Dr Kuan Hon, one of the top data protection lawyers in the UK, has criticised organisations for the wave of GDPR opt-in emails sent over the past few weeks and claimed that they are, in most cases, unnecessary.
Hon blames "bad advice being given by non-data protection experts, not helped by media misinformation about the GDPR, all at levels that seem unprecedented".
She continued: "The proliferation of unnecessary emails asking people to reconfirm their ‘consent’ to receive future communications: most of those have only resulted in organisations losing large parts of their marketing databases when they didn't need to."
Even reputable publications - such as the Financial Times and Wired - had perpetuated myths about GDPR, she added.
"The most prevalent one is that ‘Under the GDPR you can't process personal data without explicit consent’. That is wrong. There needs to be a ‘legal basis’ to process personal data, but consent is not the only legal basis. And purely personal use, for example, your personal address book, is exempt.
"Another common myth is that ‘Anyone can ask for all their personal data to be deleted’, but this ‘right to be forgotten’ only applies in certain situations, it is not an absolute right. Similarly with the right to data portability."
Hon has spoken in the past about how GDPR has been used as a cash cow by some vendors. "My biggest concern is that lots of companies, including SMEs, have forked out a lot of money for the wrong advice that may even harm them - as in the re-consenting case."
Increasingly, added Hon, GDPR and data protection issues will become a feature of mergers and acquisitions. "Due diligence on security and data protection, to detect breaches at the target [company], will be hugely important. Because, as is evident from some well-known breaches, the acquisition price can be greatly affected."
Verizon, for example, negotiated a $350 million discount in the price that it paid for Yahoo's online assets when it finally completed its acquisition last year.
"This applies not just to security issues, but also, for example, databases where the personal data may not have been validly collected by the target for the intended use.
"Also, post acquisition work will be vital - making sure that systems and databases are properly integrated and tested to ensure compliance going forward," said Hon.
Kuan Hon is the author of the legal guide, Data Localization Laws and Policy, available from Amazon and other book retailers.