Thank you for contacting us.
We will get back to you as soon as possible.
GDPR Myths Busted
Although the General Data Protection Regulation, or “GDPR”, came into force last year (implemented by the Data Protection Act 2018) many businesses and organisations are still grappling with the implications the regulation has on their business. There have been a number of different approaches taken by businesses in the way they have chosen to implement GDPR and this has been underscored by conflicting advice. This blog addresses the five most common GDPR myths.
Myth number 1: GDPR is new
Data protection has been around for many years and data obligations were set out in the Data Protection Act 1998. The obligations on both businesses and employers that are enshrined within the GDPR and the new Data Protection Act 2018 are therefore largely an evolution of data protection that has already been in place.
A significant difference is that the enforcement actions and penalties which can be incurred for failing to comply with GDPR are now greater.
Myth number 2: You need consent in order to process personal data
We have all seen lots of media attention regarding consent to data processing and “opting in” to receive e-mails from businesses. In fact, under GDPR, and under the previous Data Protection Act 1998, there have always been a number of grounds on which an organisation can lawfully process personal data. Consent is just one of these. There are six grounds in total, including whether it is in the business’ legitimate interest to process data or if the processing is necessary for the performance of a contract. So, consent may not be needed. Businesses should identify the ground they rely upon to process each type of data they are collecting.
Myth number 3: Individuals have the right to be forgotten
Whilst GDPR does introduce the right of erasure, otherwise known as the right to be forgotten, this is not an unequivocal right. In particular, individuals have the right to have their data erased if their personal data is no longer listed for the purpose for which it was collected or processed, or if an individual objects to the processing of the data for direct marketing purposes, for example. However, the right to erasure does not apply if the processing is necessary to comply with a legal obligation or for the establishment exercise and defence of legal claims. There is therefore no general, overarching right to be forgotten under the GDPR.
Myth number 4: One size fits all when it comes to privacy statements
GDPR introduces the concept of “accountability” for compliance with the data protection principles. Part of this requires businesses to be transparent and inform data subjects about the data they are collecting about them, how they will process it and the grounds that they rely on to do this. Many businesses are updating or introducing privacy statements to comply, whether it is on their website or for their staff. It is a common misconception that one privacy statement is suitable for all purposes. This is counter intuitive to the purpose of GDPR which is to ensure that data subjects are aware of the data that is held about them and how it is being used. These privacy notices should be tailored to the data subject; the privacy notice that you actually put on your website will not be the same as the notice you provide employees as it will relate to different information.
Myth 5: You need to appoint a “Data Protection Officer”
This is not the case. A Data Protection Officer, or “DPO”, is only required for non public companies if your business’s core activity involves the large scale, regular and systematic monitoring of data or the large scale processing of special categories of data. Particular obligations and responsibilities are attached to the role of DPO and businesses should carefully consider and prepare prior to appointing a DPO for their business.
If you are in a business with any questions about data protection including whether you need to update your privacy notices, please contact Miranda Mulligan.
Please note the contents of this blog are given for information only and must not be relied upon. Legal advice should always be sought in relation to specific circumstances.