GDPR Myths: Sorting fact from fiction

Culture & performance






The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. As we are fast approaching the introduction of the legislation, the internet is currently awash with information about the changes it will bring. But it is worth keeping in mind that not everything you read or hear about GDPR is true.


Ultimately, GDPR places the onus on companies to understand the risks they create for others, and take steps to mitigate them. It’s about moving away from seeing the law as a box-ticking exercise, and instead working on a framework to build a culture of privacy that pervades an entire organisation.


Ian West, Director of Digital Information at Project One, featured on a previous episode of Venturi’s Voice podcast where he shared his views on how data shapes the world we live in. Recently, Ian has been involved in many projects focused on GDPR. So for this post, we caught up with him again to explore some common areas of misunderstanding around the incoming legislation.


Huge fines are the biggest threat to businesses


GDPR gives the Information Commissioner’s Office (ICO) the power to fine companies up to 4% of their global annual turnover or €20m – whichever is the higher. However, these kinds of fines will likely be very rare. They will only be applied to companies that blatantly ignore the law or fail to notify the ICO of privacy breaches that “affect people’s rights and freedoms.”


In a recent blog post the ICO made it clear that imposing huge fines will be a last resort. Suggestions that the ICO will be making examples out of companies for minor infringements or that massive fines will become the norm are just scaremongering.


“It is very unlikely that the one off breaches or first of a kind breaches will receive anything other than a small fine, in fact the regulator has said that fines will be appropriate and applicable to the nature and impact of the breach,” said Ian.


Instead of fines, the first-line sanctions the ICO will use to get companies to comply include warnings, reprimands and corrective orders. While such measures will not harm businesses financially, Ian was quick to point out that they won’t do their public image any favours.


“Reputational damage, loss of shareholder value, decline in customer confidence and customer numbers can have a far more draconian impact that any fine that could be imposed. Bad news tends to stick around for a very long time,” he said.


It’s all about hacking


Much of the press on this topic centres on hacking and GDPR breaches. But the scope of the legislation is much broader. For example, it currently costs £10 for individuals to get their data from organisations under data protection law. Under GDPR, this charge will be scrapped –  individuals can request a copy of their data for free.


As a result, organisations can expect more individuals wanting a copy of their data, including customers and employees both past and present. The time limit for responding to these requests is 30 days. Ian offered some thought-provoking insight into how this will alter the business landscape over the coming years.


“It is safe to say that any organisation with a large number of customers, especially end consumer customers, will see a significant rise in Data Subject Access Requests (DSARs). Companies that do not treat their clients well will also see a dramatic rise.


“I expect ambulance-chasing lawyers to get into this space offering no win no fee type activities and class action lawsuits against errant organisations. We will also likely see a rise in social media campaigns focused on bringing together disgruntled communities of people to place consolidated mass DSAR requests on badly performing companies,” he said.


Even top-performing companies will need to be prepared to handle an increased workload. In order to cope, appropriate strategies need to be put in place.


“Organisations should get their data in order to enable them to automatically answer DSAR requests. If you can get to a point where a single press of a key can provide all the consolidated data for a Data Subject, that would be best. Also build a DSAR management strategy and staff a team of people to focus on this. Plan for the worst and hope for the best!” said Ian.


Obtaining ‘consent’ is the only way to collect data


GDPR brings in more stringent rules about obtaining explicit consent to collect and process customer information. There is a new array of adjectives used to describe different forms of consumer consent  such as “explicit” “unambiguous” and “informed”. Understandably, many within the advertising industry are concerned about what this will mean for their business.


While consent is the most viable (and perhaps only) option when it comes to particular aspects of collecting personal data for advertising, the same is not true when collecting data for other purposes. In fact, there are six other ways GDPR allows for personal data to be collected and processed. Businesses need to examine the legislation and ascertain what legal basis they have to collect data.


Importantly, companies will also be held responsible for the way their collected data is shared and traded by their partners. Ian explained that this will add an additional layer of complexity on top of existing governance processes.


“This is one of the largest changes created by the GDPR legislation. Organisations tend to have reasonably good contracts with their suppliers and customers – but what they don’t have is any form of agreements with third parties that their suppliers or customers may use. A simple example is an organisation outsourcing their payroll to a payroll provider – an all too common scenario and nothing unusual. These outsourced arrangements are often covered by very comprehensive contracts.


“However, what happens if the payroll provider uses a cloud based service such as AWS or Azure? Does the original organisation (the data controller) have any understanding of the contract between the outsourcer and the cloud vendor? Usually not. Here we have the concept of Controller, Processor, and Sub-Processor and this leaves the controller wide open to breach threats which they have no contractual control over.  


“This is where business process management becomes a key facet of GDPR. Legal teams will have to look not only at their own contracts but all the contracts of their suppliers,” he said.


GDPR is a Europe-only issue


This is not true. GDPR will affect any company, irrespective of where they are located, if they offer goods or services to consumers in the EU. Therefore, almost all large enterprises fall within the scope of the legislation.


It is only IT departments who need to take action


Because GDPR is heavily linked with personal data, the word “data” tends to imply that this is some kind of IT issue. However, GDPR is a cultural change in terms of how organisations process personal data throughout the organisation. This means achieving compliance will need to be a team effort from all departments within the company.  If they haven’t already, board members should work with IT to initiate a company-wide conversation about the impact GDPR will have on each department.


“Every employee needs to be trained on what they can and cannot do with personal data. A member of staff perpetrating a data breach because “they didn’t know” or “they have always done it that way” just isn’t good enough. That sort of response will incur the wrath of the regulator and invite the higher percentage fines. Everyone needs to be aware of their own responsibilities when it comes to preventing breaches. For this to be done effectively it has to be communicated from the boardroom downwards,” said Ian.