Information Commissioner Elizabeth Denham is on the warpath against the myths surrounding the upcoming GDPR, which comes into force on 25th May 2018. Denham voiced her concern that the exaggerations are causing us to lose sight of the truth of GDPR: greater transparency, enhanced rights for citizens and increased accountability.
The Myth – The biggest threat to organisations from GDPR is massive fines
The Truth – Yes, under the GDPR the ICO will have the power to issue bigger fines than the current £500,000 maximum. The new maximum penalty has been increased to £17m or 4% of annual turnover. But Denham accuses the media of “scaremongering” when they say that the ICO will make examples of organisations for small infringements. She also states that the maximum fine will be used in exceptional cases only. The ICO has many other, less severe, tools which “are well suited to the task at hand and are just as effective”.
The Myth – You must have consent if you want to process personal data
The Truth – Consent has always been part of Data Protection law. GDPR simply clarifies that pre-ticked opt-in boxes cannot be used to indicate consent, and that it must be straightforward for people to withdraw their consent should they choose.
The Myth – I can’t start planning for the new consent rules until the ICO’s formal guidelines are published
The Truth – The final guidelines are due to be published in December, but Denham states that the ICO’s draft guidance is unlikely to change significantly in the final wording.
The Myth – All details of personal data breaches must be reported to the ICO immediately, and huge fines will be issued to organisations that don’t report on time
The Truth – Personal data breach reporting has always been best practice. Under the GDPR, breaches only need to be reported if the breach could pose a risk to people’s rights and freedoms. Breaches do not need to be reported immediately, but rather “without undue delay” and, where feasible, within 72 hours. Denham again reassures that fines will be proportionate and are only one potential outcome of infringement.
The Myth – GDPR is an unnecessary burden
The Truth – Without proper data protection procedures in place, all organisations risk damage to their customer relations and reputation, which will ultimately hurt their bottom line.
The GDPR simply demands more compliance with data protection and increased accountability; organisations being required to prove their compliance will in fact garner public trust and bolster company profits.