GDPR: Addressing myths and alleviating the fear

What is GDPR?

The General Data Protection Regulation – also known as GDPR – is a data protection regulation that will come into effect across Europe in May 2018. Today personal data is processed in so many different ways, and the law that regulates our practices was passed in 1998 – before social media and a variety of other information sharing norms we now know well. While the GDPR regulation has caused some anxiety among European organisations, the intent of the GDPR is to strengthen data protection practices and bring them into the 21st Century.

The GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). The UK’s decision to leave the EU does not affect our need to comply. We all must.

The GDPR will regulate, among other things, how individuals and organisations may obtain, use, store, and eliminate personal data (information that could be used on its own or in conjunction with other data to identify an individual). It is applicable to any organisation processing personal data of EU citizens regardless of its location or where those processes take place.

Enhancements to the law under the GDPR

While the GDPR retains much of the existing data protection directives, there are some important changes to note, including:

Expansion of scope (i.e. the broader territorial scope outlined above, and the extension of the law to data “processors”, not just “controllers”)Expansion of individuals’ rightsExpansion of definitions of personal and sensitive dataStricter consent requirementsStricter processing requirements

The GDPR-myths

There is currently a lot of hype around the new regulation and myths are rife. Some of the common misconceptions were addressed at the 2017 Granicus Public Sector Communications Conference in London, when Holly Bremner (Head of Dissemination) and Imogen Heywood (Engagement Manager) at the Centre of Excellence for Information Sharing, and David Teague (Regional Manager) at the Information Commissioner’s Office (ICO) spoke to a live and online audience of over 600 public sector professionals. You can watch the the talk here, and to summarise what they shared:

Myth #1: GDPR will be a big job for your data teams

One of the most common misconceptions of the GDPR is that it will require huge amounts of work, staff time and dedication to data protection. In reality, be assured that if you are already following data handling best practices per the requirements of the existing data protection directive, it’s likely your organisation will find preparing for the GDPR relatively simple.

Myth #2: You must have consent to use information under GDPR

A phrase that continues to be repeated on the topic of GDPR is that it “mandates individual consent” to use their information. In other words, all individuals must give their information willingly in order for key processes to continue as usual. This policy would not work across many public sector practices – for example, a police officer or investigator needing vital information in an emergency in order to do their duty. Most organisations in the public sector have a legal obligation to publish certain types of information that do not require consent, so the GDPR does not impede your ability to do your jobs. However, you should read the detailed guidance the ICO has published on consent under the GDPR, and use their consent checklist to review your practices.

Myth #3: GDPR means large fines

There are data breaches across the public sector regardless of GDPR’s regulations. A common misconception is that any breach under GDPR will result in large fines immediately. In reality, the ICO is not going to demand an organisation write a cheque the moment there is a data breach. However you should be able to show you’re working towards compliance and get there quickly – it’s no good just burying your head in the sand. Do plan and start implementing your preparations now.

The panel of speakers urged attendees that the most important thing to remember is that the GDPR presents a great opportunity to develop an effective communications strategy to eliminate these myths, now. Be seen as an authoritative voice and help lead your organisation along the way to full compliance. Comms teams can support staff to be confident in their data practices.

Read our second blog on preparing for the GDPR here for more guidance.


Posted on 3rd January 2018