Top 5 misconceptions of GDPR


With the General Data Protection Regulation (GDPR) less than a year away, all businesses in Europe should be preparing to ensure that they are compliant with the new requirements. However, whilst awareness (and concern) about GDPR has grown, we regularly encounter misunderstandings and misconceptions about how GDPR should be addressed. Here are 5 of the most common ones:

1. GDPR does not govern direct marketing (and neither did the Data Protection Act).

Any personal data processed for direct marketing, such as mailing lists, will need to be processed in accordance with GDPR. GDPR also gives data subjects the right to object to direct marketing (Article 21), but the requirement for third-party consent and the ‘soft opt-in’ are currently governed by the Privacy and Electronic Communications Regulations 2003. These rules are being updated by the ePrivacy Regulation (currently in draft form) with a view to it coming into force on 25 May 2018. The definition of consent and the fines for direct marketing will be taken from GDPR, and the regulator will also be the Information Commissioner’s Office (ICO).

2. The duty to notify the ICO of a data breach (Article 33) is a new requirement.

Current data protection guidance advises that the ICO is notified if a data breach occurs which is likely to cause damage or distress to data subjects. Whilst GDPR makes this mandatory rather than advisable, it is still currently recommended, and a failure to notify today, where the ICO feels you should have, will count against a controller.

3. GDPR has direct effect and therefore Member States can sit back and do nothing.

There are a number of areas of GDPR that require Member States to interpret and finalise wording, including around employment and exceptions to processing. Each Member State will need to pass legislation to implement these aspects of the GDPR.

4. White-listed countries that have received an adequacy decision from the Commission, such as Canada and New Zealand, will need to update their legislation in line with GDPR to remain white-listed.

The Commission may require these territories to do this in due course, but as of 25 May 2018 all white-listed countries will remain white-listed (Article 45(9)).

5. Brexit makes GDPR redundant.

Absolutely not. There are many reasons why GDPR will come into force in the UK:

  • GDPR will come into force before Brexit (in all likelihood);
  • GDPR has extra-territorial effect so it will apply to British companies offering goods or services to EU citizens;
  • the UK aims to keep all EU legislation in force on the date of Brexit;
  • the Department for Culture, Media & Sport, the ICO and the Queen have all praised GDPR as good legislation; and finally
  • the UK will want to remain part of a single data market and be able to receive personal data from the EU. The easiest way to do this is to be white-listed and, so long as the UK’s legislation matches GDPR, it is difficult to imagine the Commission not white-listing the UK.