There are many myths surrounding GDPR and what you should and shouldn't do in order to comply; here we hopefully dispel some of those myths.
The biggest threat to organisations from the GDPR is massive fines
This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.
Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.
And that concerns me.
It’s true the ICO have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law.
But it’s scaremongering to suggest that the ICO will be making early examples of organisations for minor infringements or that maximum fines will become the norm.
The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.
Like the DPA, the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket, their reputations will suffer a significant blow.
You must have consent if you want to process personal data
The GDPR is raising the bar to a higher standard for consent.
Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.
This has understandably created a focus on consent.
But I’ve heard some alternative facts. How “data can only be processed if an organisation has explicit consent to do so”.
The rules around consent only apply if you are relying on consent as your basis to process personal data.
So let’s be clear. Consent is one way to comply with the GDPR, but it’s not the only way.
We have to get fresh consent from all our customers to comply with the GDPR
You do not need to automatically refresh all existing consents in preparation for the new law. But the GDPR sets the bar high for consent, so it’s important to check your processes and records to be sure existing consents meet the GDPR standard. If they do there is no need to obtain fresh consent.
Where you have an existing relationship with customers who have purchased goods or services from you it may not be necessary to obtain fresh consent.
It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act.
We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them. So think about whether you actually need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent easily.
If consent is the appropriate lawful basis then that energy and effort must be spent establishing informed, active, unambiguous consent.
Taken from: ICO Blog | The Information Commissioner's Office.