The UK Information Commissioner, Elizabeth Denham, has said there are some “outlandish myths” circulating around the forthcoming changes to data protection – the General Data Protection Regulation, GDPR.

She said that there are eight major myths “swirling around” which agents should be aware of.

Myth 1
The biggest threat to organisations is massive fines

Fact This law is not about fines. It’s about putting the consumer first.

It’s certainly true that under GDPR, the ICO will have the power to fine companies up to £17m or 4% of turnover. But it’s scaremongering to suggest that they will be making early examples of organisations for minor infringements or that maximum fines will become the norm.

The ICO has always preferred the carrot to the stick.

Myth 2
You must have consent if you want to process personal data

Fact The GDPR is raising the bar to a higher standard for consent.

The new rules clarify that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent.

Consent needs to be explained in clear and plain language and organisations need to make sure that their existing consent meets the standards of GDPR or it will need to be refreshed.

Consent is one way to comply with the GDPR, but it’s not the only way.

For processing to be lawful under the GDPR, you need to identify a lawful basis before you start.

The new law provides five other ways of processing data that may be more appropriate than consent.

Myth 3
GDPR is an unnecessary burden on organisations

Fact The new regulations do demand more of organisations in terms of accountability for their use of personal data, and they enhance the existing rights of individuals.

GDPR is simply building on foundations already in place for the last 20 years. If your organisation is complying with the terms of the Data Protection Act, and has an effective data governance programme in place, then you are already well on the way to being ready for GDPR.

Many of the fundamentals remain the same and have been known about for a long time: fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data you want to process.

Myth 4
All personal data breaches will need to be reported to the ICO

Fact It will be mandatory to report a personal data breach under the GDPR but only if it’s likely to result in a risk to people’s rights and freedoms.

So, if it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report it.

Myth 5
All details need to be provided as soon as a personal data breach occurs

Fact If a personal data breach needs to be reported, it needs to happen without delay and, where feasible, not later than 72 hours after having become aware of it.

Organisations will have to provide certain details when reporting, but the GDPR says that where the organisation doesn’t have all the details available, more can be provided later.

The ICO will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident.

Myth 6
If you don’t report a breach in time a fine will always be issued and the fines will be huge

Fact Fines under the GDPR will be proportionate and not issued in the case of every infringement.

Fines can be avoided if organisations are open and honest and report without undue delay, which works alongside the basic transparency principles of the GDPR.

“Tell it all, tell it fast, tell the truth” – Elizabeth Denham

Myth 7
Data breach reporting is all about punishing organisations

Fact The new law is designed to push companies and public bodies to step up their ability to detect and deter breaches.

What is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities.

The ICO understands that there will be attempts to breach organisations’ systems, and that data breach reporting will not miraculously halt criminal activity. But the law will raise the level of security and privacy protections across the board.

Myth 8
GDPR compliance is focused on a fixed point in time – it’s like the Millennium Bug

Fact GDPR compliance will be an ongoing journey and, unlike planning for the Y2K deadline, GDPR preparation doesn’t end on May 25 – it requires ongoing effort.

That said, there will be no ‘grace’ period – there have been two years to prepare and the ICO will be regulating from this date.
