Myth-Buster: GDPR

Leading international law firm Mishcon de Reya sets the record straight on all you need to know about GDPR

Readers will be well aware that the GDPR (General Data Protection Regulation) comes into effect in UK (and EU) law from 25 May 2018. Many will have been making arrangements to be ready for that date. But, among all the noise being generated around the importance of compliance, a number of issues have become confused in people’s minds, leading to the evolution of some myths. The UK’s data regulator, the Information Commissioner (and the Commissioner’s Office, the ICO) has issued a myth-buster. Here, we consider three of the big myths that we regularly face.

1. Because fines can now be as high as €20million, fines will be as high as €20million.

The ICO has tried, perhaps somewhat unsuccessfully, to dampen down that fear. With the current cap of £500,000, there have been two £400,000 fines, most recently to CarphoneWarehouse for not taking sufficient care to prevent data breaches and before that, to Talk Talk after their much-publicised data breach. The ICO is trying to make it clear that just because it fined businesses £400,000 against a £500,000 cap, it is not going to be issuing €16million fines under GDPR. We can expect fines to reach £1m or £2m for really serious breaches, but do not anticipate that they will go beyond that for some time.

2. Businesses need consent to process personal data.

This is not true: they can rely on other lawful bases for processing personal data. Most importantly, they might have a legitimate interest in processing the data which is not outweighed by the individual’s data rights. So, for example, an estate agent instructed to sell a property can process data relating to people looking to buy properties without expressly obtaining their consent. Indeed, to force them to consent to processing before agreeing to share property particulars with them might mean the consent was not freely given. Consent, however, is required for direct email and SMS marketing unless a limited exemption applies. That limited exemption is where a business has collected personal contact details in the course of a sale of goods or services, it may send electronic marketing to that person for its same or similar goods or services. That is known as the ‘soft opt-in’.

3. The whole of the GDPR applies only to bigger businesses.

This is false, GDPR applies to all businesses, of whatever size. Although GDPR is effective from 25 May, no-one is expected to be ‘compliant’ on that date. Compliance is an ongoing journey, and businesses, which have had two years to prepare for implementation, will be expected to continue to work towards better compliance in the months to come. One of the key aspects of the GDPR is ‘accountability’. What that means is that businesses are expected to keep sufficiently detailed and contemporaneous records of their compliance, which does only apply to businesses employing more than 250 people.

Adam Rose is a data protection partner at Mishcon de Reya

This article was originally featured in The Informer. To read the full magazine, please click here.