Many myths still surround the new regulation, so we have put together a GDPR summary explaining why each of the statements below is in fact a myth.
The biggest threat to business from the GDPR is the massive fines
According to the ICO, this law is not about fines, it is about putting the consumer and the ordinary person first. Yes, the ICO can fine companies up to £17 million or 4% of annual global turnover, whichever is higher, but it is not true that the ICO will be making examples of organisations for minor infringements, or that maximum fines will become the norm. The ICO prefers the carrot to the stick and is committed to guiding, advising and educating organisations on how to comply with the law under GDPR.
You must have consent if you want to process personal data
This myth lingers, all these months after GDPR. Pre-ticked opt-in boxes, silence or inactivity do not count as consent: it must be given by a clear affirmative action, and you must make it just as clear and easy for people to withdraw consent as it was to give it. What GDPR does is raise the bar to a higher standard of consent. Keep an audit trail: record when and how you got consent from an individual and what they were told at the time.
Remember that consent is only one way to comply with GDPR. There are five other lawful bases for processing that may be more appropriate: contract, legal obligation, vital interests, public task or legitimate interests. You must identify one of these before you start; without one you have no lawful basis to process anyone's data.
All personal data breaches will need to be reported to the ICO
Unless the breach is unlikely to result in a risk to people's rights and freedoms, you must report it to the ICO within 72 hours of becoming aware of it. If it is unlikely to result in a risk, you do not need to report it, but you must still record it in your own breach log, together with your reasons for not reporting.
If you don’t report in time, a fine will always be issued and the fines will be huge
The spirit of the transparency principle within GDPR is, "Tell it all, tell it fast, tell the truth." If you do just this, any fine will be proportionate; fines are not issued for every infringement and may, at times, be avoided altogether. Remember, be open and honest from the start.
All details need to be provided as soon as a personal data breach occurs
The main point about reporting is this: you need to do it straight away and you have to provide certain details (the nature of the breach, the likely consequences and the measures taken). If you do not have all the details available, the rest can be provided in phases without undue delay. The ICO does not expect a comprehensive report at the point an incident is first discovered or detected.
Data breach reporting is all about punishing organisations
No, this is incorrect. It is about raising the level of security and privacy protection across UK business as a whole. The regulator, the ICO, wants to make organisations better equipped to deal with security vulnerabilities. The Government and the ICO are simply pushing companies and public bodies to step up their ability to detect, contain and deter breaches.
GDPR is an unnecessary burden on organisations
No. The GDPR demands more of organisations in terms of accountability for their use of personal data, and it enhances the existing rights of individuals. This is a big opportunity to gain your clients' and suppliers' trust. By reducing the amount of personal data you collect and the number of people who have access to it, you improve privacy, security and data management at the same time. It is an opportunity to get your house in order and get rid of data you no longer need.
Everyone needs a Data Protection Officer
Nope, not everyone. A Data Protection Officer (DPO) must be appointed in the following cases: public authorities and bodies; organisations whose core activities involve regular and systematic monitoring of individuals on a large scale; organisations whose core activities involve large-scale processing of special category (sensitive) data or criminal conviction data. Otherwise, no, though appointing one is encouraged in the interests of good practice.
We have to get fresh consent from all our clients to comply.
GDPR sets the bar high for consent. It is important to check your process and your records to ensure that existing consent meets the GDPR standard. If it does, you're fine.
Note that if you have an existing relationship with clients who previously purchased from you, it may not be necessary to obtain fresh consent (the so-called "soft opt-in" for existing customers). This only holds if every message you send gives them a simple way to stop further contact (e.g. an unsubscribe link) and you honour it. If you are unsure how you collected the contact information in the first place, do not email those people to ask for fresh consent: that email is itself a marketing message you may have no lawful basis to send, and data whose origin you cannot account for should not be relied on at all.
Before sending emails, consider which is the most effective way to reach your client. It may not be via email, and please take a data protection by design approach.
One final point on this: you may feel you'll lose clients by bringing their consents up to the GDPR standard. In practice, a list of people who have actively said yes tends to engage better, and asking builds client trust.
Parental Consent is always required when collecting personal data from children.
Not so. Art. 8 only applies where you rely on consent to offer an online service directly to a child (under 16 in the GDPR itself, lowered to 13 in the UK by the Data Protection Act 2018). Processing based on compliance with a legal obligation, vital interests, or possibly even legitimate interests does not require parental consent. See Art. 8(1) if you don't believe me.
When relying on consent to process personal data, consent must be explicit
Wrong. For ordinary personal data, consent must be 'unambiguous', not 'explicit' (Art. 4(11)). Explicit consent is required where the data is special category (sensitive) data (Art. 9(2)(a)), for solely automated decisions with legal or similarly significant effects (Art. 22(2)(c)), and as a derogation for international transfers (Art. 49(1)(a)); in those cases an express opt-in statement is needed. For non-sensitive data, unambiguous consent will suffice. This allows consent to be given by a clear affirmative action other than ticking a box, such as an individual choosing a setting, provided the action is clearly indicative of their agreement to the processing; silence, pre-ticked boxes or inactivity never count.
Our suggestion is to record how, and when, you collect the personal data and which kind of consent you obtained. This gives equal clarity to the individual and the organisation.
Individuals have an absolute right to be forgotten
Unlike the right to opt out of direct marketing (Art. 21(2)-(3)), which is absolute, the right to erasure (Art. 17) applies only on specific grounds, for example where the data is no longer necessary for the purpose it was collected for, or consent has been withdrawn and no other lawful basis applies. It is also subject to exemptions (Art. 17(3)), such as a legal obligation to retain the data or its being needed for legal claims. Organisations may therefore continue to process data that remains necessary for the purpose for which it was originally collected, provided they still have a lawful basis under Art. 6 and, if special category data is concerned, a condition under Art. 9.
We can make GDPR make sense, so please call us for a chat on 0333 444 614 or get in touch by email.