GDPR Myth Busting – The ICO will impose massive fines for data breaches

The Information Commissioner can issue a monetary penalty for failing to comply. There are two tiers:

1. The higher tier is €20 million or 4% of total annual worldwide turnover, whichever is higher. This applies to any failure to comply with the data protection principles, with the rights of individuals, or with the rules on transfers of personal data overseas.

2. For infringements of other provisions, the standard maximum applies, which is €10 million or 2% of total annual worldwide turnover, whichever is higher.

You are likely to incur the wrath of the ICO if you persistently, deliberately or negligently flout the regulations or misuse data. The ICO has stated that this will particularly apply to large companies in the technology sector. However, many small firms fear the ICO will be heavy-handed in dealing with non-compliance. The Information Commissioner herself has said that small businesses which do not make extensive use of customer data will not come under close scrutiny.

Accountability is one of the key data protection principles – this means that you must be able to demonstrate your compliance. For most small businesses this means you should identify your Information Assets and record what Personal Data is held, where it came from, who you share it with and what you do with it in an Asset Register.

GDPR Myth Busting – If we receive a deletion request we have to delete everything about them

The Right to be forgotten (or the right to erasure) is not an absolute right and does not apply where there is a lawful reason for the continued processing.

HR records often present issues. For tax purposes, you need to keep records of people who have worked for you for 7 years, including a name, start date and termination date. But you are unlikely to have a lawful reason to keep other information such as emergency contact details, passport scans and bank details.

You should set out retention periods and securely delete unnecessary data, in hard copy and electronic formats including backups, when it is no longer required.

This also makes it easier to respond to a data subject access request: if you no longer hold the information, you cannot be asked to supply it.

GDPR Myth Busting – Well, consent is required for marketing!

Not necessarily. The ICO is clear that marketing of your own products and services can be a legitimate interest. Consent is not required if you can show that the way you use people’s data

  1. is proportionate,
  2. has a minimal privacy impact, and
  3. would not surprise people or be something they would be likely to object to.

However, with respect to direct marketing, the Privacy and Electronic Communications Regulations take precedence.

Consent is not always required for direct marketing in business to business communications, but you have to be a little careful as sole traders and some partnerships are treated as individuals.

For direct marketing to individuals, consent is usually required, although marketing related to products and services similar to those they have already bought is OK.

If you are required to have consent under the Privacy and Electronic Communications Regulations, then consent is also the legal basis for processing to rely on under GDPR.

GDPR Myth Busting – We need the data subject’s permission to process their data

No, you don’t. You must have one of the six lawful bases for processing set out in the regulations, but that basis is not necessarily consent. The alternatives include:

  • where you are carrying out a contract with the data subject or are taking steps to enter into one, for example a law firm carrying out conveyancing or an insurance company gathering information to prepare a quote.
  • where a law specifically requires the processing to be done, such as money laundering checks or employee right-to-work checks.
  • for your own or a third party’s legitimate interests. This fits best where you use people’s data in ways they would reasonably expect and that have little impact on their privacy. For example, it is a legitimate interest for an internet shopping site to hold contact details and a delivery address for its shoppers.

GDPR Myth Busting – Using professionals to deliver marketing services takes away the worry

If you pay a third party to do your marketing, you are both responsible for complying with GDPR and the Privacy and Electronic Communications Regulations.

If the ICO were to take enforcement action, they would usually take it against the ‘instigator’. If a specialist subcontractor deliberately ignored the rules, the ICO might also consider taking action against them.

Whatever the situation, it is a legal requirement to have a written, GDPR-compliant agreement in place with any supplier that has access to your personal data. It needs to set out the contractor’s responsibilities and, where possible, guarantees of compliance.

GDPR Myth Buster – It’s all about marketing

No, it’s not.

Personal data is any information relating to an identifiable person who can be directly or indirectly identified.

What identifies an individual could be as simple as a name or a number or could be an IP address or a cookie.

The rules apply to both electronic personal data and to certain manual filing systems.

Processing means doing just about anything with the personal data including collecting, storing and disposing of it.

Employees and job applicants are covered, so the rules can apply to notes made about candidates at a job interview. Don’t write anything that you would not want the candidate to read, as they have a right to make a subject access request.

In relation to marketing, we also have to bear in mind the Privacy and Electronic Communications Regulations, which apply whenever you send electronic marketing messages by phone, fax, email or text.

GDPR Myth Buster – I’ve been in business for years and never had a problem

That’s great news.

The ICO, like many regulators, has an issue-driven enforcement policy.

If there is a significant data breach or numerous complaints, then enforcement action may well follow.

If this happens, the ICO will ask how you demonstrate compliance.

If you can’t, you will have no excuse and will have to face the consequences, which will more than likely include reputational damage.