GDPR update: IGA support and GDPR myths debunked
Your business must comply with the General Data Protection Regulation (GDPR) by 25th May 2018, and this deadline is fast approaching.
You should now have received your Garage Guide to GDPR through the post and be working your way through the twelve sections, putting new processes in place to protect your customers’ data. If you’re not compliant in time, you could be liable to a fine of up to 4% of your turnover.
Remember, if you would like further assistance with GDPR compliance, we are also offering the following additional field-based support services:
- Half day Gap Analysis for £245
- Full day GDPR Quality Assurance certification audit for £395
- GDPR consultancy at £245 per half day or £395 per full day
Please call the member helpline on 0845 305 4230 for more information.
The Information Commissioner’s Office (ICO), the UK’s independent body set up to uphold the public’s information rights, has debunked the most common myths and worries that businesses have about compliance, many of which stem from misinformation spread across the internet.
The myths and the facts behind them are summarised below; the full articles are available on the ICO’s blog.
“The biggest threat to organisations from the GDPR is massive fines”
Fact: The ICO clearly says that the new GDPR is not about fines, but rather about ‘putting the consumer and citizens first’.
It is true that the ICO will have the power to impose fines much bigger than the £500,000 limit currently imposed by the Data Protection Act. In fact, under the new GDPR maximum fines will equate to £17 million or 4% of turnover. However, issuing fines is a last resort for the ICO.
The ICO intends to use those powers ‘proportionately and judiciously.’ There are various other sanctions that can help organisations comply; these include warnings, reprimands and corrective orders. Although these are not economically damaging, the reputation of the organisation involved will suffer significantly.
“You must have consent if you want to process personal data.”
Fact: The ICO explains that ‘consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent.’ Under the GDPR, organisations must also make it easy for people to exercise their right to withdraw consent.
The language used to explain consent must be clear and plain. Plus, organisations must ensure that the consent previously obtained already met the standards of the GDPR. Otherwise, it must be refreshed.
It is important to note that consent is not the only way to comply with the GDPR. There are five other lawful bases for processing data that, depending on the context, may be more appropriate than consent. It is crucial that organisations document the decisions they make so that they can demonstrate to the ICO which lawful basis they relied on. Data protection impact assessments can help in this case.
If you are relying on consent, there is another myth that the ICO wants to bust…
“I cannot start planning for new consent rules until the ICO’s formal guidance is published.”
Fact: The ICO is waiting until Europe-wide consent guidelines have been agreed before publishing its final guidance, to ensure consistency. However, it has already published draft guidance on consent, which is unlikely to change significantly and provides organisations with many of the tools they need.
“GDPR is an unnecessary burden on organisations.”
Fact: ‘The new regime is an evolution in data protection, not a revolution’, the ICO blog reads. If organisations are compliant with the terms of the current Data Protection Act and already have a solid and effective compliance programme in place, then they are already ‘well on the way to being ready for GDPR.’
The ICO adds, ‘Fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data you want to process are all things you should already be doing with data and GDPR seeks only to build on those principles.’ These principles are essentially the same whether you are a small business or a multinational corporation.
Information management is key to compliance and, under GDPR, ‘people will have strengthened subject access rights to the data organisations hold about them.’
“All personal data breaches will need to be reported to the ICO.”
Fact: It will be mandatory to report a personal data breach under the GDPR if it is likely to result in a risk to people’s rights and freedoms. Under the current UK data protection law, most personal data breach reporting is not compulsory.
If there is the likelihood of a high risk to people’s rights and freedoms, organisations will also need to report the breach to the individuals who have been affected. High risk situations may include, for example, potential discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage.
If organisations are not sure about a specific case, the ICO will be able to advise.
“All details need to be provided as soon as a personal data breach occurs.”
Fact: Organisations must report a personal data breach ‘without undue delay and, where feasible, not later than 72 hours after having become aware of it.’
Organisations must provide certain details when reporting, but if the organisation does not have all the details available, more can be provided later. Some of the elements the ICO will want to know include: the potential scope and the cause of the breach, mitigation actions that organisations plan to take, and how they plan to address the problem.
“If you do not report in time, a fine will always be issued and the fines will be huge.”
Fact: The ICO has made clear that fines will be proportionate and will not be issued for every infringement. However, it is true that the ICO will have the ability to issue fines for failing to notify and for failing to notify in time. In the ICO’s words, organisations that systematically fail to comply with the law must know that it has that sanction available.
‘Tell it all, tell it fast, tell the truth.’
“Data breach reporting is all about punishing organisations.”
Fact: The main objective of GDPR is not to punish organisations, but ‘to make them better equipped to deal with security vulnerabilities.’ Although data breach reporting will not halt criminal activity, the law will raise the level of security and privacy protections. The new legislation is ‘focused on giving consumers more control over their data and increasing the accountability of organisations.’
Organisations must ensure that they have the roles, responsibilities and processes in place for reporting. Over the coming months, the ICO will introduce a new phone reporting service to enable businesses and organisations to report data breaches. This, alongside the website, will provide organisations with a quicker and easier way of reporting to the ICO.