Legal firms and self-styled “GDPR experts” are being warned they could face compensation claims if they are found to have given poor advice to companies aiming to comply with the regulation, amid claims the profession was struck by “GDPR fever”.
Concerns over GDPR training were first aired over a year ago when the House of Commons was accused of wasting nearly £100,000 of taxpayers’ money on training for MPs and staff that did not provide the level of expertise needed for attendees to achieve compliance.
The issue has been raised again by DMA Group chief executive Chris Combemale, who recently told a Westminster Legal Policy Forum conference that many of the 1,000 DMA members had been wrongly told to focus on consent as the basis for processing data.
Many businesses had followed “extremely conservative” advice from their lawyers, he said, and sought to gain opt-in consent – or even double opt-in – to retain customer details.
Combemale claimed that the legal profession had a “considerable misunderstanding” of how GDPR should apply to the marketing sector. He quoted one example of a lower-league football club which had 100,000 supporters on its database before May 2018, but followed its lawyer’s advice to gain double opt-in. The club’s sign-ups dropped over 97%.
Peter Wright, managing director of cyber-law specialist Digital Law, told The Law Society Gazette: “People have got funny ideas that GDPR is all about consent and it’s absolutely not. There were an awful lot of people who started styling themselves GDPR specialists when they had not got the expertise. It’s not a case of putting a policy in place and saying that’s it. It is a rolling obligation and lawyers should be talking to clients in any event about privacy regulations.”
Robert Bond, a partner at London law firm Bristows, said there has been “a lot of misinterpretation of what law requires”, such as the idea that GDPR was all about consent when actually it was only one of six lawful grounds for processing somebody’s data.
He added: “We were surprised by the number of emails flying around asking for consent for newsletters and so on. There’s nothing in GDPR that says you need to seek permission again if you already have a relationship with an individual.
“There was probably an element of GDPR fever where lawyers were giving advice in circumstances where they weren’t best placed to do so. The problem is that you don’t know what you don’t know. This is a niche area of law,” said Bond.
Others point to the rise of self-styled GDPR experts, who saw the then looming legislation as an opportunity to make a quick buck. One source said: “Suddenly everyone was a GDPR consultant, even though there is no such thing as GDPR certification.”
Some experts claim that poor advice could lead to clients claiming compensation on the basis that the guidance cost them significant amounts of lost revenue.
Earlier this week, the Information Commissioner’s Office sent out a warning to companies to ensure the legal advice they were receiving was sound after fining a company £40,000 for following “misleading” guidance about the Privacy & Electronic Communications Regulations.
Pensions firm pays hefty price for dodgy legal advice
Commons ‘wasted £100,000 on faulty GDPR training’
MPs ‘as clear as mud’ about how to comply with GDPR
GDPR zero hour: Now the hard work begins say experts
Parish councils cry foul at cost of GDPR compliance
GDPR consent guidance is published – with a warning
Most EU data enforcers in a shambles as GDPR looms