9 GDPR myths – busted – for small business owners

The juggernaut that is GDPR has now arrived. We’ve known about this radical change in privacy and data protection law for over two years, and on 25th May 2018 it began to apply across the EU.

The past two years have allowed plenty of time for numerous myths to bubble up about the impact of the new rules on UK businesses. But which are the GDPR myths and which are GDPR facts?

Elizabeth Denham, the Information Commissioner (the head of the Information Commissioner’s Office, the ICO), has been keen to dispel these rumours, commenting:

“I want to set the record straight. I want to bust the myths. Because I know that most organisations want to get GDPR right when it comes into force.”

To separate fact from fiction, the ICO has been posting a series of myth-busting blogs to keep the more outlandish rumours at bay.

Here, SMS gateway provider The SMS Works has condensed all 9 GDPR myths into an easy-to-digest summary.

Myth 1 – Massive fines will rain down on organisations that break the rules

Under GDPR the ICO has the power to fine companies a mind-boggling €20 million (around £17 million) or 4% of annual worldwide turnover, whichever is the greater.

The ICO says that it’s mere scaremongering to suggest that it will be on the rampage early on, making examples of organisations for trivial infringements, or that monster fines will become the norm.

The ICO is ‘committed to guiding, advising and educating organisations about how to comply with the law under the GDPR’.

Its comprehensive guides are designed to help organisations understand all the changes that need to be made.

Myth 2 – You must have consent if you want to process personal data

Not in all cases. The GDPR raises the standard required for consent, but that does not automatically mean that you need to obtain fresh consent in order to continue processing personal data or contacting people.

Consent is only one of the lawful bases for processing personal data. If you don’t have properly documented consent, another lawful basis may still allow you to continue.

In total there are five other lawful bases that may be more appropriate than consent: performance of a contract, compliance with a legal obligation, protection of someone’s vital interests, performance of a public task, and legitimate interests (the last is not available to public authorities acting in that capacity). Whichever basis you rely on, you need to identify it before you start processing and document it.

The new regulations state that pre-ticked opt-in boxes, silence or inactivity do not count as consent, and that organisations need to make it as easy for people to withdraw their consent as it was to give it.

If organisations are relying on consent as their lawful basis, the request for consent needs to be explained in clear and plain language, separate from other terms and conditions. If any element of existing consent is vague or woolly, it will need to be refreshed.

Myth 3 – GDPR creates an unnecessary new burden on organisations


There’s no doubt that the new regulations demand more in terms of accountability for use of personal information. GDPR also improves the existing protection and rights of individuals.

But there have been data protection rules in place in the UK for over 20 years, and GDPR is simply building on these foundations.

If your organisation is already complying with the Data Protection Act 1998 then you are probably well on your way to being compliant with GDPR.

Most of the general principles remain exactly the same and have been in place for decades. The GDPR simply adds further levels of protection and transparency that will benefit us all.

Myth 4 – All breaches of personal data need to be immediately reported to the ICO

It is compulsory to report a personal data breach to the ICO, but only if it is likely to result in a risk to the rights and freedoms of individuals.

So unless the breach is likely to pose such a risk, you don’t need to report it to the ICO. You do, however, still need to record it internally: the GDPR requires organisations to document every personal data breach, including the facts, its effects and the remedial action taken, whether or not it was reported. If the breach is likely to result in a high risk to individuals, you must also tell the affected individuals directly.

Precisely what comprises ‘a risk’ is open to an element of interpretation, and there will be greater clarity once the new law is tested after 25th May.

Myth 5 – All details need to be provided as soon as a personal data breach occurs

If a personal data breach occurs and it needs to be reported, this must happen without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If you miss the 72-hour window you must explain the reasons for the delay.

Organisations are required to provide certain details when reporting a breach: the nature of the breach (including, where possible, the categories and approximate number of individuals and records affected), the contact details of the DPO or another contact point, the likely consequences, and the measures taken or proposed to address it. If all the details are not yet available, the information can be provided in phases as the investigation progresses.

The ICO won’t expect to be sent in-depth reports detailing all aspects of the breach at the outset, when an incident has only just been discovered or detected.

Myth 6 – If you fail to report a breach in time, then you can expect a fine and it will be huge

Under GDPR, fines will not always be issued for a minor infringement. If a financial penalty is handed out, it will be proportionate to the infringement committed, and failing to notify a breach on time is only one of the factors the ICO will weigh.

Fines are far less likely where organisations are open and honest about all elements of a breach and work closely with the ICO to understand and disclose the potential impact on the individuals involved.

“Tell it all, tell it fast, tell the truth.” – Elizabeth Denham

Myth 7 – Reporting a data breach is all about punishing organisations


The new law is all about encouraging companies and public bodies to improve their data security and their ability to detect breaches if they occur.

The objective of the GDPR is not to punish organisations but to help them better equip themselves to deal with security weak spots.

The ICO is aware that cyber criminals will continue to attack organisations’ systems and that reporting a data breach will not in itself halt illegal activity. But the new law should improve privacy protections and security levels across the board.

Myth 8 – GDPR is focused on May 25 2018 – it’s rather like the millennium bug


GDPR compliance is an ongoing journey and will need diligence and effort beyond the implementation date of 25th May 2018.

Unlike the millennium bug, GDPR is not a complete unknown, and there should be no nasty surprises for organisations that have put in the preparatory leg-work.

There will, however, be no grace period. The ICO is very clear on this: ‘There have been two years to prepare and the ICO will be regulating from this date.’

Myth 9 – Every organisation is required to appoint a Data Protection Officer (DPO)

Data Protection Officers are only mandatory for public authorities, and for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of personal data (such as health data) or data about criminal convictions.

If you don’t fall into any of these categories then you don’t need to appoint a DPO, although it is still good practice to make someone responsible for data protection compliance. If you do appoint a DPO voluntarily, the same GDPR requirements apply to the role as if the appointment were mandatory.

Last updated: 21st June, 2022
