When it comes to the General Data Protection Regulation, there is a lot of ‘news’.
But little in the way of hard facts. Facts around what compliance looks like; around exactly what firms need to do to avoid breaching the new EU regulation.
So here, we set out to separate the myths from the reality: GDPR myth-busting to give you the facts about the new rules.
What is the GDPR?
The General Data Protection Regulation comes into force in May 2018. We’ve explored what it means in previous blogs on preparing for GDPR and 10 things you need to know for successful GDPR compliance.
Now – with the deadline drawing closer, and misinformation continuing to cloud the facts – we thought it was worth looking at some myths on the regulation. The myths were first published in a series of blogs by the Information Commissioner, Elizabeth Denham, over the last couple of months.
What are the myths surrounding the GDPR?
- Myth 1: Fines are the biggest threat to organisations from the new regulation
Not true, says the Information Commissioner. The prospect of hefty fines may grab the headlines (firms can be fined a maximum of £17 million or 4% of turnover under the new law, with commentators suggesting that it has the potential to be the next PPI scandal). But the main driver for compliance should not be fines, but reputational risk.
The new law is, in the words of the ICO, ‘about putting the consumer and citizen first’. Firms need to put this at the heart of their compliance strategy, rather than focusing on potential penalties.
- Myth 2: You must have consent if you want to process personal data
Although consent is a big part of the regulation, the new rules simply enhance current approaches. This means – for example – that pre-ticked opt-in boxes are not a strong enough indication of valid consent.
GDPR requires that you make it easy for people to withdraw consent – using clear and plain language. If your existing consent doesn’t meet the new standards, you need to request it again.
But while this emphasis on compliant consent has put consent in the spotlight, consent isn’t the only way to comply with the GDPR.
What the regulation actually says is that the consent rules only apply if you are relying on consent as your basis to process personal data.
There are other lawful bases for businesses and organisations to process personal information. Alongside consent, there are five other lawful bases for processing data, and one of them may be more appropriate for your organisation.
It’s worth reading up on these to identify the lawful bases your organisation might have for processing data.
Whatever route you choose, your decisions will need to be documented so you can demonstrate to the ICO that you are correctly using the relevant lawful basis. But for you, it might not all be about consent.
- Myth 3: I can’t start planning for new consent rules until the ICO’s formal guidance is published
The blog acknowledges that many organisations are waiting until the final guidance on consent is published before deciding on an approach and putting plans in action.
The ICO is currently waiting for Europe-wide consent guidelines to be published before finalising its own guidance, for reasons of consistency. This is currently planned for December 2017.
There is already draft guidance on consent, released in the spring of this year.
Denham makes the point that when the final formal guidance on consent is published, it will only cover consent. So there’s also no reason not to get on with planning your approach to legitimate interests or any other lawful bases for processing.
- Myth 4: GDPR is an unnecessary burden on organisations
The ICO believes that ‘the new regime is an evolution in data protection, not a revolution’.
And while any new regulation will have an impact on an organisation’s workload, the Commissioner believes that ‘burden’ gives the wrong emphasis when preparing to comply.
The blog says that ‘If you are already complying with the terms of the Data Protection Act, and have an effective data governance programme in place, then you are already well on the way to being ready for GDPR’.
Of course, that doesn’t mean there’s no work to do. Even regulated firms will have new provisions to comply with. Making a start – if you haven’t done so already – should be a priority.
But as the blog states, ‘by and large, the new GDPR regime represents a step change, rather than a leap into the unknown’.
Do small businesses face a disproportionate workload?
Some of the falsehoods around the ‘burden’ relate to the relative workload for smaller businesses. But the ICO points out that the principles of compliance are basically the same regardless of organisation size.
In fact, the types of business and type of data processing are far more relevant than the size of the organisation when it comes to GDPR. A smaller business that handles sensitive personal data may pose a far higher risk than a huge one that doesn’t.
Embedding a culture of compliance is the key to success
The new regulation undoubtedly presents a challenge. But as the ICO points out, any firm acting with integrity towards its contacts, with strong compliance processes in place, should already be in a strong position. There will be changes needed. But many of the myths that swirl around the GDPR aren’t helpful.
Hopefully this blog has cleared up some of the misconceptions.
It’s clear that having an entrenched good governance approach within your firm is a big plus when it comes to complying with the new regulation. The ICO blog repeatedly talks about the need to comply as part of a customer-centric culture, echoing the FCA’s emphasis on deep-rooted ethical approaches.
At LS Consultancy, we offer a complete solution with a range of cost-effective regulatory compliance and marketing products and solutions, including copy advice, that are uniquely suited to supporting firms.