General Data Protection Regulation (GDPR)
Please visit this page regularly for updates on this important piece of legislation, which will affect your business.
The first three updates are shown below in reverse chronological order and are dated 25th August 2017, 16th August 2017 and 10th August 2017.
GDPR is an evolution in data protection, not a burdensome revolution
By Steve Wood, ICO Deputy Commissioner (Policy)
Our new series of blogs aiming to bust some of the myths that have developed around the General Data Protection Regulation (GDPR) are proving incredibly popular and we are pleased that so many of you are finding them useful.
Here at the ICO, we took the view that it was time to sort the fact from the fiction before the new law comes into effect on 25 May 2018, given some of the misinformation and outright scaremongering out there – some of which, it must be said, seems commercially driven.
Our first two blogs covered the myths surrounding new fining powers and the issue of consent, and this week we want to talk about another widely held misconception – that the new regime is an onerous imposition of unnecessary and costly red tape.
GDPR is an unnecessary burden on organisations.
The new regime is an evolution in data protection, not a revolution.
Let’s start off by being totally up front here. Any regulation has some sort of impact on an organisation’s resources. That’s unavoidable and GDPR is no different to any other new legislation in that respect. But thinking about burden indicates the wrong mindset for preparing for GDPR compliance.
What must be recognised is that GDPR is an evolution in data protection, not a total revolution. It demands more of organisations in terms of accountability for their use of personal data and enhances the existing rights of individuals. GDPR is building on foundations already in place for the last 20 years.
If you are already complying with the terms of the Data Protection Act, and have an effective data governance programme in place, then you are already well on the way to being ready for GDPR. Our GDPR overview and 12 steps to take now documents explain where there is continuity, what’s new and how to plan.
Many of the fundamentals remain the same and have been known about for a long time. Fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data you want to process – these are all things you should already be doing with data and GDPR seeks only to build on those principles.
That doesn’t mean there’s any room for complacency. There are new provisions to comply with and organisations should start making preparations now, if they haven’t done so already. But by and large, the new GDPR regime represents a step change, rather than a leap into the unknown.
Much of the criticism about GDPR seems to have focused on the perceived burdens it will place on SMEs and smaller organisations. We have long recognised that SMEs may have limited time and resources for compliance and have acknowledged this in our regulatory approach. But many of these criticisms fail to recognise the flexibility that the key principles in the DPA and GDPR provide – they scale the task of compliance to the risk. Many of the principles reinforce tasks businesses will already undertake in relation to record keeping – e.g. the principle on data minimisation.
The principles are essentially the same whether you are a small business or a multinational corporation. Many of the actions SMEs should take are practical and straightforward – our updated toolkit is a good starting point.
It is not the size of the organisation that’s relevant so much as the risk that particular businesses and types of data processing pose – those handling particularly sensitive data, or processing personal data in potentially intrusive ways, for example.
Information management is key to compliance. Under GDPR, people will have strengthened subject access rights to the data you hold about them. This could well lead to more requests being received. So that’s a real burden, right?
Whatever the size of your organisation, GDPR is essentially about trust. Building trusted relationships with the public will enable you to sustainably build your use of data and gain more value. Through changing their data handling culture, organisations can derive new value from customer relationships.
Failing to get data protection right is likely to damage your reputation, your customer relationships and, ultimately, your finances. That goes way beyond increased fines – think brand damage and a subsequent loss of custom.
The ICO’s annual research on privacy and data protection consistently shows that levels of public trust remain low. Conversely, it also shows that they would be more willing to provide their data, and for different uses, if they felt they could trust organisations to handle it fairly, securely and responsibly. And that provides a major opportunity and competitive advantage for those who can demonstrate that they get data protection right.
Consent is not the ‘silver bullet’ for GDPR compliance
By Elizabeth Denham, Information Commissioner.
Last week I launched a series of blogs to bust some of the myths that have developed around the General Data Protection Regulation (GDPR).
Before the new law comes into effect on 25 May 2018, I feel bound to sort the fact from the fiction.
Because there is a lot of misinformation out there and for many who are new to data protection and the GDPR it’s creating uncertainty. Organisations that want to get it right – and we know that’s the majority – can sometimes feel like rabbits in the headlights, not knowing which way to leap.
Last week I set the record straight on our new fining powers.
My second blog tackles an equally high-profile issue – consent.
You must have consent if you want to process personal data
The GDPR is raising the bar to a higher standard for consent.
Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.
This has understandably created a focus on consent.
But I’ve heard some alternative facts. How “data can only be processed if an organisation has explicit consent to do so”.
The rules around consent only apply if you are relying on consent as your basis to process personal data.
So let’s be clear. Consent is one way to comply with the GDPR, but it’s not the only way.
Headlines about consent often lack context or understanding about all the different lawful bases businesses and organisations will have for processing personal information under the GDPR.
Not only has this created confusion, it’s left no room to discuss the other lawful bases organisations can consider using under the new legislation.
For processing to be lawful under the GDPR, you need to identify a lawful basis before you start.
Local authorities processing council tax information, banks sharing data for fraud protection purposes, insurance companies processing medical information.
Each one of these examples uses a different lawful basis for processing personal information that isn’t consent.
The new law provides five other ways of processing data that may be more appropriate than consent.
‘Legitimate interests’ is one of them and we recognise that organisations want more information about it. There is already guidance about legitimate interests under the current law on the ICO website and from the Article 29 Working Party. We’re working with the other European authorities to publish guidance on it next year.
But there’s no need to wait for that guidance. You know your organisation best and should be able to identify your purposes for processing personal information.
Whatever you decide, you’ll need to document your decisions to be able to demonstrate to the ICO which lawful basis you use. Data protection impact assessments will be able to help you with the task of understanding how you can meet conditions for processing and make your business more accountable under the GDPR.
But if you are relying on consent, I want to explode another myth that organisations can only start their preparations once the ICO has published guidance.
I can’t start planning for new consent rules until the ICO’s formal guidance is published
I know many people are waiting for us to publish our final guidance on consent. Businesses want certainty and assurance of harmonised rules. Waiting until Europe-wide consent guidelines have been agreed before we publish our final guidance is key to ensuring consistency. The current timetable is December.
But the ICO’s draft guidance on consent is a good place to start right now. It’s unlikely that the guidance will change significantly in its final form. So you already have many of the tools you need to prepare.
Finally, when we do publish our formal guidance on consent, it will not include guidance on legitimate interests or any other lawful bases for processing. It’s guidance on consent and will only cover consent.
Our series will continue next week.
GDPR – sorting the fact from the fiction
By Elizabeth Denham, Information Commissioner.
The General Data Protection Regulation comes into force on 25 May 2018.
That’s not new news. But it is a fact.
It’s also fact that not everything you read or hear about the GDPR is true.
For the most part, writers, bloggers and expert speakers have their facts straight. And what they say – and sometimes challenge – helps organisations prepare for what’s ahead.
And there’s a lot to take in. The Data Protection Bill announced this week gives more detail of the reforms beyond the GDPR, for example.
But there’s also some misinformation out there too. And I’m worried that the misinformation is in danger of being considered truth.
“GDPR will stop dentists ringing patients to remind them about appointments” or “cleaners and gardeners will face massive fines that will put them out of business” or “all breaches must be reported under GDPR”. I’ve even read that big fines will help fund our work.
For the record, these are all wrong.
If this kind of misinformation goes unchecked, we risk losing sight of what this new law is about – greater transparency, enhanced rights for citizens and increased accountability.
So, I want to set the record straight. I want to bust the myths. Because I know that most organisations want to get the GDPR right when it comes into force in 289 days.
This is the first in a series of blogs to separate the fact from the fiction. We’ll be publishing future myth-busting blogs on consent, guidance, the burden on business and breach reporting.
The biggest threat to organisations from the GDPR is massive fines.
This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.
Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.
And that concerns me.
It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law.
But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.
The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.
Our Information Rights Strategy – a blueprint for my five-year term in office – confirms that commitment.
And just look at our record:
Issuing fines has always been and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.
And we have yet to invoke our maximum powers.
Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense.
Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st century world.
But we intend to use those powers proportionately and judiciously.
And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.
Like the DPA, the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket, their reputations will suffer a significant blow.
And you can’t insure against that.