GDPR – ICO sets record straight surrounding GDPR myths

By Sam Thomas | 22nd September 2017 | 14 min read

With less than nine months to go until the General Data Protection Regulation (GDPR) comes into full force, the Information Commissioners Office (IC0) has recognised that businesses are becoming increasingly concerned.

The ICO believes some concerns have arisen due to misleading press stories and developing myths surrounding the legislation. As a result, they have released a series of reports clearing up the myths surrounding the GDPR, we have taken a look at three key myths and what the ICO says about them:

Myth #1 - GDPR is an unnecessary burden on organisations”

The ICO say new legislation is an evolution in data protection, not a revolution. It demands more of organisations in terms of accountability and enhances the existing rights of individuals. GDPR is building on foundations already in place for the last 20 years. The ICO states if you are already complying with the terms of Data Protect Act, and have an effective governance programme in place, then you are already on the road to be ready for the GDPR.

Myth #2 - Increased fining powers threatening organisations” 

According to the ICO, GDPR is about putting the consumer and citizen first. GDPR does bring increased powers to impose much higher fines however, its scaremongering to suggest the ICO will be making early examples of organisations for minor infringements or these maximum fines will become the norm. The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR.  

Myth #3 - “You must have consent if you want to process personal data

The ICO has stated that under current data protection laws consent has always required clear affirmative action – the GDPR now clarifies that pre-ticked opt-in boxes are not indications of valid consent. New requirements for clear and plain language when explaining consent is now strongly emphasised whilst also making sure that consent that a business already has meets the standard of the GDPR, if not then it needs to be refreshed.

However, it is important to understand that consent is one way of processing personal data but not the only way. For data processing to be lawful under the GDPR, businesses need to identify a lawful basis before they start. GDPR provides five other ways of processing data that may be more appropriate than consent.



How should I prepare?

We have developed a handy checklist of the nine keys steps your business should take to prepare for the introduction of the GDPR.

To give your business the best chance of complying by the 25th May 2018 implementation date why not print off the 9 steps to prepare for the GDPR checklist and tick off each step as you go!

Download your free GDPR checklist now!