GDPR doesn’t need to be seen as a business prevention tool

Two years since GDPR became enforceable across the EU there are still organisations struggling to understand what it means for them in their sector and geographical region. This webinar will help you correct some misconceptions and enable you to see how it can be turned into a positive advantage.

As part of the Emailage, a LexisNexis Risk Solutions Company virtual event series Carolyn Harrison, Data Protection Adviser, Emailage, Sonja Grzabka, Director of sales DACH, Emailage and Jean-Damien Rubal, Director of Enterprise Sales France, Emailage discuss some common myths surrounding GDPR since it’s two year inception.

What are the key learnings from today’s webinar?

Sonja Grzabka: When we talk about accessing data to make fraud risk decisions, people think that’s great because that helps me make better decisions for my business. However, this then raises questions such as – what about data protection? What about the consumer? What about consent? How much data can I use and what can I do with it? All of this will be discussed in our webinar today.

Myth 1: You must get consent for all types of data processing

Carolyn Harrison: The reality is that is a myth and it was a big mistake that people made two years ago. So we’re doing this webinar at the perfect time. It’s been two years since GDPR became enforceable throughout Europe and lots of people weren’t ready for D-Day, which was 25th of May, and they didn’t know what to do.  

People started panicking because there were all these headlines in the press saying you’re going to get fined two or four percent of your global turnover. People saw that organisations were simply sticking a privacy policy on their  website and then writing to everybody in their CRM system and saying, is it okay if we keep your data?  

Of course, that wasn’t right. In itself they were breaking GDPR invariably by writing to ask for consent. Consent is only one of the six legal basis for processing data.

Myth 2: I can ask for all data including my driving convictions under the GDPR’s “Right To Be Forgotten” rule?

Carolyn Harrison: If the basis of you keeping the data is contractual or legal, then you wouldn’t be able to delete it. You would need to write to the individual and explain that you have a legal obligation to keep that data. However, removing data about something like a driving conviction would be fantastic, wouldn’t it? If we could try and remove all the things that we didn’t want people to know about us, but it’s worth mentioning that GDPR is not above the law. So if there are other laws in place such as tax, anti money laundering reasons, then you have to keep it. That will always apply over and above data protection.

Myth 3: It is not possible to really assess the risk of choosing a new supplier/third party?

Carolyn Harrison: The reality is that most conduct a DPIA (Data Protection Impact Assessment) which is a good standardised method to do a risk assessment on the supplier or a new process in your business.

Is there a high level of risk? If there is, can we reduce it? Are there things we can do to mitigate that risk? Take a reception in an office. In some cases, you can’t actually lock the door. It’s not practical. So if you know that you put a procedure in place that says somebody always watches the door. You can’t remove that risk. You can just mitigate it and it’s exactly the same with data protection. Have you done everything you can to protect the individual, the data subjects and information?

Myth 4: It is not possible to use external data for the prevention of fraud

Carolyn Harrison: The answer actually is GDPR helps you manage your fraud. In some cases, the information captured to prevent fraud may be the personal data itself. GDPR itself recognises the importance of fraud prevention within two of its recitals:

Recital 47: “The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned…”

Recital 71: “decision-making based on … profiling should be allowed where expressly authorised by … law … including for fraud or tax evasion monitoring and prevention purposes”.

Register for another upcoming Emailage event.