10 things I hate about the GDPR - From a Lawyer who advises on it
by Startacus Admin
A good moan about some of the, more painful, aspects of the GDPR (or the way it has been interpreted) now that the dust has settled on the mad rush to “GDPR deadline day”.
10 things I hate about the GDPR…. a view on why some ambiguities in GDPR could present issues
for business - from Lawyer, Andrew Kirke, Director of Contracts and Technology Dept, at leading commercial law firm Tughans.
"Implementation of the GDPR was a landmark moment for lawyers working within the data protection sphere. Never before, in my time of practising law anyway, had I come across a new piece of legislation that clients had not only heard about, but were proactively contacting me about.
There are many merits to the GDPR. Some of the well-publicised abuses of personal data that have been reported on recently show that an overhaul to data protection legislation was overdue. For example, changes like requiring individuals to expressly opt in to marketing communications seem sensible and proportionate, and give us back some control over our personal data and how and when we are contacted.
That said, in true Northern Irish style, the aim of this article is to have a good moan about some of the, more painful, aspects of the GDPR (or the way it has been interpreted) now that the dust has settled on the mad rush to “GDPR deadline day”.
Y2K Cliff Edge: Unlike anything else before it in my lifetime, except perhaps Y2K, GDPR has struck terror into the hearts of CEOs and business owners across the country. Coming up to the 25 May it was incredible how many people were scrambling to issue their hastily cobbled together privacy policies before midnight on the deadline day in fear of the looming threat of fines of up to €20 million or 4% of annual global turnover. Whilst the reality is fines of anything like that magnitude are likely to be reserved for the worst offenders, a little more nuance in the drafting of the legislationwouldn’t have hurt – 4% of annual turnover is more than many businesses earn in profit.
Bad Advice: The GDPR seems to have had a unique ability to attract a swarming cottage industry of overnight experts (sometimes with little to no background advising on the law), who have expanded their burgeoning service offering to cover GDPR compliance advice when they saw that there was money to be made. That’s obviously the nature of business, but has meant many clients have received questionable advice from consultants lacking in a detailed understanding of the legislation. One example is a client that held clearly signed consent forms with opt-ins to marketing communications, who had been told that they had to send out a “double opt in” email to everyone on their marketing database. What better way to decimate your mailing lists overnight?
Proportionality: As drafted, GDPR applies equally to all processing of personal data, at any level. This seems to have some fairly bizarre implications when you play it out, such as, on a literal reading, a strict requirement for you to recite a short form privacy notice every time someone hands you a business card at a networking event.
Business Value: As a predominantly Contracts and IP focussed lawyer who also works in data protection, my main aim has always been to try and use the law in ways that help clients to make money or properly protect themselves, whether that’s assisting with trade mark registrations to develop an IP portfolio, drafting sub-licensing terms to help a client monetise their software or reviewing contracts to prepare for investment.
With the GDPR, I’ve found myself having to help organisations wade through detailed questionnaires or assist them in producing vast spreadsheets listing and 
mapping the processing of every item of personal data within the organisation. Is this really the best use of time or money for EU based companies who are struggling to compete in a truly global economy?
Poor Drafting: The GDPR is, speaking personally, probably one of the most complex and inaccessible pieces of legislation I’ve looked at since starting out as a lawyer. The language doesn't help, especially when the GDPR encourages clients to use clear and precise language in their own privacy policies. Non-specific requirements, such as the obligation to take “reasonable steps” to protect the security of personal data (whilst partly understandable given the rapidly changing security landscape), have caused massive headaches for those working in the information security sector trying to decide just how secure their systems need to be to comply, particularly in the absence of clear guidance from regulatory bodies. The costs of dealing with these issues have fallen on businesses, who are required to spend significant amounts of time and money on compliance measures with little to no tangible impact on privacy.
Notification: The GDPR mandates organisations to inform regulators about a data breach within 72 hours. Yet a survey undertaken just prior to implementation showed that less than two-thirds (63%) of 
global organisations claimed they have notification process in place for their customers, while a fifth (21%) said they are able to inform their data protection authority but not customers contravening a key requirement of the regulation.
Unintended Consequences: One of GDPR’s requirements is that a data processor is not allowed to engage another sub-processor without authorisation from the data controller. Absent any provisos around the reasonableness of withholding authorisation, this could give rise to issues like a controller vetoing any of their processors changing providers in the event of a dispute, or a situation where the controller has a vested interest in their processor using a specific provider.
Impact on EU Processors with non-EU Clients: Because the GDPR can regulate the processing of personal data originating outside the EU by processors within the EU, the use of EU-based processors can cause problems for non-EU clients. So, a non-EU processor may be preferred over an EU processor even where the EU based processor offers a better and more competitive service. This was probably an unintended consequence of the legislation.
Information Overload: In my view, the GDPR also focuses too much on information overload when it comes to notification. Whilst I (sadly) draft them for a living, I think most people aren’t concerned with the fine print of privacy policies, hearing lengthy data protection notices recited at the start of routine business calls or receiving the vast tidal wave of increasingly desperate sounded opt in emails that hit our inboxes throughout May. Whilst privacy notices are important, and keep a business accountable, the requirements of the GDPR in this regard impose perhaps too much of a burden.
Data as a Liability rather than an Asset: As almost any business owner will know, customer data is one of the most valuable assets that a business can hold, helping to reduce operational costs, drive demand and improve innovation. The GDPR seems to shift the paradigm towards a view of data as a potential liability, with strict requirements not to hold it for any longer than necessary. This in turn may chill data-driven innovation, as companies hold back on accessing or storing data for fear of prosecution.
Like it or not, the GDPR looks like it’s here to stay, even in a post-Brexit world. Businesses will have to tread a fine line to ensure that they balance commercial 
pragmatism with staying compliant with this piece of vague, and as yet entirely untested, legislation."
Andrew Kirke is the Director of Contracts and Technology Dept, at leading commercial law firm, Tughans. You can contact him via 028 9055 3306 or Andrew.Kirke@tughans.com.
This article was orginally published here.
If you liked this GDPR focused article, you might want to read :
- The impact of GDPR on HR departments
- The Impact of GDPR on Marketing, PR and Outreach for Startups
Subscribe to our newsletter
If you would like to receive our startup themed newsletter, full of the latest startup opportunities, events, news, stories, tips and advice, then sign up here.
Tech Nation calls for tangible support to secure capital, talent, growth and exits needed to accelerate the growth of UK tech in decade ahead.
Glasgow-based This is Milk seeks investment for Neve Learning, its cloud-based Ed-Tech platform that has inclusivity and accessibility at its core.
.jpg)
With the UK facing a clear digital skills gap, Amy Caton, Digital Talent and Impact Senior Manager at BT Group shares some insights on what businesses should do to close that divide.
The lowdown on Berlin-based Beazy and its innovative solution that helps teams to plan, produce and deliver creative content and helps businesses to connect with talented content creators.
The lowdown on Fluffy, the app offering dog training, 24/7 vet messaging and insurance to give pet owners peace of mind and support them with their pet care responsibilities.
Huckletree's new Web3 HQ aims to put London’s West End at the forefront of Britain’s tech superpower ambitions.
Leading sports marketing platform, OpenSponsorship announces move into music sector, the first new vertical industry for the trans-Atlantic martech business.
.jpg)
Kingussie High School scoops first place for Junior and Senior categories at this year’s Growing Future Assets Competition.
The lowdown on Manchester-based Arctic Shores and its innovative recruitment solution to help candidate potential count as much as skills and experience.
With the demand for tattoo removal now greater than ever, specialist NAAMA Studios makes a bid for a further £11m in funding.
Published on: 23rd July 2018
If you would like to enable commenting via your Startacus account, please enable Disqus functionality in your Account Settings.
- Tech Nation report reveals UK Tech could quadruple in value by 2032 with right conditions 23rd Mar 2023 Tech Nation calls for tangible support to secure capital, talent, growth and exits needed to accelerate the growth of UK tech in decade ahead.
- Neurodiverse learning and training platform Neve shares major six-figure investment opportunity 22nd Mar 2023 Glasgow-based This is Milk seeks investment for Neve Learning, its cloud-based Ed-Tech platform that has inclusivity and accessibility at its core.
- Huckletree opens new London hub for tech companies pioneering Web3 solutions 16th Mar 2023 Huckletree's new Web3 HQ aims to put London’s West End at the forefront of Britain’s tech superpower ambitions.
- OpenSponsorship making its move into the music sector 16th Mar 2023 Leading sports marketing platform, OpenSponsorship announces move into music sector, the first new vertical industry for the trans-Atlantic martech business.
