Was the General Data Protection Regulation handed down on tablets of stone? Were its articles intended to be revered, venerated and feared for all time? Or, as many businesses might prefer, is GDPR more of a set of guidelines, good ideas for living a moral life that
One could be forgiven for mistaking some GDPR compliance professionals for wandering clerics; preaching the gospel of data protection and warning of the world to come. Yet, like every prophecy, the date of the apocalypse came and went, and nothing much happened… Or did it?
A curious data protection case in Poland could yet prove the GDPR zealots right. A digital marketing company called Bisnode participated in the not uncommon practice of data scraping – obtaining a variety of personal data from public registers including the name, national ID number and registered business address of millions of entrepreneurs and executives.
All in all, the details of 5.7 million people were pulled from openly accessible public records and held by Bisnode.
GDPR’s right to be informed
Article 14 of GDPR establishes a right to be informed, meaning data controllers are obliged to tell people whose personal data they intend to process when the information has not been obtained directly from the data subject. Thus, in the case of Bisnode, the Polish data protection regulator (UODO) ruled the company was obligated to contact every single one of the millions of people whose data they scraped together. The rules state a data subject must be informed of what is going to be done with their data, the legal basis for processing, how they can object, and if it has been shared with anyone else; all within one month.
Bisnode claimed they did comply with Article 14, by placing a notice on their website. Contacting all 5.7 million individuals would be prohibitively expensive, they argued, given they held email addresses for fewer than 700,000 of the individuals.
UODO denounced Bisnode’s heretical beliefs about the proper way to respect Article 14 and levied a fine of €220,000. But the punishment for apostasy did not end there. To atone for their data protection sins, Bisnode was ordered to actually follow the Article 14 rules and write, on paper, to the millions of people whose data they had unlawfully processed. The company bitterly objected, saying it would cost in excess of €8 million in postal costs alone, never mind the added burden of handling so much
But the guardians of Polish GDPR did not concoct Bisnode’s penitence out of spite. In making their ruling they considered the fact that of the 90,000 people the company did inform by email, over 12,000 of them took the time to object to the processing of their data – not an insignificant percentage.
Yet the dispute on the doctrine of Article 14 is far from over, as Bisnode intends to argue its case before the highest European authorities who will give them an audience. So in the meantime, it might not hurt to give a touch more credence to those GDPR evangelists warning of a fire and brimstone approach to enforcing data protection law. Perhaps those commandments really are intended to be taken literally.
Upcoming GDPR refresher training
Staff should regularly carry out GDPR training to ensure they are continually able to respect and protect individuals’ personal data. Ahead of the one-year anniversary of GDPR being in force, we will be releasing new refresher training that will help staff maintain awareness of GDPR requirements year after year. Within the same course, users can take advanced modules related to their role. This training will include topics such as how to be a DPO, GDPR for marketing and HR and responding to subject access requests. You can register for updates on the training here.