The Information Commissioner has recently published her fourth article in a series of 'myth-busting' blogs to separate the facts about the new General Data Protection Regulation (GDPR) from the fiction.
'Setting the record straight on data breach reporting' follows blogs on the burden on business, consent and the threat of fines.
A total of eight myths have been addressed so far:
- Myth #1: The biggest threat to organisations from the GDPR is massive fines.
  The Information Commissioner is keen to emphasise the Information Commissioner’s Office’s (ICO) commitment to guiding, advising and educating organisations about how to comply with the law. The ICO intends to use its increased powers 'proportionately and judiciously'; issuing fines will continue to be a last resort.
- Myth #2: You must have consent if you want to process personal data.
  Consent is only one way to comply with the GDPR. Headlines about consent have failed to mention the five other lawful bases organisations can use for processing personal information. For example, one of these is 'legitimate interests', and the ICO is working towards publishing further guidance on this next year.
- Myth #3: I can’t start planning for new consent rules until the ICO’s formal consent guidance is published.
  Although the ICO has yet to publish its final consent guidance, the ICO’s draft guidance on consent is a 'good place to start for now'. Since the draft consent guidance is unlikely to change significantly in its final form, organisations already have many of the tools to start their preparations. The current timetable for the final consent guidance to be released is December.
- Myth #4: GDPR is an unnecessary burden on organisations.
  The GDPR is an 'evolution in data protection, not a total revolution'. The GDPR builds on the existing principles of fairness, transparency, accuracy, security, minimisation and respect for the rights of individuals, which are entrenched in current UK data protection legislation. The ICO recognises that small organisations may have limited time and resources for compliance, but points out that the GDPR requires a risk-based approach to be taken when assessing how they comply with the new law.
- Myth #5: All personal data breaches will need to be reported to the ICO.
  It will be mandatory to report all personal data breaches which are likely to result in a risk to individuals' rights and freedoms. If that is unlikely, there is no need to report the personal data breach; however, organisations are advised to document such decisions to demonstrate compliance. Pan-European guidelines will assist organisations in determining thresholds for reporting personal data breaches. In the interim, the best approach is to start considering what constitutes a personal data breach in the context of your organisation.
- Myth #6: All details need to be provided as soon as a personal data breach occurs.
  The GDPR requires personal data breaches to be reported without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. However, if not all of the details are available at this time, more details can be provided later as the investigation into the personal data breach continues. The ICO is not expecting to receive a comprehensive personal data breach report straight away.
- Myth #7: If you don’t report a personal data breach in time a fine will always be issued and the fines will be huge.
  Fines will be proportionate and can be avoided if organisations are open and honest. The Commissioner encourages businesses to: 'Tell it all, tell it fast, tell the truth.'
- Myth #8: Data breach reporting is all about punishing organisations.
  The aim is to push organisations to step up their ability to detect and deter personal data breaches. The public need to have trust and confidence, and personal data breach reporting increases accountability. Organisations should be preparing now by ensuring they have the roles, responsibilities and processes in place for reporting personal data breaches. The ICO has announced that it will be introducing a new phone reporting service to sit alongside a web reporting form, to make reporting personal data breaches to the ICO quicker and easier.
The aim of the 'myth-busting' blogs is to correct the misinformation about the GDPR in the press and to put headline statements in context. The responses to the blogs indicate that these have been well received, particularly in relation to the blog on consent pending the publication of the ICO's final guidance.
There is no avoiding the fact that the GDPR will have an impact on an organisation's resources, and although the GDPR builds on existing principles, there are new provisions to comply with. Whilst further guidance is due to be issued on various aspects of the GDPR, the overarching message is that organisations should be preparing now.
Contributor: Jenai Nissim
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at September 2017. Specific advice should be sought for specific cases. For more information see our terms & conditions.