The General Data Protection Regulation (GDPR) has been in effect since the 25th of May 2018. Yet, despite a huge effort on the part of the Information Commissioner’s Office (ICO) to dispel the uncertainty around GDPR compliance, a number of myths and misconceptions have sprung up around what the law entails and how it could impact both companies and individuals.
Never before has data protection been so much in the public eye, largely due to a number of high-profile breaches involving major companies such as British Airways and Marriott, with both now facing two of the largest fines in ICO history.
More than ever, people are becoming aware of the dangers posed by the misuse of their data and the rules surrounding governance. But, despite this increased awareness, a number of false beliefs around data protection have continued to spread and gain traction.
Alice Wilson is a data protection officer (DPO) at Higher Education Further Education Shared Technology Information Services (HEFESTIS) – a non-profit organisation that provides shared DPO and CISO services to colleges and universities in Scotland.
Wilson, who has more than ten years’ experience working in data protection, is keen to share some of the most common fallacies she has encountered, and to advise on what she thinks needs to be done to remedy the situation.
As she puts it, “data protection isn’t there to restrict you” and should not be considered a barrier to doing business or handling data. “It’s about making sure there are policies and procedures in place to ensure data is used appropriately, is kept safe and that there is greater transparency around how it is used.”
The most common and persistent misconception that exists around GDPR is about the need for consent, she says. “Generally, people believe that you can’t do anything with someone’s data unless they agree to it, but that has not been the case for decades,” she explains.
“Under GDPR there is a list of conditions that must be met for consent to be valid. What GDPR has done is strengthen the rules around consent in that it must be a fully informed and freely given choice.”
This misconception makes many organisations “nervous” according to Wilson, because they think they can only process data if they have explicit consent to do so. However, this only applies if they are relying on consent as a basis to process personal data.
“Consent is one way to comply with the GDPR, but it’s not the only way. For processing to be compliant under the GDPR, you need to identify a lawful basis before you start. There are five other conditions for processing personal data – contract, legal obligation, vital interests, public task and legitimate interest.”
Wilson says that this false notion around consent links to another prevalent misconception that data protection rights are a barrier and can lead to a “data protection says no” scenario.
“Because of the misconception around consent, sometimes organisations will use it as an excuse for not sharing data,” she says. “They will say they cannot share that data because they do not have consent or because the DPO says no, even if they used to share that data before GDPR.
“This is really unhelpful and perpetuates the belief that data protection is more restrictive rather than helpful.”
Wilson emphasises the point that data protection does not prevent the sharing of data with appropriate bodies when it comes to a life or death matter – for example, if a vulnerable young person goes missing. “The regulator will not come along and fine you for sharing life-saving data that can help protect a vulnerable person,” she says.
“Some aspects of data protection should be a matter of common sense. Don’t disclose information unless it is appropriate to do so and, similarly, don’t share just because a stranger asks you to. I always tell people to take a step back and think about it from the perspective of the data subject and how they would feel if that information was disclosed about them.
“Ask yourself, is it justified, proportionate and necessary to share that data for the purpose it was collected for?”
This misconception over consent links directly to incorrect assumptions about the data subject’s rights. Some people, Wilson says, mistakenly believe that the right to be forgotten is absolute or that companies cannot use their data without explicit consent. However, this is not the case. For example, certain organisations have a legal requirement to hold data on people.
“You can’t go to HMRC and say delete all my data,” Wilson notes. “They have a legal requirement to hold data on you for tax purposes.”
Other organisations with a similar right include local authorities, banks sharing data for fraud protection, and insurance companies processing claims information.
On the subject of how these misconceptions continue to spread, she compares it to the problem of fake news and misinformation. “Despite having a host of data practitioners and DPOs battling to dispel these myths, there are still numerous articles circulating online that repeat and spread these inaccuracies. Sadly, there are more people reading these inaccurate articles than the informed ones.”
To remedy the situation, Wilson advocates for more data protection training to be provided for staff. In particular, employees who handle sensitive data and/or large volumes of data for specific purposes could benefit from extra knowledge in this area. For instance, most HR departments will handle large amounts of personal and sensitive data. Therefore, “specific training regarding data directly related to their area of work would help provide greater clarity over how that data should be used”, says Wilson.
“As well as training, we need to continue to raise awareness about GDPR. The ICO is doing a great job but we must keep pushing to dispel these myths.”
If you would like to come along to DIGIT’s 3rd annual Data Protection Summit on the 10th of December at Dynamic Earth in Edinburgh, there is now a waiting list. You can register your interest to attend at dataprotectionscot.com.