Fact or fiction? 8 common GDPR myths

15 Mar 2018

Separating fact from fiction when it comes to GDPR. Image: SvetaZi/Shutterstock

Henry Cazalet of The SMS Works discusses some of the most common misconceptions around the upcoming GDPR.

As GDPR frenzy hits fever pitch, the UK Information Commissioner’s Office (ICO) is keen to quash some of the more outlandish myths that have been swirling around.

As Elizabeth Denham, UK information commissioner, put it: “I want to set the record straight. I want to bust the myths. Because I know that most organisations want to get GDPR right when it comes into force.”

Myth 1: The biggest threat to organisations from GDPR is massive fines

Fact: This law is not about fines. It’s about putting the consumer and citizen first.

It’s certainly true that under GDPR, the ICO will have the power to fine companies up to £17m (€20m) or 4pc of global annual turnover, whichever is higher. But it’s scaremongering to suggest that the ICO will make early examples of organisations for minor infringements, or that maximum fines will become the norm.

The ICO is committed to guiding, advising and educating organisations about how to comply with the law under the GDPR.

The ICO has always preferred the carrot to the stick.

Myth 2: You must have consent if you want to process personal data

Fact: Consent is only one lawful basis for processing, but where you do rely on it, the GDPR raises the bar to a higher standard.

The new rules clarify that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent.

Consent needs to be explained in clear and plain language, and organisations need to make sure that their existing consent meets the standards of GDPR, or it will need to be refreshed.

Consent is one way to comply with the GDPR, but it’s not the only way.

For processing to be lawful under GDPR, you need to identify a lawful basis before you start, and you should document that choice. The new law provides five other lawful bases that may be more appropriate than consent: performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests.

Myth 3: GDPR is an unnecessary burden on organisations

Fact: The new regulation does demand more of organisations in terms of accountability for their use of personal data, and it enhances the existing rights of individuals.

GDPR is simply building on foundations already in place for the last 20 years. If your organisation is complying with the terms of the Data Protection Act 1998 and has an effective data governance programme in place, then you are already well on the way to being ready for GDPR.

Many of the fundamentals remain the same and have been known about for a long time – fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data you want to process.

Myth 4: All personal data breaches will need to be reported to the ICO

Fact: It will be mandatory to report a personal data breach to the ICO under the GDPR, but only if it’s likely to result in a risk to people’s rights and freedoms.

So, if it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report it to the ICO. You must still record every breach internally, including the facts, its effects and the remedial action taken, so that the ICO can verify the decision not to report. And where a breach is likely to result in a high risk to individuals, the GDPR also requires you to tell the affected individuals themselves without undue delay.

Myth 5: All details need to be provided as soon as a personal data breach occurs

Fact: If a personal data breach needs to be reported, it needs to happen without undue delay and, where feasible, not later than 72 hours after the organisation has become aware of it.

Organisations will have to provide certain details when reporting (the nature of the breach, the categories and approximate number of people and records affected, the likely consequences and the measures taken), but the GDPR says that where the organisation doesn’t have all the details available, the information can be provided in phases.

The ICO will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident.

Myth 6: If you don’t report in time, a fine will always be issued and the fines will be huge

Fact: Fines under the GDPR will be proportionate and not issued in the case of every infringement.

Fines can be avoided if organisations are open and honest and report without undue delay, which fits with the basic transparency principles of the GDPR.

“Tell it all, tell it fast, tell the truth,” says Elizabeth Denham.

Myth 7: Data breach reporting is all about punishing organisations

Fact: The new law is designed to push companies and public bodies to step up their ability to detect and deter breaches. What is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities.

The ICO understands that there will be attempts to breach organisations’ systems, and that data breach reporting will not miraculously halt criminal activity. But the law will raise the level of security and privacy protections across the board.

Myth 8: GDPR compliance is focused on a fixed point in time, like the Y2K Millennium bug

Fact: GDPR compliance will be an ongoing journey. Unlike planning for the Y2K deadline, GDPR preparation doesn’t end on 25 May 2018; it requires continuing effort. Nor is the GDPR a complete unknown in the way Y2K was. That said, there will be no ‘grace period’: organisations have had two years to prepare, and the ICO will be regulating from that date.

By Henry Cazalet

Henry Cazalet is director and co-founder of The SMS Works, which provides a low-cost and reliable SMS API for developers. He’s been involved in the world of business SMS and mobile marketing since 1999.