GDPR 2 months on: Myths busting
We have all been living with GDPR for two months now, so I thought it was time to take stock and see how the reality of GDPR is stacking up against some of the myths still circulating now that we're settling into this brave new post-GDPR world.
Myth: "GDPR is all about huge fines & red tape"
Reality: OK, so the stick is absolutely there: the Information Commissioner's Office (the ICO) can fine companies millions, or 4% of turnover in the most severe cases. But the ICO don't lead with that. They want businesses to comply and to get on board with the intent of this legislation, which is about upholding individuals' rights and organisations taking the right steps to protect the personal data in their care. GDPR is simply building on the foundations of Data Protection and the spirit of fairness, transparency, accuracy and security for the rights of the individual. That all said, GDPR is a step change, and while we all get to grips with the new practices, change does bring disruption and there's work to do for many:
“The regulation, which gave all EU citizens unprecedented rights to access their personal data held by any business around the world, has placed a huge administrative burden on many companies and organisations. Facebook, Marriott, Netflix and Yoox Net-a-Porter have recorded surges in the number of requests they have received, with data officers said to be swamped by the deluge.” (Shaun Hurst, The Times)
Myth: "Anyone can be a Data Protection Officer (DPO)"
There still seems to be a lot of confusion and indeed misinformation about this one. You are mandated to appoint a DPO if you are a public authority or body; your core activities require large scale, regular and systematic monitoring of individuals; or your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences. Dentists with NHS clients will need a DPO, for example. However, it’s a myth that anyone can be a DPO for two important reasons:
- independence: “the DPO cannot hold a position within your organisation that leads him or her to determine the purposes and the means of the processing of personal data. At the same time, the DPO shouldn’t be expected to manage competing objectives that could result in data protection taking a secondary role to business interests.”
- knowledge and expertise: “you should appoint a DPO on the basis of their professional qualities, and in particular, experience and expert knowledge of data protection law.” (ICO). Considering the complexity of the legislation and the need to understand technology, privacy risk and be able to train and audit; it can be a hard role to properly fulfil.
This is why Sympatico offer 'The Independent DPO': a flexible and efficient outsourced model for businesses that don't want to or can't hire the role in, or for whom adding the responsibilities to an existing member of the team would cause a conflict of interest or a skills gap.
Myth: "Consent is the only lawful basis for data collection"
This one was doing the rounds a lot at the beginning of the year, but remarkably I still come across it. Consent (which is now held to a higher standard under GDPR) is just one of the six lawful bases for data processing under GDPR. The new law provides five other bases for processing data that may be more appropriate than consent: legitimate interests, contract, legal obligation, public task and vital interests. For processing to be lawful under the GDPR, you need to identify a lawful basis before you start.
Myth: "GDPR is all about emails and marketing"
Yes, it's important to ensure you have the proper legal bases for your marketing data and that your CRM supports that, but GDPR is so much more than email marketing. The regulation recognises the value of personal data and seeks to protect it as it flows through an organisation, and externally where there are transfers to suppliers and for sub-processing. It's about accountability for taking proper care of that data, keeping it safe and secure, and being able to uphold individuals' rights. That's why it touches on HR, operations, your contracts, your supply chain, your IT and digital approach, and importantly your processes when it comes to information governance. GDPR requires you to get your house in order as a business and to look to the future, so that you have the technology, culture and systems in place to keep security at the heart of your operations. And that's why this law, and the respect for personal data it implies, is so important in the information age.
So overall, two months on, there is still a long way to go before the true spirit of GDPR is fully embraced and embedded in organisations across the UK.