After months of press and hype, the General Data Protection Regulations (GDPR) come into effect this month on 25 May 2018.


There’s a lot of scaremongering out there – you may have had emails offering you costly GDPR compliance services so that you don’t get hit with heavy fines.


You will definitely have been receiving emails from many organisations requesting that you consent to remain on their mailing list.  In most cases, if the companies originally obtained consent legitimately from you to put you on a mailing list then this is completely unnecessary.  If, however, they hadn’t received consent from you and they continue to email you after 25 May 2018 without providing you with an option to unsubscribe then they are breaking the GDPR regulations. 


The AAT have provided useful guidance on mailing list consent which can be found at https://www.aatcomment.org.uk/gdpr-mailing-lists-the-myths/


Interestingly, we all think of mailing lists as an explicit tick box to gain consent nowadays.  However, if someone has provided you with their email address in order for you to give them a quotation, or if somebody gives you their business card at a networking meeting, this is categorised as legitimate consent to email them so it’s ok to add them to your mailing lists (provided that you give them an option to unsubscribe).


The Information Commission’s Office has published a set of 9 Myth Busting Blogs which are designed to dispel the scaremongering – these are summarised below but you can read the full blogs at https://iconewsblog.org.uk/tag/gdprmyths/


Myth #1:

The biggest threat to organisations from the GDPR is massive fines.


This law is not about fines. It’s about putting the consumer and citizen first.

Myth #2

You must have consent if you want to process personal data.


The GDPR is raising the bar to a higher standard for consent.

Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent.  The requirement for clear and and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.

This has understandably created a focus on consent.

But I’ve heard some alternative facts. How “data can only be processed if an organisation has explicit consent to do so”.

The rules around consent only apply if you are relying on consent as your basis to process personal data.

So let’s be clear. Consent is one way to comply with the GDPR, but it’s not the only way.

Headlines about consent often lack context or understanding about all the different lawful bases businesses and organisations will have for processing personal information under the GDPR.

Not only has this created confusion, it’s left no room to discuss the other lawful bases organisations can consider using under the new legislation.

For processing to be lawful under the GDPR, you need to identify a lawful basis before you start.

Local authorities processing council tax information, banks sharing data for fraud protection purposes, insurance companies processing claims information.

Each one of these examples uses a different lawful basis for processing personal information that isn’t consent.

The new law provides five other ways of processing data that may be more appropriate than consent.

‘Legitimate interests’ is one of them and we recognise that organisations want more information about it. There is already guidance about legitimate interests under the current law on the ICO website and from the Article 29 Working Party. We’re working to publish guidance on it next year.

But there’s no need to wait for that guidance. You know your organisation best and should be able to identify your purposes for processing personal information.

Whatever you decide, you’ll need to document your decisions to be able to demonstrate to the ICO which lawful basis you use. Data protection impact assessments will be able to help you with the task of understanding how you can meet conditions for processing and make your business more accountable under the GDPR.

But if you are relying on consent, I want to explode another myth that organisations can only start their preparations once the ICO has published guidance.

Myth #3

I can’t start planning for new consent rules until the ICO’s formal guidance is published.


I know many people are waiting for us to publish our final guidance on consent. Businesses want certainty and assurance of harmonised rules. Waiting until Europe-wide consent guidelines have been agreed before we publish our final guidance is key to ensuring consistency. The current timetable is December.

But the ICO’s draft guidance on consent is a good place to start right now. It’s unlikely that the guidance will change significantly in its final form. So you already have many of the tools you need to prepare.

Finally, when we do publish our formal guidance on consent, it will not include guidance on legitimate interests or any other lawful bases for processing. It’s guidance on consent and will only cover consent.

Myth #4

GDPR is an unnecessary burden on organisations.


The new regime is an evolution in data protection, not a revolution.

Let’s start off by being totally up front here. Any regulation has some sort of impact on an organisation’s resources. That’s unavoidable and GDPR is no different to any other new legislation in that respect. But thinking about burden indicates the wrong mindset to preparing for GDPR compliance.

What must be recognised is that GDPR is an evolution in data protection, not a total revolution. It demands more of organisations in terms of accountability for their use of personal data and enhances the existing rights of individuals.  GDPR is building on foundations already in place for the last 20 years.

If you are already complying with the terms of the Data Protection Act, and have an effective data governance programme in place, then you are already well on the way to being ready for GDPR.


Myth #5

All personal data breaches will need to be reported to the ICO.


It will be mandatory to report a personal data breach under the GDPR if it’s likely to result in a risk to people’s rights and freedoms.

So if it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report.

Myth #6

All details need to be provided as soon as a personal data breach occurs.


Under the GDPR there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it.

Organisations will have to provide certain details when reporting, but the GDPR says that where the organisation doesn’t have all the details available, more can be provided later. The ICO will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident – but we will want to know the potential scope and the cause of the breach, mitigation actions you plan to take, and how you plan to address the problem.

Myth #7

If you don’t report in time a fine will always be issued and the fines will be huge.


Fines under the GDPR will be proportionate and not issued in the case of every infringement.

Organisations should be aware that the ICO will have the ability to issue fines for failing to notify and failing to notify in time. It is important that organisations that systematically fail to comply with the law or completely disregard it, particularly when the public are exposed to significant data privacy risks, know that we have that sanction available.

Fines can be avoided if organisations are open and honest and report without undue delay, which works alongside the basic transparency principles of the GDPR.

Tell it all, tell it fast, tell the truth.

Myth #8

Data breach reporting is all about punishing organisations.


Personal data breach reporting has a strong public policy purpose. The law is designed to push companies and public bodies to step up their ability to detect and deter breaches. What is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities.

The public need to have trust and confidence that a regulator is collecting and analysing information about breaches, looking for trends, patterns and wider issues with organisations, sectors or types of technologies. It will help organisations get data protection right now and in the future.

We understand that there will be attempts to breach organisations’ systems, and that data breach reporting will not miraculously halt criminal activity. But the law will raise the level of security and privacy protections across the board.

Myth #9:

GDPR compliance is focused on a fixed point in time – it’s like the Y2K Millennium Bug


GDPR compliance will be an ongoing journey

Unlike planning for the Y2K deadline, GDPR preparation doesn’t end on 25 May 2018 – it requires ongoing effort.

It’s an evolutionary process for organisations – 25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.

That said, there will be no ‘grace’ period – there has been two years to prepare and we will be regulating from this date.


Helen Fielding

3 May 2018