GDPR—Weapon or Shield?

GDPR has been in force less than a month and already the cracks are showing. With less than 35% of UK organisations thought to be ready, and despite the ICO stating “small businesses will not be punished for failing to be ready on time”, legal scaremongers seem to suggest otherwise.

The panic ranges from some US news websites blocking EU residents' access, to confusion (and some malfeasance) around email consent, to disgruntled employees seeking revenge and even religious ministers declining to offer public prayers for parishioners without completed consent requests. Needless to say, the uncertainty and panic around GDPR continue unabated.

While many organisations are taking a possibly over-cautious approach, still other unscrupulous groups are creating “the biggest torrent of spam in the history of the internet” and tricking unsuspecting recipients into their fraudulent email schemes.

The confusion has been so great as to force the ICO to intervene. Deputy information commissioner Steve Wood wrote on the ICO website: “Some of the myths we’ve heard are, ‘GDPR means I won’t be able to send my newsletter out anymore’ or ‘GDPR says I’ll need to get fresh consent for everything I do’. I can say categorically that these are wrong. You do not need to automatically refresh all existing consents in preparation for the new law.”

For any organisation that seeks, but does not receive, permission to continue previously requested email communication, it becomes technically illegal to keep in contact with those who do not reply.

DLP’s advice is that anyone contemplating requesting consent for continued email communication should seek specific independent legal advice beforehand.

Sadly, email consent is not the biggest issue facing employers.

DLP have previously warned about disgruntled employees using GDPR to seek ‘revenge’ and our concerns have been borne out.

DLP are aware of 4 employees who recently adopted the following strategy.

  1. Employee was sacked for gross misconduct following a full and lawful disciplinary process.
  2. Employee needs a reference but knows it will state they were sacked.
  3. Employee submits a Subject Access Request (SAR) with—or before—a termination appeal.
  4. Employee sends a Without Prejudice email offering an alternative to complying with the SAR, provided the employer accepts their resignation and provides a suitable reference.

Considering the 2-3 week process required to read, print, redact and supply the (potentially thousands of) documents requested by the SAR, this practice can best be described as blackmail. In every instance of which DLP is aware, the employer caved in to the former employee’s extortion.

While employers may bemoan such a ‘GDPR stunt’, a pragmatic opinion suggests the former employee would likely have lodged a (free) tribunal claim anyway.

It is clearly inappropriate to rewrite history by succumbing to extortion, to destroy disciplinary evidence (dependent upon retention policies), or to provide false references, but DLP wonder just how many employers, facing similar situations in the coming months and years, will make similar decisions.

Should you have any questions feel free to reach out to our help line. DLP advisors are available to answer any questions you may have at 0330 400 4495.
