Dr Kuan Hon, one of the top data protection lawyers in the UK, has criticised organisations for the wave of GDPR opt-in emails sent over the past few weeks and claimed that they are, in most cases, unnecessary.
Hon blames "bad advice being given by non-data protection experts, not helped by media misinformation about the GDPR, all at levels that seem unprecedented".
She continued: "The proliferation of unnecessary emails asking people to reconfirm their ‘consent’ to receive future communications: most of those have only resulted in organisations losing large parts of their marketing databases when they didn't need to."
Even reputable publications - such as the Financial Times and Wired - had perpetuated myths about GDPR, she added.
"The most prevalent one is that ‘Under the GDPR you can't process personal data without explicit consent’. That is wrong. There needs to be a ‘legal basis’ to process personal data, but consent is not the only legal basis. And purely personal use, for example, your personal address book, is exempt.
"Another common myth is that ‘Anyone can ask for all their personal data to be deleted’, but this ‘right to be forgotten’ only applies in certain situations, it is not an absolute right. Similarly with the right to data portability."
Hon has spoken in the past about how GDPR has been used as a cash cow by some vendors. "My biggest concern is that lots of companies, including SMEs, have forked out a lot of money for the wrong advice that may even harm them - as in the re-consenting case."
Increasingly, added Hon, GDPR and data protection issues will become a feature of mergers and acquisitions. "Due diligence on security and data protection, to detect breaches at the target [company], will be hugely important. Because, as is evident from some well-known breaches, the acquisition price can be greatly affected."
Verizon, for example, negotiated a $350 million discount in the price that it paid for Yahoo's online assets when it finally completed its acquisition last year.
"This applies not just to security issues, but also, for example, databases where the personal data may not have been validly collected by the target for the intended use.
"Also, post acquisition work will be vital - making sure that systems and databases are properly integrated and tested to ensure compliance going forward," said Hon.
Kuan Hon is the author of the legal guide, Data Localization Laws and Policy, available from Amazon and other book retailers.