Setting the record straight on GDPR

Victoria Cetinkaya, senior policy officer for Public Sector Engagement at the Information Commissioner’s Office (ICO), looks at the main aims and principles of GDPR, and dispels some of the recent misconceptions

Not everything you read or hear about the new General Data Protection Regulation (GDPR) is true. For the most part, writers, bloggers and expert speakers have their facts straight. And what they say – and sometimes challenge – helps organisations prepare for what’s ahead.

But there’s some misinformation out there too. Examples we’ve seen include ‘GDPR will stop dentists ringing patients to remind them about their appointments’ and we’ve even heard people saying that big fines will fund our work. If this sort of misconception goes unchecked, people lose sight of what the new law is about – greater transparency, enhanced rights for citizens and increased accountability.

The level of detail you need about the GDPR will depend on your job but the key principles apply across all sectors and all levels of staff. That means looking after people’s information, being transparent about what you’re doing with it and keeping their privacy rights in mind from the start of any project.

Many of the GDPR’s main aims and principles are the same as those in the Data Protection Act. So if you’re complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from.

However there are new elements and some significant enhancements, so you will have to do some things for the first time and some things differently. The GDPR will include new obligations for organisations – such as reporting data breaches that pose a risk to individuals to us at the ICO, and in some cases to the individuals affected.

Another key change for organisations is understanding the new rights for the public. Consumers and citizens will have stronger rights to be informed about how organisations use their personal data. They’ll have the right to request that personal data be deleted or removed if there’s no compelling reason for an organisation to carry on processing it, and new rights around data portability and how they give consent. There’s a view from some that the new regime is an onerous imposition of unnecessary and costly red tape.

That’s not the case. GDPR is an evolution in data protection, not a revolution.

Busting misconceptions
It’s this kind of myth we at the Information Commissioner’s Office (ICO) are working to bust as we try to help organisations sort GDPR fact from fiction:

Myth: The biggest threat to organisations from the GDPR is massive fines.

Fact: This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or four per cent of turnover allowed under the new law.

But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm. The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.

Myth: You must have consent if you want to process personal data.

Fact: Headlines about consent often lack context or understanding about all the different lawful bases businesses and organisations will have for processing personal information under the GDPR. Consent is one way to comply with the GDPR, but it’s not the only way.

The new law provides five other ways of processing data that will in many cases be more appropriate than consent for public bodies. If you do need to rely on consent for any processing, the GDPR is raising the bar to a higher standard for consent. Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.

Myth: All personal data breaches will need to be reported to the ICO.

Fact: It will be mandatory to report a personal data breach under the GDPR if it’s likely to result in a risk to people’s rights and freedoms. So if it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report.

Under the current UK data protection law, most personal data breach reporting is good practice but not compulsory. And although certain organisations are required to report under other laws, like the Privacy and Electronic Communications Regulations (PECR), – mandatory reporting of a personal data breach that results in a risk to people’s rights and freedoms under the GDPR will be a new requirement for many.

The threshold to determine whether an incident needs to be reported to the ICO depends on the risk it poses to people involved. Pan-European guidelines will assist organisations in determining thresholds for reporting, but the best approach will be to start examining the types of incidents your organisation faces and develop a sense of what constitutes a serious incident in the context of your data and your own customers.

And organisations need to remember that if there’s the likelihood of a high risk to people’s rights and freedoms, they will also need to report the breach to the individuals who have been affected.
We’ve provided some initial guidance in our GDPR overview that high risk situations are likely to include the potential of people suffering significant detrimental effect – for example, discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage.
If organisations aren’t sure about who is affected, the ICO will be able to advise and, in certain cases, order them to contact the people affected if the incident is judged to be high risk.

The main aim of the ICO is to help organisations get it right when it comes to using personal data – and that includes preparing for GDPR. There’s a wealth of material on our website to help.