There has been plenty of discussion about the EU General Data Protection Regulation (GDPR) over the past year or so, and – naturally – some commentary has been misleading or simply wrong.
Some of those misconceptions have been collected in a blog series published by the Information Commissioner’s Office (ICO). It clarifies that the GDPR won’t lead to:
The GDPR gives supervisory authorities the power to issue fines of up to €20 million or 4% of annual global turnover – whichever is greater.
This fact has been used to emphasise how important it is to comply with the GDPR. For instance, The Register claimed that, had the GDPR been in effect last year, fines levied against small and medium-sized enterprises would have had a “catastrophic” impact, potentially putting many of them out of business.
However, Elizabeth Denham, who heads the ICO, says financial penalties will be a last resort. This will almost certainly be the case for the majority of supervisory authorities, because although the GDPR aims to make organisations more accountable over handling personal data, in most instances that message can be made just as well with warnings, corrective orders and reputational damage.
This doesn’t mean that organisations don’t need to worry about being fined. There is no doubt that all supervisory authorities will be willing to levy big fines for flagrant breaches of the GDPR.
An overhaul of data protection practices
Some of the more hyperbolic commentaries on the GDPR suggest that organisations will be greatly restricted in what they can do. See, for instance, the Sun’s report that “[b]uilders, cleaners and gardeners could face huge fines just for sending an EMAIL”.
In truth, the majority of the GDPR’s requirements are similar to current data protection laws. The only thing that’s changed is that organisations need to emphasise data protection and give individuals greater control of their data. Organisations will certainly be allowed to send emails (and almost everything else that’s currently allowed), but they’ll need a legitimate reason to send the email, protect whatever information they have stored on the recipients and allow data subjects to access that information.
Many people we speak to are concerned about obtaining consent, so we explain that organisations don’t need to rely on consent to process data.
Consent is one of six lawful grounds for collecting personal data, but is the least preferable option. If you’ve used consent to collect data and then want to reuse that information for another purpose, you’ll need to ask for everybody’s consent again. Anyone who refuses to consent or doesn’t reply must be removed from your records.
Similarly, individuals are free to withdraw their consent at any time. This means you have to remove them from your records, and if you don’t, your organisation risks disciplinary action from the relevant supervisory authority.
However, there are times when consent is the most appropriate basis, so you need to be aware of your obligations.
Unrealistic data breach notification requirements
There has been a lot of confusion about the rules for reporting data breaches. As the ICO notes, plenty of commentators have incorrectly claimed that all breaches need to be reported and that the reports need to provide thorough details of the breach.
It will only be mandatory to report a personal data breach if it’s likely to result in a risk to people’s rights and freedoms. This covers significant economic or social disadvantages, such as discrimination, reputational damage or financial losses.
Organisations need to remember that if there’s a high risk to people’s rights and freedoms, they will also need to report the breach to the affected individuals.
Any breach that meets these requirements must be reported within 72 hours of discovery. This is why the report doesn’t need to include thorough details – at least initially. The GDPR understands that organisations won’t have all the facts by the deadline, but getting the basic facts down quickly expedites the process to recovery.
Within that deadline, organisations should at the very least be able to provide the potential scope and cause of the breach and the actions it plans to take to respond to and mitigate the problem.
Learn more about the GDPR
To find out more about how you can prepare for the Regulation, you should enrol on one of our GDPR training courses. Depending on your level of expertise, you might be interested in either:
These courses are available in both classroom and distance learning formats.
Book these courses together in our Combination Course and save 15%.