GDPR myth-busters

We’re noticing a very common trend here at Data HQ. Our clients are becoming increasingly aware that the new General Data Protection Regulation (GDPR) law is looming however; they are becoming increasingly confused by the myriad of communications.

It’s clear more guidance and education is required. The Information Commissioner’s Office (ICO) have confirmed they will publish their formal guidelines on consent before the end of 2017. However, we thought we’d address the most commons myths we have come across:

MYTH 1. You can’t start planning until the ICO releases their formal guidelines

Untrue. It is easy to put things off however, there is enough information on GDPR available to start the process. Using this as an excuse could leave you in hot water, with very little time to get sorted come the deadline in May 2018.

The good news is, if you’re currently compliant with the existing Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR) then you’re in a strong position to embrace any changes.

When thinking about GDRP this useful 10 Step Guide may help with preparations.

MTYH 2. You must have consent to process data

Untrue. The rules around consent only apply if you are relying on consent as your basis to process personal data. To be clear, consent is one way to comply with the GDPR, but it’s not the only way. There are different lawful bases organisations will have for processing personal information under the GDPR. For processing to be lawful under the GDPR, you need to identify a lawful basis before you start. For example, local authorities processing council tax information, banks sharing data for fraud protection purposes, insurance companies processing claims information – these organisations use a different lawful basis for processing personal information that isn’t consent.

The new law provides five other ways of processing data that may be more appropriate than consent. ‘Legitimate interests’ is one of them and there is already ICO guidance about legitimate interests under the current law.

You should be able to identify your purposes for processing personal information and you will need to document your decisions to be able to demonstrate to the ICO which lawful basis you use. Data protection impact assessments will be able to help you with the task of understanding how you can meet conditions for processing and make your business more accountable under the GDPR

The ICO’s draft guidance on consent is a helpful source. When they publish their formal guidance on consent, it will not include guidance on legitimate interests or any other lawful bases for processing. They are clear it’s guidance on consent and will only cover consent.

Without doubt the GDPR is raising the bar for consent. Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.

When it comes to B2B data verses B2C data. As its stands, B2B data for Sole Traders and Partnerships will be treated in the same way as B2C data and therefore, opt-in is required. For registered businesses, then the current guidelines from the ICO state that ‘opt-out’ will remain the standard. However, you will have to comply with other rules to use opt-out; such as providing easy route to opt-out, the sender clearly identifies themselves and includes their registration number and contact details and the message is of a B2B nature.

MYTH 3. The biggest threat of the GDPR is the large fines

Untrue. Without doubt, the threat of a large fine (maximum £17million or 4% of turnover) is a huge incentive for organisations to get their house in order. However, the ICO are keen to make the point this law is not about fines. Its very much about putting the consumer and their privacy rights first.

Heavy fines for serious breaches reflect just how important personal data is becoming in this current era. At Data HQ we believe there are many benefits and opportunities attached to the new regulation.

While fines may be the sledgehammer in the ICO’s toolbox, its worth noting they have access to other tools. Like the DPA, the GDPR offers a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit the bottom line - reputations will be tarnished. Something you can’t insure against!

MYTH 4. Every Organisation will need to appoint a Data Protection Officer (DPO)

Untrue. Early iterations of the GDPR specified all organisations with 250 employees, or processing more than 5,000 personal data records, would need to formally appoint a DPO. However, these specifications have since been amended throughout the draft stages.

In its present form, Section 4 of GDPR states that DPO’s must be appointed if your organisation is:

- A public body

- A private sector controller whose core activities consist of processing operations that require ‘regular and systematic monitoring of data subjects on a large scale’

- A private sector controller whose core activities consist of processing special categories of personal data – i.e. sensitive personal data under the UK DPA

Further reading: Data HQ's complete guide to the GDPR