I saw two iterations of the same erroneous statement about the General Data Protection Regulation (GDPR) this morning, and it’s instructive to compare them.
One was in a Times article by journalist Danny Fortson. This said:
[Under GDPR] organisations large and small will have to ask for new permission to keep personal details on file
The other was contained in a brief twitter exchange which I barged into, in which a personal trainer revealed that a “GDPR consultant” had told her that she
had to regain all [client] details and destroy all the previously held info
I haven’t got anything profound to say here – just three observations: 1) GDPR absolutely does not expressly require businesses to do anything about client or customer data already held, let alone contact those people to get their consent 2) there is some shockingly bad advice about GDPR apparently being promulgated by people purporting to be competent to give it 3) there is a rather toxic feedback loop by which this shockingly bad advice is repeated in the media, and then picked up by others.
I hope it will all calm down after 25 May. And I also hope that decent people running decent businesses don’t get permanently harmed by this situation.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.