Most studies of the General Data Protection Regulation (GDPR) examine its impact on email and data collection. But there are some hidden risks in other areas.
You can stumble into a whopping fine or harm your business and career in other ways. Here are three traps to avoid:
1. Thinking the UK is a safe zone for spam — Thanks to Brexit, the UK is leaving the EU. That means you can ignore the GDPR when marketing there. Right?
Wrong. The UK plans to comply with GDPR, and Parliament is considering a bill that would bring the UK into line with the new EU law, among other things. The UK is already pretty tough — as we report today, the Information Commissioner's Office has fined a bank and a web agency for sending “spam” emails.
One problem is that the draft bill is confusing. Baroness Lane-Fox of Soho said in the House of Lords that she finds it “incredibly hard to read and even harder to understand,” according to the Register.
Lane-Fox commented: “I fear that we will not do enough to stop the notion, referred to by the noble Lord, Lord McNally, that we are sleepwalking into a dystopian future if we do not work hard to simplify the Bill and make it accessible to more people, the people to whom I feel sure the government must want to give power in this updated legislation.”
Good point. How can you obey the law when you can’t even figure out what it is?
2. Having contracts full of holes — Controllers must insist that processors are compliant with the GDPR, and that this is spelled out in contracts.
Contracts must specify the data processing that will be conducted, and give guarantees that the law is being observed, according to a draft guidance from the Information Commissioner. Controllers are liable for compliance.
What if one of the parties refuses to renegotiate an existing contract?
“Initially, you may conclude that the party refusing would be the responsible or liable one,” writes Rocio de la Cruz in Computing. “However, the obligation of having suitable provisions in place is the controller's responsibility under the GDPR.”
Many firms already are in de facto compliance and insist on ironclad contracts — that’s the positive side of this.
But de la Cruz notes that “the fact of this becoming mandatory is opening new points of discussion between parties that require special attention; for example regarding additional fees, the extent to which both parties will collaborate with each other and identifying what data fits into the category of ‘being processed on behalf of the controller’,” among other things.
3. Letting GDPR stall your career — This isn’t about having to resign in disgrace over data breaches (don’t worry — it will never happen). The problem is that, under GDPR, headhunters could forget that you exist.
How so? Just like email marketers, recruiters have to be careful about how they use and store data — in their case, on potential C-suite candidates. And if you’re a potential hire, they will need your express permission to keep you on file.
Executives could lose out on an 11% to 30% uplift in their pay if they slip through the GDPR cracks.
Of 350 search firms surveyed across the globe, 75% work on 25 searches per year. The average “talented executive” can expect to hear from a search firm at least once a year, and almost a third can anticipate three to five invitations to chat.
So what’s the danger?
“Giving consent to a search firm to hold your data in the past will not necessarily allow the firm to use it in the future,” GatedTalent writes. Unless you take action to give consent, you may disappear off search firms’ radar, with almost certain negative consequences for your career.
It adds: “Giving consent is also an opportunity to update the firms you trust with your latest information. There’s no point simply allowing search firms to store information about you from 3 years ago – firms are better able to consider you if they know your current role and your current aspirations.”
Talk about intensive regulation: GDPR seems to be getting into everything.