Information Commissioner’s Office (ICO) dispels GDPR Myths
October 24, 2017
As you’ll have heard by now, from May 25 2018 the new EU General Data Protection Regulation (GDPR) will come into force. The GDPR has been designed to strengthen online privacy rights and covers everything from data sharing to consent for data collection, and it will impact any business, large or small, that processes or controls the data of individuals.
As we near May 2018, the news of GDPR has become a hot topic and alarm bells have started to ring with organisations searching for the facts that will help them prepare for the changes in regulation. Sadly, whilst there is a wealth of information available on the topic, not all sources have their facts straight.
Thankfully, the Information Commissioner’s Office (ICO) has stepped in with a series of blogs on the topic which help sort the myth from the fact. For those of you short on time, we have summarised myths 1 to 4 here, but urge you to visit the ICO’s blog site to read and absorb its advice in full.
The biggest threat to organisations from the GDPR is massive fines.
UK Information Commissioner, Elizabeth Denham, is keen to point out that the new law is not about fines, but is about “putting the consumer and citizen first.”
She explains: “It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the Data Protection Act (DPA) allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law.
“But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.
“The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”
Denham highlights that, of the 17,300 cases concluded by the ICO last year, only 16 resulted in fines for the organisations concerned.
She also advises that while the larger fines certainly indicate the increased importance attached to personal data in the 21st century, it is the whole range of tools available to the ICO that will enable it to deal with serious breaches “proportionately and judiciously”.
“Like the DPA, the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow. And you can’t insure against that”.
You must have consent if you want to process personal data.
While current data protection law requires a clear, affirmative action from the individual, the ICO explains that GDPR is now ‘raising the bar to a higher standard for consent’, meaning that pre-ticked opt-in boxes are no longer good enough.
As Denham says, “The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.”
However, despite the above being firmly focused on consent, Denham explains that consent is not the only way to comply with GDPR.
“Headlines about consent often lack context or understanding about all the different lawful bases businesses and organisations will have for processing personal information under the GDPR,” she says, noting that there are other lawful bases organisations can consider using under the GDPR.
“Local authorities processing council tax information, banks sharing data for fraud protection purposes, insurance companies processing claims information. Each one of these examples uses a different lawful basis for processing personal information that isn’t consent.”
The GDPR actually lays out five other ways of lawfully processing data, one of which may be more applicable to your business than consent. Visit the ICO’s website to read its guidance on the matter.
Once you have decided on the best way for your organisation to proceed, what is key is that you document these decisions so that you can show the ICO which lawful basis you’re relying on if questioned.
We must wait for ICO’s formal guidance before implementing new consent rules.
The ICO’s final guidance on consent is due to be published in December. However, you can make a head start now by reviewing ICO’s draft guidance on consent, which according to Denham, is unlikely to change significantly in its final form.
GDPR is an unnecessary burden on organisations.
Not so, says Steve Wood, Deputy Commissioner for Policy at ICO, who clarifies that the ‘new regime is an evolution in data protection, not a revolution’.
Wood explains that the GDPR simply builds on the fundamentals of the Data Protection Act (DPA), such as fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data you want to process, and that if your business already complies with the DPA and has effective data governance in place, then you are just a step away from GDPR compliance.
And while acknowledging that the new regulation will require organisations to make certain new provisions, Wood believes that there are opportunities to be had from the GDPR.
“Whatever the size of your organisation, GDPR is essentially about trust. Building trusted relationships with the public will enable you to sustainably build your use of data and gain more value. Through changing their data handling culture, organisations can derive new value from customer relationships.”
“Failing to get data protection right is likely to damage your reputation, your customer relationships and, ultimately, your finances. That goes way beyond increased fines – think brand damage and a subsequent loss of custom.
“The ICO’s annual research on privacy and data protection consistently shows that levels of public trust remain low. Conversely, it also shows that they would be more willing to provide their data, and for different uses, if they felt they could trust organisations to handle it fairly, securely and responsibly. And that provides a major opportunity and competitive advantage for those who can demonstrate that they get data protection right.”
Stay tuned for our next GDPR Myth Buster blog and if you’d like to speak to one of our expert lawyers about any concerns you have regarding the new EU GDPR, please do get in touch.
In light of the upcoming GDPR, we are updating our mailing lists and using the change in regulation as an opportunity to ask our clients and associates how they would like to hear from us and what they’d like to hear about.
All contacts who have not re-subscribed by May 2018 will be deleted from our database in line with new GDPR regulations.
Please note you can unsubscribe from our mailing list at any time, either by contacting us by email on firstname.lastname@example.org, by telephone on 01753 865165, by clicking the “unsubscribe” link on any emails you receive or by visiting our unsubscribe page.