As GDPR frenzy hits fever pitch, The Information Commissioner’s Office (ICO) is keen to squash some of the more outlandish myths that have been swirling around. As Elizabeth Denham, said UK Information Commissioner put it: “I want to set the record straight. I want to bust the myths. Because I know that most organisations want to get GDPR right when it comes into force”.
To separate fact from fiction, they’ve been publishing a regular series of myth-busting blog articles. The series of blog articles, which have been posted over a nine-month period and 7000 words, have been condensed into one easy to digest summary by Henry Cazalet, founder and director of The SMS Works.
So, lets bust some myths…
Myth 1: The biggest threat to organisations from the GDPR is massive fines
Fact: This law is not about fines. It’s about putting the consumer and citizen first.
It’s certainly true that under GDPR, the ICO will have the power to fine companies up to £17 million or 4% of turnover. But it’s scaremongering to suggest that they will be making early examples of organisations for minor infringements or that maximum fines will become the norm.
The ICO is committed to guiding, advising and educating organisations about how to comply with the law under the GDPR.
The ICO has always preferred the carrot to the stick.
Myth 2: You must have consent if you want to process personal data
Fact: The GDPR is raising the bar to a higher standard for consent.
The new rules clarify that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent.
Consent needs to be explained in clear and plain language and organisations need to make sure that their existing consent meets the standards of GDPR or it will need to be refreshed.
However, consent is one way to comply with the GDPR, but it’s not the only way.
For processing to be lawful under the GDPR, you need to identify a lawful basis before you start.
The new law provides five other ways of processing data that may be more appropriate than consent.
Myth 3: GDPR is an unnecessary burden on organisations
Fact: The new regulations do demand more of organisations in terms of accountability for their use of personal data and it enhances the existing rights of individuals.
GDPR is simply building on foundations already in place for the last 20 years.
If your organisation is complying with the terms of the Data Protection Act, and have an effective data governance programme in place, then you are already well on the way to being ready for GDPR.
Many of the fundamentals remain the same and have been known about for a long time. Fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data you want to process.
Myth 4: All personal data breaches will need to be reported to the ICO
Fact: It will be mandatory to report a personal data breach under the GDPR but only if it’s likely to result in a risk to people’s rights and freedoms.
So, if it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report.
Myth 5: All details need to be provided as soon as a personal data breach occurs
Fact: If a personal data breach needs to be reported, it’s needs to happen without delay and, where feasible, not later than 72 hours after having become aware of it.
Organisations will have to provide certain details when reporting, but the GDPR says that where the organisation doesn’t have all the details available, more can be provided later.
The ICO will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident
Myth 6: If you don’t report in time a fine will always be issued and the fines will be huge
Fact: Fines under the GDPR will be proportionate and not issued in the case of every infringement.
Fines can be avoided if organisations are open and honest and report without undue delay, which works alongside the basic transparency principles of the GDPR.
“Tell it all, tell it fast, tell the truth.” – Elizabeth Denham
Myth 7: Data breach reporting is all about punishing organisations
Fact: The new law is designed to push companies and public bodies to step up their ability to detect and deter breaches.
What is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities.
The ICO understands that there will be attempts to breach organisations’ systems, and that data breach reporting will not miraculously halt criminal activity. But the law will raise the level of security and privacy protections across the board.
Myth 8: GDPR compliance is focused on a fixed point in time – it’s like the Y2K Bug
GDPR compliance will be an ongoing journey and unlike planning for the Y2K deadline, GDPR preparation doesn’t end on 25 May 2018 – it requires ongoing effort.
Unlike Y2K, the GDPR is not a complete unknown.
That said, there will be no ‘grace’ period – there has been two years to prepare and the ICO will be regulating from this date.