With the EU GDPR two-year implementation period ending on the 25th May 2018, activity is expected to intensify to meet the legislation in the next couple of months. Des Ward, Information Governance Director of Innopsis, the industry association for suppliers of digital infrastructure and services to the public sector, believes that there is a great deal of misunderstanding around the changing landscape for telecoms suppliers and their customers. Below he sets out and dispels ten myths concerning GDPR.
- The regulations cover all personal data, not just personally identifiable information. People talk about Personally Identifiable Information (PII) in the same context as GDPR. While many people are simply using this as short-hand for personal data, it can actually cause issues when scoping your compliance activity. PII concerns itself with a limited set of personal data that can directly identify someone (e.g. name, address, date of birth, etc.), whereas Article 4 (and Recital 26) of the GDPR contains a far wider definition that includes metadata and ancillary information (e.g. networking details, cookies, etc.) commonly found during digital transactions.
- Using encryption/pseudonymisation isn’t the answer (on its own). While encryption and pseudonymisation are commonly mooted as a means to reduce the scope of where GDPR requirements apply, care should be taken to refer to Recital 26 (discussing the effectiveness of encryption and pseudonymisation in reducing the linkage to personal data) and the guidance on breach notification from the Article 29 Working Party (discussing how flaws in the implementation, or current/future weaknesses, could result in a reclassification of encrypted personal data and require notification of a breach even if it happened in the past).
- It’s not a security thing…it’s a governance thing. Many commentators talk about the GDPR as a security exercise, yet only 3% of the GDPR is concerned with information security as we understand it today. You have to understand the risks around confidentiality, integrity, availability and resilience, but also the risks to the rights and freedoms that you face for services that process personal data, as well as how your current activities address those challenges.
- Managing risk creates opportunities as well as reducing threats. The UK Government’s Orange Book on Risk Management states: “Risk is defined as this uncertainty of outcome, whether positive opportunity or negative threat, of actions and events. The risk has to be assessed in respect of the combination of the likelihood of something happening, and the impact which arises if it does actually happen”. Indeed, we shouldn’t only focus on the negative impact from failing to comply with the GDPR – it’s possible to achieve positive outcomes through better understanding of information.
- Consent is the last resort, not the first. When people discuss the lawfulness of processing, they often discuss the requirement for consent. While consent can be a useful tool to determine if you are able to process personal data, it should be considered as the last resort when determining why you are processing information. Withdrawal of consent may prevent you from undertaking your legal obligations (e.g. responding to lawful enforcement and managing financial transactions) or monitoring the security of systems. Consent is also unlikely to be something that can be relied upon when a data subject has no choice but to use your service. You need to be clear on the purposes for processing personal data; you must ensure that consent (if required) is captured for each purpose, prior to processing. Consent must be distinct and not obtained just by agreeing to a contract or terms and conditions.
- Data processors cannot state they were simply “following orders”. The GDPR has been described by Information Commissioner Elizabeth Denham as “an evolution, not a revolution” in data protection law but, in one area, it will fundamentally change. Until now, all responsibility and liability for compliance has rested with the data controller, but GDPR introduces the concept of “processor liability”. It formalises the compliance requirements of suppliers that process personal data as data processors on behalf of data controllers. Although a breach of the Data Protection Act would likely result in the supplier being implicated anyway, it was the controller themselves who were directly responsible. Data controllers must provide written instructions on how processing must be conducted, and only use processors that can provide sufficient guarantees that the GDPR shall be complied with, otherwise they are still fully liable for any issues arising from the data processor’s activities.
- Fines are not the only risk you face (don’t believe the hype). It is often argued that the reason for conforming with the governance requirements of the GDPR is the large fines that can be applied. However, the ICO has made it clear that the multi-million figures being mooted are not likely to transpire. This is not to say that there will be no financial penalty for failing to comply with basic requirements for information governance, but there are also other risks. For example, the impact from class actions could be significant. We’ve seen that a controller can be held accountable for failures in the wider legal framework outside of the data protection requirements.
- Compliance with GDPR presents a great business opportunity. Through the better understanding of information that results from complying with GDPR, we can address a very real issue: recent estimates suggest that 54% of data is unknown in terms of its contents (also called dark data), resulting in resources being wasted on protection and storage. GDPR compliance means we can not only embrace Cloud computing but also address the amount of unknown information held within our datasets through effective risk management and governance. Addressing this will not only result in compliance, but also reduce costs and deliver opportunities.
- This isn’t new! Scoping and consent regarding processing of personal data have been applied within the current Data Protection Act 1998 and Privacy of Electronic Communications Regulation 2003 respectively, and are further reinforced through case law. There are very few truly new areas to GDPR, and even some of those are already required within the wider requirements of legislation such as the Companies Act 2006.
- There are no ICO-certified GDPR professionals or courses. Don’t spend money on consultants claiming either that they are certified GDPR professionals or that they provide a service that can make you compliant – these are fallacies! In order to get the right guidance, you need to read the GDPR, monitor the Article 29 Working Party guidance and subscribe to the ICO blogs. The ICO guidance has been circulated to the Cabinet Office SME panel, and contains a list of 12 steps to take now, a self-assessment checklist and a helpline for SMEs.