Given the amount of information available, it is surprising that there is so much misunderstanding about the GDPR (General Data Protection Regulation), which will come into force in May 2018.
In part this is down to sensational reporting of the more lurid parts of the regulation: the greatly increased fines available to the Information Commissioner’s Office (ICO), the new breach reporting requirements placed on companies, and the changes to the lawful bases for data processing. There is a lot to digest in the GDPR, and for some organisations it will mean substantial changes to the way data is handled, processed and protected in order to achieve compliance.
Let us walk you through some of the more persistent GDPR myths and see if we cannot replace them with more useful GDPR facts…
The GDPR is a brick wall that all companies will run up against in May 2018
The ICO has been offering advice on the GDPR for two years, and the regulation builds on the existing Data Protection Act (DPA): the core principles (fairness, purpose limitation, data minimisation, security) are familiar, and what changes is mainly accountability, breach reporting and the scale of sanctions. The arrival of the GDPR should therefore not be a surprise. Moreover, although the regulation takes effect on 25 May 2018, compliance will be an evolving journey for nearly all organisations affected by it. Organisations should be preparing now, but full compliance will almost certainly only be achieved after May, because some of the new provisions (records of processing, data protection impact assessments, revised privacy notices and contracts with processors) require considerable work. The ICO has repeatedly made it clear that its aim is to help organisations comply and has consistently downplayed its punitive powers.
Under the GDPR all data breaches must be reported to the ICO
This simply isn’t true. What the GDPR requires is that a personal data breach be reported to the ICO unless it is unlikely to result in a risk to people’s rights and freedoms. Where a breach is also likely to result in a high risk to those people (for example, exposed financial details or credentials that could be abused), the affected individuals must be told as well. If a breach is detected which poses no such risk, there is no obligation to report it, but every breach must still be recorded internally, with the facts, its effects and the remedial action taken, so that the ICO can verify that the decision not to notify was justified.
Key to this, therefore, is an organisation’s ability to monitor the security of its data, to detect attempts to breach that security, and to assess and log each incident so that the risk decision can be made and evidenced. This is an area where we can offer considerable assistance to companies who are unsure exactly how to move confidently towards GDPR compliance.
If a reportable breach occurs, all information must be provided to the ICO immediately
Clearly this is wrong, as it is nearly impossible to do even with the best systems in place, and the regulation does not ask for it. The GDPR requires that the ICO be notified of a reportable breach without undue delay and, where feasible, no later than 72 hours after the organisation becomes aware of it; if notification takes longer than 72 hours, the reasons for the delay must accompany it. The notification should describe the nature of the breach (the categories and approximate numbers of people and records affected), its likely consequences, the measures taken or proposed to address it, and a contact point, but the regulation explicitly allows this information to be provided in phases where it cannot all be supplied at once. The ICO does not expect to receive everything immediately and will not punish an organisation simply because it takes time to determine the full extent and nature of a breach. Once again, preparing to deal with a breach ahead of the fact, with an incident response plan that identifies who assesses the risk, who notifies the ICO and what evidence is collected, will pay considerable dividends should one occur.
The ICO is just waiting to fine you billions as soon as something goes wrong
No, they’re not. What is true, and has been the focus of much reporting of the GDPR, is that the maximum sanctions are substantially increased: for the most serious infringements, up to €20 million or 4% of worldwide annual turnover, whichever is higher, compared with a maximum of £500,000 under the DPA. Arguably this reflects the importance of data to all of us and the rapid growth of the knowledge- and data-based economy. The danger of real damage to organisations and individuals has increased as more and more data is held by companies, and the sanctions reflect this reality.
While the ICO has considerable powers to enforce GDPR compliance, fines must be proportionate, and the ICO has said it will take account of the nature and gravity of an infringement, whether it was intentional or negligent, the steps taken to mitigate the harm and the degree of cooperation with the regulator. A company would have to act in a wilfully egregious manner to incur the full penalty. Moreover, there is no reason for any organisation to find itself in that situation provided that it takes timely steps to comply with the new requirements.
Fundamentally the GDPR has been formulated to punish companies
This is a conspiracy-level worldview that has no basis in reality and is not one that we share. The GDPR was formulated at European level to create a common standard to which all organisations are expected to operate with regard to data security and processing. It is a matter of public policy and is neither designed nor intended to punish any business sector. The GDPR is intended to protect us all, regardless of whether or not we find ourselves having to actively comply with its conditions.
Explicit consent is the only way to lawfully process data under the GDPR
The nature of consent and its importance have been clarified and redefined under the GDPR (it must be freely given, specific, informed and unambiguous, and as easy to withdraw as to give), but consent is only one of six lawful bases on which an organisation can process personal data, and it is often not the most appropriate one. The others are performance of a contract, compliance with a legal obligation, protection of someone’s vital interests, performance of a public task, and the organisation’s legitimate interests. “Explicit” consent in the strict sense is required chiefly where special category data (such as health, biometric or religious data) is processed on the basis of consent. Part of the essential preparation for the GDPR is correctly identifying and documenting the lawful basis for each processing activity, because it determines which rights individuals have and what your privacy notice must say. This is important, and if you are unsure about this facet of the GDPR you should talk to us in advance of May. Once a lawful basis has been chosen and communicated it can be difficult to change it later, should you discover that you did not choose the most appropriate one.
There are other myths out there, but they are variations on a theme. The GDPR is a substantial piece of regulation and it matters to many companies and organisations. We are ready now to help you identify what your organisation needs to do to comply and to provide practical solutions for achieving ongoing compliance with the regulation.