Whilst it has been two and a half years since the GDPR was implemented, misconceptions and myths about the GDPR are still rife. The GDPR and the Data Protection Act are, of course, comprehensive pieces of legislation, and not understanding them is natural for those who do not practise data protection law. However, misunderstanding something can sometimes be much more dangerous than not understanding it at all. To make matters worse, the UK’s protracted divorce from the European Union (EU) has caused considerable confusion among the public about what will and will not be in place after the UK formally leaves the EU on 31st December 2020.
We have compiled a list of myths surrounding the GDPR and also its relevance in a post-Brexit world.
1. The GDPR will not apply anymore after the UK leaves the EU.
This is technically true, but not in the way people think. The UK enacted the Data Protection Act 2018, which embedded the GDPR into UK law. The Data Protection Act 2018 mirrors the GDPR in many ways and will continue to exist after Brexit.
More importantly, however, the Keeling Schedule sets out the draft ‘UK GDPR’, which will be implemented in place of the GDPR. We have reviewed the draft ‘UK GDPR’, and the differences are, for all intents and purposes, very minor. What the ‘UK GDPR’ enforces (save for some minor details) is identical to the current GDPR.
For the majority of data subjects and of organisations that control and hold people’s data, the way they operate will remain very much the same after Brexit.
2. All breaches need to be reported to the ICO.
Data security breaches are not something to take lightly. They can be extremely serious, with dire implications both for the data subjects whose data is breached and for the organisations involved, which may be subject to ICO fines.
However, not every data breach needs to be reported to the ICO.
Recital 85 of the GDPR states that data controllers need to report data breaches to the ICO within 72 hours. However, it also states that there is no need to do so where
“the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”.
In practice, this means that where a data breach is so minor that it is unlikely to infringe on people’s rights and freedoms, you may not have to report it to the ICO, although getting professional advice when it comes to data breaches is always recommended.
This decision will need to be made by the appropriate people within an organisation. There should always be an investigation of a data protection breach, and the decision on whether or not it needs to be reported to the ICO should be based on the outcome of that investigation and on sound professional advice.
3. I need consent to be able to lawfully process data.
Some organisations seem to have tunnel vision about obtaining consent from data subjects for their activities, despite the fact that in many cases consent might not be the most appropriate basis for processing personal data. Since consent is just one of the lawful bases on which a data controller can process data subjects’ data, you may want to consider what else might be appropriate. You should always be careful not to confuse consent with transparency. Even in situations where consent is not the most appropriate lawful basis for processing personal data, you have an obligation to ensure that data subjects know exactly how their personal data is being processed and what rights they have in relation to that data.
Article 6(1) of the GDPR sets out the other lawful bases on which you can process personal data:
- Performance of a contract;
- Legal obligation;
- Protecting vital interests;
- Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Legitimate interests.
Article 9(2) of the GDPR sets out the conditions under which you can lawfully process special category (sensitive) data:
- Explicit consent;
- Necessary for carrying out the obligations of the controller in the field of employment, social security and social protection law;
- Protecting vital interests;
- Legitimate activities;
- Data made public by the data subject;
- Necessary for the establishment, exercise or defence of legal claims;
- Substantial public interest;
- Necessary for the purposes of preventive or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment, or the management of health and social care systems, on the basis of Union or Member State law;
- Public interest in particular areas;
- Necessary for archiving purposes in public interest, scientific or historical research purposes or statistical purposes.
4. Data protection compliance and information governance are a burden on my organisation and its resources.
It is a popular myth that data protection only applies to specific data-driven organisations. In fact, some organisations choose to turn a blind eye to data protection and information governance altogether. Ignorance may be bliss in some situations, but certainly not when it comes to fulfilling your responsibilities in data protection compliance and information governance, and the cost of that ignorance can be high. The legal framework exists for a specific reason and needs to be adhered to; otherwise, not only can an organisation face huge fines, but the damage to its reputation could potentially do more harm in the long run.
There are actually a number of commercial benefits to running a privacy-minded business. These are:
a) Customers are more likely to place their trust in companies who are transparent in how they use the personal data of their customers. In turn, this trust will translate to customer loyalty;
b) Companies who have better policies and data protection procedures in place are less likely to have to deal with complaints and/or disputes regarding personal data. This will lead to less time and resources being expended in managing avoidable situations;
c) Additionally, companies with better policies and data protection procedures in place are less likely to suffer data protection breaches. These breaches could lead to massive fines and ultimately distrust from customers.
5. Information which isn’t classified as ‘special category data’ isn’t ‘sensitive’.
Article 9(1) sets out certain categories which are considered to be ‘special categories’ of personal data. These are:
- Race/ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Sex life;
- Sexual orientation.
However, the fact that some personal data does not fit into the above list does not mean organisations can be any less careful with it or should not consider it ‘sensitive’. Organisations need to think about the potential impact on individuals’ rights and freedoms if that information were disclosed to a party who should not have access to it.
An example of this is financial or bank account details/records. This does not fit into the above list, but is obviously extremely sensitive and could have significant repercussions for the data subject if that information was leaked or disclosed where it should not have been.
Organisations need to be proactive and show initiative when dealing with personal data. There should be processes in place to ensure access is restricted and granted on a need-to-know basis, for example by enforcing role-based access control.