Panicked into heavy-handed action by impenetrable data regulations
SIR – Peter Mellor (Letters, May 10) is right about the colossal waste of resources expended by small clubs and organisations to comply with the confusing minefield of the General Data Protection Regulations (GDPR).
I am the honorary secretary of a local yacht club and have spent much time on our compliance with the regulations. I believe that virtually all processing of data by membership-based organisations can be done on the basis of “legitimate interests” or “proper performance of the contract with the data subject”, both expressly permitted by Article 6 of the GDPR.
No extra “consent” is necessary unless a member’s data is used in a manner they would not reasonably have expected from the organisation.
Yet one cannot blame club secretaries for taking the “safe option” of obtaining consent, as the regulations are so impenetrably written that only a lawyer’s mind could begin to understand them.
Online, there is a virtual feeding frenzy of lawyers and consultants trying to frighten the unwary into using their high-priced services. There has been a dire shortage from the Information Commissioner’s Office of advice in plain English to help those small membership organisations currently being left to flounder.
Tim Wood
Wivenhoe, Essex
SIR – If it is true that “individuals must opt in whenever data is collected on them” (report, May 8), must a police officer ask criminals for consent to be investigated? Of course not.
This is an unfortunate myth about the GDPR, which has been debunked on many occasions, not least by the Information Commissioner herself.
There are, in fact, six general bases on which personal data can lawfully be processed, and the data subject’s consent is just one of those (and is often not the most appropriate option).
Jon Baines
Data Protection Adviser
Mishcon de Reya
London WC2
SIR – The GDPR are being used by every crook in the country to get at one’s data. I received an email purporting to be from Paypal asking me to “update” data held on me. The return email address looked genuine enough, though rather long.
Next morning, a call from my bank asked if I had made certain payments. I was then contacted again and advised of means to “correct this situation”. I was asked to go through certain steps, with both the man on the line and I seeing the same screen bank data.
I broke off for an appointment, and on phoning the bank later found it knew nothing of the morning’s happenings. The morning’s online and phone business had been fraudulent.
My bank was of considerable assistance in getting me new cards and freezing my accounts while making moves to restore my funds.
As far as I can see, the only response to any online request to “update” your data is to ignore it.
David E Hockin
Portishead, Somerset