8 GDPR Myths Upsetting Organisations – Busted!

The General Data Protection Regulation (the 'GDPR') is coming soon - May 25th 2018 in fact. But, many GDPR myths have already reared their ugly heads in recent months, worrying organisations that they are not doing enough when implementing a compliance strategy.

These myths have arisen through scare-mongering tactics, misinformation or a complete lack of knowledge about the intention of and framework for, this new data protection law.

Don't get me wrong. Organisations are looking for guidance on GDPR to end uncertainty and get compliance right first time; but not all the much-needed guidance is published yet, and probably won't be finalised for several months. To relieve this pressure, if you are already complying with data protection, have policies and procedures in place to deal with compliance, then GDPR compliance is an evolutionary step for your business. You just need to start familiarising yourself with how GDPR changes the data protection regime so that when guidance is finally published, it comes as no surprise.

Despite disagreements over the Brexit timetable, the UK's Information Commissioner is now on record as stating that the GDPR will definitely come into force in May 2018.

8 GDPR myths busted

Here are 8 GDPR myths which the UK data protection regulator has already busted.

Myth 1

Under GDPR, massive fines are the biggest threat to organisations.

Wrong! This law is not about fines. It’s about putting the consumer, citizens and employees first. The ICO (Information Commissioner's Office) which regulates data protection in the UK has a commitment to guide, advise and educate organisations on how to comply with data protection law. Including under GDPR.

The ICO has stated "it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm."

Definietely a case of dangling the carrot rather than using the stick.

Myth 2

You must have consent if you want to process personal data.

Not always. The GDPR is raising the bar to a higher standard for consent. But, there are five other ways which allow you to process personal data and which you consider more appropriate than obtaining consent. You will need to identify them at the start for processing to be lawful under the GDPR.

For example, local authorities processing council tax information; banks sharing data for fraud protection purposes; and insurance companies processing claims information.

Each one of these examples uses a different lawful basis for processing personal information that isn’t consent.

Do not wait for guidance about from regulators or sector-specific authorities. You know your organisation best and should be able to identify your purposes for processing personal information.

Myth 3

I can’t start planning for new consent rules until the ICO’s formal guidance is published.

Yes you can. Whilst business organisations want certainty and assurance of harmonised rules, you can read the ICO’s draft guidance on consent. The ICO has stated that it’s unlikely that the guidance will change significantly in its final form. So you already have many of the tools you need to prepare.

The ICO's formal guidance on consent, when published, will not include guidance on legitimate interests or any other lawful bases for processing. It’s guidance on consent and will only cover consent.

Myth 4

GDPR is an unnecessary burden on organisations

Yes and no! Compliance across any regulatory regime costs time, money and resources. But, the new regime is an evolution in data protection, not a revolution.

Thinking simply about regulatory burden indicates the wrong mindset to preparing for GDPR compliance. The law demands that any organisation, whether public, private or 3rd sector is accountable. As a business, you need to know your customer, your clients and employees. See GDPR as a way to get competitive and collaborative advantage by building trust and confidence across your community. GDPR is simply building on foundations already in place for the last 20 years.

Myth 5

I need to report all personal data breaches to the ICO.

No! It will be mandatory to report a personal data breach under the GDPR only if it’s likely to result in a risk to people’s rights and freedoms.

Myth 6

I must provide all details as soon as a personal data breach occurs.

No, you must report a data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it.

However, the GDPR says that where the organisation doesn’t have all the details available, more can be provided later. The ICO has stated that it will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident. The ICO will want to know the potential scope and the cause of the breach, mitigation actions you plan to take, and how you plan to address the problem.

Myth 7

If I don’t report in time the ICO will always issue a huge fine.

No. You can avoid fines if you are open, honest and report breaches without undue delay. This approach works alongside the basic transparency principles of the GDPR.

The ICO has said its  earlier blog fines under the GDPR will be proportionate and not issued in the case of every infringement.

Be aware that the ICO has the ability to issue fines to organisations for failing to notify and failing to notify in time. Note that the sanction is available to deal with organisations which systematically fail to comply with the law or completely disregard it, particularly when the public are exposed to significant data privacy risks.

Tell it all, tell it fast, tell the truth.

Myth 8

Data breach reporting is all about punishing organisations.

No. What concerns regulators most is the ability for organisations deal better with security vulnerabilities. The law is designed to push companies and public bodies to step up their ability to detect and deter breaches.

The ICO recognises that there will be attempts to breach organisations’ systems, and that data breach reporting will not miraculously halt criminal activity. But the law will raise the level of security and privacy protections across the board.

The public need to have trust and confidence that a regulator is collecting and analysing information about breaches, looking for trends, patterns and wider issues with organisations, sectors or types of technologies. It will help organisations get data protection right now and in the future.

Final points

Up until 25 May 2018 the current Data Protection Act will still apply to data breaches. After this date the new law will kick in. Organisations are now advised to start working towards GDPR compliance without further delay.

This article is based upon posts published on the ICO blog plus on E RADAR.