GDPR Myth Busting by ICO - Part 1




With May 2018 fast approaching, GDPR is making headlines across the recruitment sector. At the same time there is a lot of misinformation about the GDPR, much of it repeated in the daily news coverage.

To set the record straight, the Information Commissioner's Office (ICO) has set out to debunk some of the more notable myths about GDPR in a series of blog posts clarifying common misconceptions. In her post on separating 'fact from fiction', UK Information Commissioner Elizabeth Denham cautions 'that not everything you read or hear about the GDPR is true'. She added:

"I'm worried that the misinformation is in danger of being considered truth.

“GDPR will stop dentists ringing patients to remind them about appointments” or “cleaners and gardeners will face massive fines that will put them out of business” or “all breaches must be reported under GDPR”. I’ve even read that big fines will help fund our work.

For the record, these are all wrong."

Myth #1: The biggest threat to organisations from the GDPR is massive fines.

Fact: Denham states ‘This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.’

Denham acknowledges that the ICO will have the power to impose fines far larger than the £500,000 limit set by the Data Protection Act, and that companies are fearful of the maximum of £17m or 4% of turnover under the planned UK data protection law. She nonetheless considers it scaremongering to suggest that the ICO will make early examples of organisations for minor infringements, or that maximum fines will become the norm.

She adds that issuing fines has always been, and will continue to be, a last resort.

Denham notes that while fines may be the sledgehammer in their toolbox, they have access to lots of other tools which include sanctions to help organisations comply – warnings, reprimands and corrective orders.

Myth #2: You must have consent if you want to process personal data.

Fact: The GDPR is raising the bar to a higher standard for consent.

Consent, which seems to be the most misconstrued part of the GDPR, is the next 'high-profile issue' addressed by Denham. She says: "the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you've got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now strongly emphasised. And you've got to make sure the consent you've already got meets the standards of the GDPR. If not, you'll have to refresh it".

She further clarifies that consent is not the only way to comply with the GDPR: there are five other lawful bases for processing personal data, for example the legitimate interests condition. Organisations wanting more information on this can already find guidance on legitimate interests under the current law on the ICO website, or from the Article 29 Working Party. The ICO is still finalising its guidance on consent, but Denham says 'there's no need to wait for that guidance. You know your organisation best and should be able to identify your purposes for processing personal information.'

The Commissioner reinforces that organisations will need to document their decisions to be able to demonstrate to the ICO which lawful basis justifies the data processing.

Myth #3: I can’t start planning for new consent rules until the ICO’s formal guidance is published.

Fact: If organisations are relying on consent, the ICO's "draft guidance on consent is a good place to start right now". The ICO expects to publish its final guidance on consent in December 2017, and the guidance is unlikely to change significantly from the draft in its final form.

Denham adds that the formal guidance, when published, will cover consent only; it will not include guidance on legitimate interests or any other lawful basis for processing.

Myth #4: GDPR is an unnecessary burden on organisations.

Fact: The new regime is an evolution in data protection, not a revolution.

Steve Wood, Deputy Commissioner (Policy) at the ICO, writes that GDPR is an evolution in data protection rather than a total revolution. It puts more responsibility and accountability on organisations for their use of personal data and enhances the existing rights of individuals. "GDPR is building on foundations already in place for the last 20 years".

If a company is already complying with the Data Protection Act, it is well on its way to being prepared for the GDPR. The ICO's 'Overview of the GDPR' and '12 steps to take now' documents explain where there is continuity, what is new and how to plan.

“Many of the fundamentals remain the same and have been known about for a long time. Fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data you want to process — these are all things you should already be doing with data and GDPR seeks only to build on those principles,” Wood further writes.

Whether you are a small business or a multinational corporation, the principles essentially remain the same. Wood suggests that SMEs should take practical, straightforward actions, and that the ICO's updated toolkit is a good starting point.

“Failing to get data protection right is likely to damage your reputation, your customer relationships and, ultimately, your finances. That goes way beyond increased fines – think brand damage and a subsequent loss of custom.”

Stay tuned for more on GDPR myth busting

In our next article, we will cover a few more myths dispelled by the ICO.

The QX team has been working hard to ensure that our clients and our business are prepared for GDPR before May 2018, and we have our own in-house IBITG certified GDPR practitioner to ensure we are GDPR ready ourselves. All our offices (UK and India) are ISO 27001:2013 and Cyber Essentials Plus certified (which covers almost 75% of GDPR requirements), so we are well on the way.
