GDPR Fines! GDPR Fines! GDPR Fines! The war cry of solicitors and tech consultants across Europe for the past year has become so loud that it’s almost impossible to distinguish it from all the other noise on social media and in the news.
Despite all the huffing and puffing of these GDPR ‘experts’, there has been little substance or actionable advice in their messages and presentations, other than to sign up with them if you want to avoid costly penalties for non-compliance. In fact, much of the information they’ve pushed out is at best misleading and at worst completely incorrect. For those of you interested in discerning fact from myth, this piece is for you.
Robert Streeter, News UK’s Data Protection and Privacy Officer, emphasised the importance of separating fact from fiction regarding the regulation. He stated: “When you read about ‘expert’ comment on GDPR, I’d advise taking that with caution and examining your own approach to it. There’s a lot of misinformation circulating.”
Expanding on the ICO’s highly successful myth-busting blogs, this article looks at two of the most wildly misleading rumours circulating through compliance networks across the UK and Ireland.
What is GDPR?
The General Data Protection Regulation comes into effect in May 2018. The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.
- MYTH: The fines under the GDPR will be huge and the biggest threat for organisations.
FACT: The Information Commissioner’s Office (ICO) is keen to point out that the main purpose of the GDPR is to give data subjects more control over their own data and to determine how companies can use that data. The threat of substantial fines being imposed on your business is a great way for data protection consultants to drum up business. Although they are not technically lying about the size of the fines, what they omit are the criteria the ICO will use to assess whether a fine is the appropriate response. As the ICO has pointed out in the past, the fines are not the main purpose of the regulation; empowering the data subject is. GDPR is not designed to prevent businesses from being breached; it is designed to mitigate the impact of a breach on the data subject and to shorten your recovery period. If you are compliant then you are doing exactly what GDPR was designed to do, and you will most likely find a friendly, helpful ICO if any incident does occur.
However, as the Information Commissioner has pointed out in her recent blogs, the office now has the power to issue considerable fines, up to £17 million or 4% of turnover, for non-compliance. So, while the ICO has the authority to fine up to that amount, imposing huge fines will be a last resort, reserved for those companies that have not put appropriate measures in place to protect the personal data in their care, or that misuse the data for their own financial gain.
- MYTH: You must have consent if you want to process personal data.
FACT: Consent is a major part of the new regulation. However, the new rules simply enhance current approaches by making sure the data subject’s consent is given freely and that the data subject has been fully informed of the reasons the data is being requested and who will have access to it. For example, this means that pre-ticked opt-in boxes are no longer a strong enough indication of valid consent.
The GDPR requires that you make it easy for people to opt out or withdraw consent, using clear and simple language. The data subject needs to be given enough information about how their data will be used and by which companies (including your third-party processors) in order to ensure the consent is informed. If your existing consent fails to meet the new standards, you will need to request it again. Companies must remember that personal data may only be used for the purpose for which consent was given.
The ICO recently highlighted five other lawful bases under which the GDPR allows personal data to be processed. It’s important to know what your options are in relation to consent, but even more important to ensure you are obtaining and processing personal data in a way that is fully compliant with the regulation. You must understand your business reasons for using a data subject’s personal data and identify what data you actually need to provide your service. Identifying that data may seem like a major headache for you and your business right now, but minimising the data you hold could save you time and money in the long term, especially given storage costs.
Even if consent is not required, you must only use the data for lawful purposes and not try to sidestep the rights of the data subject, or our friendly ICO may not seem so friendly.
To summarise, there are a number of compliance frameworks companies can use to help keep them on the right side of the regulation, such as ISO 27001:2013 and BS 10012 PIMS, or you can simply develop your own in-house procedures. Most importantly, don’t give in to the hysteria so many ‘experts’ are trying to manufacture.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.