basis’ or ‘Legitimate Interest’ but without paying a self-appointed specialist how can you be sure?

Even emailing a customer to ask if they mind being emailed might be a violation, or so it is implied. is supposed to guide UK businesses but it is just as vague as the legislation itself. This is clearly complex and far-reaching regulation, but surely giving clear examples of right-way and wrong-way would deliver better outcomes rather than just threatening massive penalties.

There is no question that there are bad actors out there that spam everyone or employ teams with spreadsheets to cold-call with no centralised data management and no opt out - there are also small businesses acting in good faith but with minimal IT and legal resources. Given that the regulation is ambiguous, how can one identify a qualified consultant to advise your business?


It’s actually 4% or €20m…

And there’s no guarantees that GDPR will help you if you’re outside of the EU. Facebook is already flouting this.

It is perhaps the new Y2K in that all sorts of people are getting panicked but there is plenty of advice out there, much of it intended to make you panic and to sell consultants’ services.

GDPR is not in fact much different from the previous data protection arrangements. If you were complying with those, then by and large you will be fine under GDPR.

There are some cosmetic changes in that things have been renamed and all lot of stuff that was recommended before is now required.

It is a simple question, which has a simple answer.

To hold their data, you need a ‘lawful basis’ for doing so.

You probably don’t have a ‘legitimate interest’, if only because you could far more easily rely on the ‘contract’ basis in that you apparently require the data to be able to provide the services they asked you to provide.

So no, you don’t need their explicit consent for that. Just make a note of what data you need and why you need it.

If you want to do anything more than just contact them to arrange meetings, for example send them offers, marketing information, etc. you will need their consent.

So why not get consent anyway?

Is it that hard to tell them, “I will need to take your contact details so I can arrange to come and deliver my services. I may also occasionally contact you to let you know about any special offers or important new developments. Do you agree to that”?


Depends what you mean by “clear, unambiguous”, I suppose, but there’s rather a lot of information available.

Businesses really ought to do data audits.

Check online. If that raises more questions, check with the ICO - i.e. proactively contact the ICO, don’t wait to be contacted!

I suspect this instance is, as you say, a simple one, covered adequately online. Maybe hiring a consultant is right for some people in more complex situations, but it’s not absolutely necessary.

Sorry if I’m misreading your comment, but it does come across as complaining that firms haven’t been spoon-fed every detail. If companies are making professional use of personal data, they simply must engage with privacy legislation. In many cases, that could be as simple as reading up on the subject, publishing a privacy statement and taking reasonable care of one’s databases.

Okay, though cold-calling from a small business is no less offensive than from a multinational!


Four or five percent of what? Turnover? Does that mean profits? Cashflow? Delicious pastries? The only time I’ve heard that word in business, it means your employees all quit and new ones got suckered in, but handing over 5% of your former employees to the German government would be an immigration nightmare.

apology accepted

The good news on GDPR at least is that even after Brexit it will continue to have effect; in part through the new Data Protection Act which incorporates GDPR; but also because UK companies wanting to process personal of EU citizens must continue to obey GDPR.

But, the Tories (and plenty in Labour don’t forget) will be salivating over the scope to shaft citizens by stripping away our rights just as soon as we’re out of the EU.


5% sounds like a lot, but it’s modest compared to the total. Like bribery, it’s just another cost of doing business.

So can I get a P.O. box in the eu and I’ll get this?

Keep in mind that it’s 4% of revenue, not profit. Depending on your profit margins that may or may not be a massive difference, but it does at least help.

There are several legal reasons to hold data, explicit consent is one of them, in normal use we find it better to base our data processing on one of the others (like statutory obligation, or necessity to perform a contract). I don’t think it’s any more complex really than the existing regime and the data protection commissioners in each country (okay, I’ve only read the UK and Ireland websites) have very clear guides - including lots of nice videos in the UK.

It’s not onerous, it’s not scary (unless you are doing scary bad stuff or engaged in internet advertising/personal data harvesting without consent), but you do have an obligation to do it. If you can’t do it yourself, just like your tax, you need to get a consultant to do it. If you are in an SME one of the people working in it must be put in charge of this (their relationship to management is mandated in the regulations) or you must hire a consultant.

Everyone should do a data audit in business anyway. Now it’s the law in Europe.

1 Like

Their margins are enormous. 4% or 5% of gross is still way less than net revenues. Have a look at Facebook’s annual reports and then realize that they lowball the profits to keep taxes down.

One way to work these is to offload the marketing to subsidiaries. Being separate corporations they can pass net of (inflated) costs up to the holding company which actually runs the operations, thereby making Corporate’s gross lower.

could you link to them? I’ve spent a fair bit of time and haven’t found them.

Loads here, it’s straightforward. Later sections have videos too, I don’t see the video case studies in the site redesign but I’m sure they are there.

The rules you have to follow are essentially unchanged you still have the same principles
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Personal data shall be accurate and, where necessary, kept up to date.

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

Personal data shall be processed in accordance with the rights of data subjects under this Act.

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Don’t be skeevy and you have nothing to fear. Where there are changes now is that larger organisations need a DPO (with stated relationship to the board) and you must disclose a data breach (of over 100 people) in under 72 hours, and they now have some teeth. They’re not out to get you. Fines are proportionate. Showing that you are attempting to do the right thing and that you have started the process is good.

The Irish one
Case studies (which are often more illuminating)

There are dozens (hundreds) of online courses tailored to specific industries, so for example if you are in marketing in the US the course here for marketing, promotion and sales enquiries is good (I haven’t watched it but my colleagues in marketing liked it whereas my nearer colleagues preferred the one from HEA and Legal Island, but that’s probably of limited interest).

All the ginormous law firms have guides online tailored to industries and business in general. In my opinion the books I have seen are not worth it. This is not legally complicated, it’s not technically complicated, it’s a business process issue. The law is easy, the hard tech stuff is encryption which is way above the pay grade of SMEs. but knowing your own business and how it handles private data is not.

Further to @robertmckenna’s reply, stuff specific to GDPR on the ICO’s site is here:

1 Like

And it isn’t even a quite new position, either. I know something like that has existed in France for decades. It wasn’t necessarily a full-time position, and it was only recommended in most cases.

1 Like

I think there is a definite change in the DPO in the GDPR though, SMEs need them and they must report directly to the MB of the company which implies its a senior role. A consultant can do it for many companies. This wasn’t obligatory under the Irish implementation of the previous directives. As the law is now centrally enacted by the EU this kind of difference no longer exists. To such an extent that Ireland, where lots of the companies harvesting your private life to sell have their European headquarters has had to expand the data protection Office. The old one above a spar in that world renowned global hub, Poetarlington. I am reliably informed the Spar does a good breakfast roll though, so that’s a loss…

1 Like