GDPR
Dispelling the myths of the GDPR
The General Data Protection Regulation (GDPR) is an EU law which will be enforced from 25 May 2018, replacing the Data Protection Directive, and extends the historical EU expectation that personal data be kept secure and holds an organisation accountable for data security.
While the principles are similar to those in the Data Protection Act (DPA), there are some additional requirements that UK companies need to be aware of, notably in compliance and consent. These changes apply mostly to companies who are contacting consumers and members of the public, so for those working on B2B, the changes aren’t as stringent. However, there are several myths circulating about GDPR compliance, four of which are outlined below.
GDPR means you need to change the way you hold data

The Information Commissioner’s Office (ICO), the regulatory body which oversees GDPR, has made it clear that the legislation does not demand a huge overhaul of a company’s data. The fundamentals remain the same as the DPA, with transparency, fairness and security at the heart of the rights of the individual whose data will be processed.

Consent is not the be all and end all

Consent remains a lawful basis to transfer personal data under the GDPR, and the new regulations will raise the standard for consent. However, many GDPR compliance guides state that “data can only be processed if explicit consent is given.” The GDPR clarifies that this only applies if you need consent to process data. ICO further explains that “consent is one way to comply with GDPR, but not the only way.” If there is a legitimate interest for an organisation to process data, then this is acceptable under GDPR.

The UK won’t have to comply with the GDPR because of Brexit

The GDPR applies to companies which offer goods or services to, or monitor, EU data subjects, and will still be in UK law after Brexit takes place on 29 March 2019. This has been clarified by the UK government.

The biggest threat to organisations is fines

The fines imposed are more than the DPA limit of £500,000, and companies could potentially face a maximum fine of £17 million or 4% of annual turnover. Nevertheless, ICO have made it clear that they see their role as foremost one of guidance and advice, and will not be making examples early on in the regulations.
The GDPR will mean companies have to undertake some changes. However, as long as companies safely and securely store their data, compliance with the new legislation will not be an overly burdensome process.
If you require assistance or have a query about how the regulations will impact you, ICO have a specialist helpline to deal with these matters, and can be contacted by going to www.ico.org.uk/global/contact-us
Covered Spring 2018