The ICO's Myth Busting Article on GDPR Explained
Of all the information available on the new General Data Protection Regulation, one thing is certain: there is a lot of it to consider. Just over eight months out from the GDPR coming into force, a new blog series from the Information Commissioner's Office offers helpful snapshots for firms trying to anticipate how the ICO will approach the incoming regulation.
In the first post, the Information Commissioner sought to dispel some common misconceptions about the GDPR, including that it will prevent firms from communicating with their clients or customers, or that every breach must be reported to the ICO. Elizabeth Denham's myth busting blog also offers a timely reminder that the GDPR is first and foremost about greater transparency, and about the benefits that transparency brings for businesses and customers alike.
While the benefits are clear, firms need to remember that the regulation also brings increased accountability, and that although many aspects of the GDPR will apply equally to everyone, some will differ depending on the type of firm and the kind of business it conducts. This brings us neatly to the ICO's myth #2: that you must have consent if you want to process personal data.
The Commissioner confirms that the rules around consent only apply if you are relying on consent as your lawful basis for processing personal data. Consent is only one option. In total, the GDPR provides six lawful bases for processing data:
consent of the data subject;
compliance with a legal obligation;
necessary for the performance of a contract with the data subject or to take steps to enter into a contract;
necessary to protect the vital interests of a data subject or another person;
necessary for the performance of a task carried out in the public interest (...);
necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Whichever lawful basis you decide applies to your firm or business, the Commissioner reminds us that the decision needs to be thoroughly documented so that you can demonstrate to the ICO which basis you rely on. And if consent is the basis on which you process personal data, pre-ticked opt-in boxes will no longer be a legitimate means of demonstrating it.
Myth #3 is the idea that firms cannot start planning for the new consent rules until the ICO's formal guidance is published. In fact, the ICO's draft guidance already sets out many of the tools firms will need to begin preparations.
If preparing for the GDPR is turning into a headache, we can help. We are holding the second instalment of our seminar series over September and October, aimed at helping you implement the GDPR with ease. We cover the key changes you need to make; recent clarifications from the ICO on consent, not-for-profit organisations, privacy notices, breach notifications and subject access requests; and how your peers are transitioning to full compliance. You don't need to have attended the previous seminar. To join, simply click the link to book your place at any of the following events:
21 September 2017 – 9am until 3pm
St. George’s Conference Centre, Leeds, LS1 3DL
27 September 2017 – 9am until 3pm
Etcvenues, Bonhill House, EC2A 4BX
5 October 2017 – 9am until 3pm
Jurys Inn, Newcastle upon Tyne, NE1 4AD