A law consultant has warned growing “mythology” around new data protection laws could “endanger the lives of children” and has urged authorities to issue urgent advice to get key messages out.
Media law consultant David Banks said “panic over GDPR has become a full-blown stampede”.
He told HuffPost that he had been told of schools who believed they could no longer alert staff to student’s “potentially life-threatening allergies” because of the General Data Protection Regulation which came into force today.
“I think the information commissioner is going to have to start doing some myth busting about GDPR given the mythology that is growing around it and I think they need to do it quite quickly,” he said.
“Especially with some of this information going around at schools which is particularly worrying and potentially dangerous... I think they need to perhaps put out a few notices saying, ‘you can tell members of staff that a student has a potentially fatal allergy’.”
GDPR applies to all organisations that handle European Union citizens’ data and has caused widespread panic as it gives the Information Commissioner’s Office (ICO) powers to fine firms up to €20m (£17.5m) or 4% of global annual turnover for serious breaches.
It gives consumers new rights to request what data is held on them and to ask for it to be deleted and requires companies to get explicit consent to use personal information. According to the ICO it’s “intended to strengthen and unify data protection for all individuals within the European Union”.
Firms also have to meet higher standards for keeping data safe but they have been given two years to prepare for the change.
The law had led to torrents of emails being sent out asking people to renew their consent to receive marketing materials and today a number of high-profile US news websites became temporarily un-available in Europe.
On Thursday Banks highlighted the confusion around GDPR by directing his followers to a thread on Twitter.
The Department of Education today declined to comment on any feeback they had received from schools around GDPR, but highlighted a number of educational materials - including blogs and videos - it had provided.
The National Education Union told HuffPost it was unaware of concerns amongst schools. The National Union of Teachers and the NASUWT are yet to reply to a request for comment.
A spokesperson from the Information Commissioner’s Office told HuffPost that it had already published a “whole series of myth busting blogs” about GDPR and reassured small organisations that there is “no need to panic”.
“It’s important that we all understand 25 May is the beginning of the journey and we want to reassure small organisations that there is no need to panic. Anyone who is unclear about what they should be doing should check our website or contact us directly.”
The statement continued: “The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change. The large fines will be reserved for those organisations that persistently, deliberately or negligently flout the regulations.”
Banks said a lot of the confusion around GDPR centred around the issue of consent, “which is why we’re all getting these emails” from companies asking for permission to keep sending correspondence.
Consent, he said, is only “one of the reasons that you can hold data, but it is only one”.
“There’s lot of other reasons. Vital interests. Life-saving interests. Contractual interests,” Banks said.
He explained if individuals, for instance, had previously agreed to recieve a newsletter, even if it was “years ago”, companies did not need to ask them for consent to keep sending it because “I can unsubscribe at any time”.
“One of the exemptions to holding data is that you’ve got a legitimate interest in holding, just what data they need, to get me the newsletter.
“Organisations that might be in a little bit of a sticky situation... if you’d signed up to a newsletter and you’ve told them everything about yourself... your name, your hair colour, your gender.... now they might find themselves in a sticky situation because they’ve got a lot of data and it might be quite hard for them to justify holding quite so much.”
The Twitter thread was critical of the way the ICO’s had rolled out the law change, which Banks agreed with, saying there were too many “grey areas”.
However, he told HuffPost that “this often happens when you get complex new legislation coming in, people overreact and interpret it at the most extreme level, they always go to the worst case scenario”.
“Perhaps some simpler information should have been out out by the Information Commissioner’s Office,” Banks said.
“The guidance we got was quite lengthily and it would be good to see some digests coming out that kind of back that up and get some key messages out to give a bit of clarity to people. ”