Information Commissioner’s Office dispels GDPR Myths

From 25 May 2018 the new EU General Data Protection Regulation (GDPR) will come into force. The GDPR has been designed to strengthen online privacy rights. It will cover everything from data sharing to consent for data collection and will impact any business, small or large.

As we near May 2018, the news of GDPR has become a hot topic and alarm bells have started to ring with organisations searching for the facts that will help them prepare for the changes in regulation. Sadly, whilst there is a wealth of information available on the topic, not all sources have their facts straight.

Thankfully, the Information Commissioner’s Office (ICO) has stepped in with a series of blogs on the topic which help sort the myth from the fact. For those of you short on time, we have summarised myths 1 to 4 here, but urge you to visit the ICO’s blog site to read and absorb its advice in full.

Myth #1

The biggest threat to organisations from the GDPR is massive fines.

The reality:

UK Information Commissioner, Elizabeth Denham, is keen to point out that the new law is not about fines, but is about “putting the consumer and citizen first.”

She explains: “It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the Data Protection Act (DPA) allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law.

“But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.

“The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”

Of the 17,300 cases concluded by the ICO last year, Denham highlights that only 16 of them resulted in fines for the organisations concerned.

She also advises that while the larger fines certainly indicate the increased importance attached to personal data in the 21st century, it is the whole range of tools that the ICO will have access to that will enable them to deal with serious breaches “proportionately and judiciously”.

“Like the DPA, the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow. And you can’t insure against that”.

Myth #2
You must have consent if you want to process personal data.

The reality:

While current data protection law requires a clear, affirmative action from the individual, the ICO explains that GDPR is now ‘raising the bar to a higher standard for consent’, meaning that pre-ticked opt-in boxes are no longer good enough.

As Denham says, “The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.”

However, despite the above being firmly focused on consent, Denham explains that consent is not the only way to comply with GDPR.

“Headlines about consent often lack context or understanding about all the different lawful bases businesses and organisations will have for processing personal information under the GDPR,” she says, stating that there are other lawful bases organisations can consider using under the GDPR.

“Local authorities processing council tax information, banks sharing data for fraud protection purposes, insurance companies processing claims information. Each one of these examples uses a different lawful basis for processing personal information that isn’t consent.”

The GDPR actually lays out five other ways of processing data, one of which may be more applicable to your business. Visit the ICO’s website to read its guidance on the matter.

But once you have decided on the best way for your organisation to proceed, the key is to document these decisions so that you can prove to the ICO which lawful basis you are using if questioned.

Myth #3

We must wait for ICO’s formal guidance before implementing new consent rules.

The reality:

The ICO’s final guidance on consent is due to be published in December. However, you can make a head start now by reviewing the ICO’s draft guidance on consent, which, according to Denham, is unlikely to change significantly in its final form.

Myth #4

GDPR is an unnecessary burden on organisations.

The reality:

Not so, says Steve Wood, Deputy Commissioner for Policy at ICO, who clarifies that the ‘new regime is an evolution in data protection, not a revolution’.

Wood explains that the GDPR simply builds on the fundamentals of the Data Protection Act (DPA), such as fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data you want to process, and that if your business already complies with the DPA and has effective data governance in place, then you are just a step away from GDPR compliance.

And while acknowledging that the new regulations will require organisations to make certain new provisions, Wood believes that there are opportunities to be had from the GDPR.

“Whatever the size of your organisation, GDPR is essentially about trust. Building trusted relationships with the public will enable you to sustainably build your use of data and gain more value. Through changing their data handling culture, organisations can derive new value from customer relationships.”

“Failing to get data protection right is likely to damage your reputation, your customer relationships and, ultimately, your finances. That goes way beyond increased fines – think brand damage and a subsequent loss of custom.

“The ICO’s annual research on privacy and data protection consistently shows that levels of public trust remain low. Conversely, it also shows that they would be more willing to provide their data, and for different uses, if they felt they could trust organisations to handle it fairly, securely and responsibly. And that provides a major opportunity and competitive advantage for those who can demonstrate that they get data protection right.”

The Credit Protection Association is a credit management company established in 1914. If you supply goods or services on credit then we can help you!
