
Ten GDPR myths

Published 06 February 2018

Des Ward, information governance director of digital infrastructure industry association Innopsis, dispels some of the myths and legends around the EU General Data Protection Regulation (GDPR)
The EU GDPR two-year implementation period ends on the 25th May 2018, and activity is expected to intensify to meet the legislation in the next couple of months. However, there remains a great deal of misunderstanding around the changing landscape for telecoms suppliers and their customers.

Here are ten myths concerning the GDPR and my thoughts to dispel them. These myths are taken from an Innopsis whitepaper: “The EU GDPR: An Evolution or Revolution in Privacy?” It presents the challenges to suppliers not only from the GDPR itself, but also from the current guidance of the Article 29 Working Party and the wider legal context of laws affecting information governance.

  1. Regulations cover all personal data, not just personally identifiable information. People talk about Personally Identifiable Information (PII) in the same context as GDPR. While many people are simply using this as short-hand for personal data, it can actually cause issues when scoping your compliance activity. PII concerns itself with a limited set of personal data that can directly identify someone (e.g. name, address, date of birth, etc.), whereas Article 4 (and Recital 26) of the GDPR contains a far wider definition that includes metadata and ancillary information (e.g. networking details, cookies, etc.) commonly found during digital transactions.
  2. Using encryption/pseudonymisation isn’t the answer (on its own). While encryption and pseudonymisation are commonly mooted as a means to reduce the scope of where GDPR requirements apply, care should be taken to refer to Recital 26 (which discusses how effective encryption and pseudonymisation are at breaking the link to an identifiable person) and to the Article 29 Working Party guidance on breach notification (which discusses how flaws in the implementation, or current or future weaknesses in the technique, could result in encrypted personal data being reclassified as identifiable, requiring notification of a breach even if it happened in the past).
  3. It’s not a security thing…it’s a governance thing. Many commentators talk about the GDPR as a security exercise, yet only 3% of the GDPR is concerned with information security as we understand it today. You have to understand the risks around confidentiality, integrity, availability and resilience, but also the risks to the rights and freedoms of the individuals whose personal data your services process, as well as how your current activities address those challenges.
  4. Managing risk creates opportunities as well as reducing threats. The UK Government’s Orange Book on Risk Management states: “Risk is defined as this uncertainty of outcome, whether positive opportunity or negative threat, of actions and events. The risk has to be assessed in respect of the combination of the likelihood of something happening, and the impact which arises if it does actually happen”. Indeed, we shouldn’t only focus on the negative impact from failing to comply with the GDPR - it’s possible to achieve positive outcomes through better understanding of information.
  5. Consent is the last resort, not the first. When people discuss the lawfulness of processing, they often discuss the requirement for consent. While consent can be a useful tool to determine if you are able to process personal data, it should be considered the last resort when determining why you are processing information. Withdrawal of consent may prevent you from undertaking your legal obligations (e.g. responding to lawful enforcement requests and managing financial transactions) or from monitoring the security of systems. Consent is also unlikely to be something that can be relied upon when a data subject has no choice but to use your service. You need to be clear on the purposes for processing personal data; you must ensure that consent (if required) is captured for each purpose, prior to processing. Consent must be distinct and not obtained merely by agreeing to a contract or terms and conditions.
  6. Data processors cannot state they were simply “following orders”. The GDPR formalises the compliance requirements of suppliers that process personal data as data processors on behalf of data controllers. Data controllers must provide written instructions on how processing must be conducted, and only use processors that can provide sufficient guarantees that the GDPR shall be complied with, otherwise they are still fully liable for any issues arising from the data processor’s activities. Conversely, data processors have an obligation under the GDPR to inform controllers where they feel that an instruction infringes the GDPR, and inform the controller when they further outsource processing within their supply chain. Contracts compliant with the GDPR requirements are expected to be in place by the end of the implementation period on 25th May 2018.
  7. Fines are not the only risk (don’t believe the hype). It is often argued that the reason for conforming with the governance requirements of the GDPR is the large fines that can be applied. However, the ICO has made it clear that the multi-million figures being mooted are not likely to transpire. This is not to say that there will be no financial penalty for failing to comply with basic requirements for information governance, but there are also other risks. For example, the impact from class actions could be significant. We’ve seen that a controller can be held accountable for failures in the wider legal framework outside of the data protection requirements.
  8. Compliance with GDPR presents a great business opportunity. Through better understanding of information resulting from complying with GDPR, we can address a very real issue - recent estimates that 54% of data is unknown in terms of its contents (also called dark data), resulting in resources being wasted in protection and storage. GDPR compliance means we can not only embrace Cloud computing but also address the amount of unknown information held within our datasets through effective risk management and governance. Addressing this will not only result in compliance, but also reduce costs and deliver opportunities.
  9. This isn’t new! Scoping and consent regarding processing of personal data have already been applied under the current Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003 respectively, and are further reinforced through case law. There are very few truly new areas in the GDPR, and even some of those are already required under wider legislation such as the Companies Act 2006.
  10. There are no ICO-certified GDPR professionals or courses. Don’t spend money on consultants claiming that they are either certified GDPR professionals or providing a service that can make you compliant – these are fallacies! In order to get the right guidance, you need to read the GDPR, monitor the Article 29 Working Party guidance and subscribe to the ICO blogs. The ICO guidance has been circulated to the Cabinet Office SME panel, and contains a list of 12 steps to take now, a self-assessment checklist and helpline for SMEs.
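Myth 2 above warns that pseudonymisation on its own does not take data out of scope, and that a flaw in the implementation can turn a "pseudonymised" dataset back into personal data. The following is an added illustration, not code from the Innopsis whitepaper or from Des Ward: it shows the most common such flaw, replacing e-mail addresses with an unkeyed SHA-256 digest, and why anyone holding a list of plausible addresses can reverse it, while a keyed HMAC with a secret held only by the controller resists the same attack. All customer records, candidate addresses and function names are constructed for the example.

```python
"""Pseudonymisation that is reversible by dictionary attack (added example).

Unkeyed hashing of a low-entropy identifier (an e-mail address) is not
effective pseudonymisation: anyone who can enumerate candidate identifiers
and run the same hash function can re-identify the records. A keyed HMAC
moves the secret out of the dataset, so the supplier receiving the export
cannot reverse it without the controller's key. All data below is constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sample: a customer table as it might be exported to an analytics
# supplier after "pseudonymising" the e-mail column.
CUSTOMERS = [
    {"email": "alice@example.com", "plan": "gold"},
    {"email": "bob@example.org", "plan": "basic"},
    {"email": "carol@example.net", "plan": "gold"},
]


def weak_pseudonymise(email: str) -> str:
    """Naive approach: replace the identifier with its unkeyed SHA-256 digest.

    Normalising case keeps pseudonyms consistent across records, but it also
    means the attacker knows exactly which input form to hash.
    """
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonymise(email: str, key: bytes) -> str:
    """Keyed approach: HMAC-SHA256 under a secret the controller never exports.

    If this key is ever lost or leaked (the "future weakness" in the breach
    guidance), every dataset derived with it becomes personal data again.
    """
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def reidentify(pseudonyms, candidate_emails, pseudonymise):
    """Attacker's dictionary attack.

    Hash every candidate identifier with the function the attacker believes the
    controller used, then look the exported pseudonyms up in that table.
    Returns a mapping of pseudonym -> recovered e-mail for every hit.
    """
    lookup = {pseudonymise(e): e for e in candidate_emails}
    return {p: lookup[p] for p in pseudonyms if p in lookup}


def demo():
    """Run the attack against both schemes; returns (weak_hits, keyed_hits)."""
    controller_key = secrets.token_bytes(32)  # kept by the controller only

    weak_export = [weak_pseudonymise(c["email"]) for c in CUSTOMERS]
    keyed_export = [keyed_pseudonymise(c["email"], controller_key) for c in CUSTOMERS]

    # Constructed attacker wordlist: e.g. a marketing list or an earlier leak
    # that happens to contain the same people plus some noise.
    candidates = [c["email"] for c in CUSTOMERS] + ["dave@example.com"]

    # Against the unkeyed scheme the attacker simply re-runs SHA-256.
    weak_hits = reidentify(weak_export, candidates, weak_pseudonymise)

    # Against the keyed scheme the attacker has to guess the key; a wrong key
    # produces pseudonyms that never match the export.
    attacker_key = secrets.token_bytes(32)
    keyed_hits = reidentify(
        keyed_export, candidates, lambda e: keyed_pseudonymise(e, attacker_key)
    )
    return len(weak_hits), len(keyed_hits)


if __name__ == "__main__":
    weak, keyed = demo()
    print(f"unkeyed SHA-256: {weak} of {len(CUSTOMERS)} records re-identified")
    print(f"keyed HMAC:      {keyed} of {len(CUSTOMERS)} records re-identified")
```

Two caveats follow from Recital 26 even for the keyed variant. First, the pseudonym is stable per person, so the export is still linkable within itself and, with the key as "additional information", attributable to an individual; it therefore remains personal data and does not fall out of scope. Second, the other columns (here `plan`) are untouched, so any quasi-identifiers in them can re-identify records regardless of how the e-mail column was treated.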

Des Ward is Information Governance Director of Innopsis, the industry association for suppliers of digital infrastructure and services to the public sector. He has been involved in information risk and governance within end-user and supply organisations for over twenty years.