The document discusses common myths about the General Data Protection Regulation (GDPR). It summarizes six myths: 1) that fines under GDPR will be massive, but fines will be proportionate; 2) that consent is required for all data processing, but there are alternative bases; 3) that consent alone ensures compliance, but other requirements still apply; 4) that IT can ensure compliance with technology solutions alone, but people and processes are most important; 5) that all businesses must appoint a Data Protection Officer when the requirement is narrow; and 6) that all breaches must be reported within 72 hours, when reporting depends on risk level. The document provides the realities behind each myth.

1. @danmabyblue37.com
GDPR Workshop
🤓

2. @danmabyblue37.com
I’m no legal expert
🖐

3. @danmabyblue37.com
😲

4. @danmabyblue37.com
Myth Busting
🧠

5. @danmabyblue37.com
Myth 1
💸
OMGMASSIVEFINES!!!!!

6. @danmabyblue37.com
The Myth🦄

7. @danmabyblue37.com
The Reality
“Predictions of massive fines under the GDPR that simply scale up
penalties we’ve issued under the Data Protection Act are nonsense
Don’t get me wrong, the UK fought for increased powers when the
GDPR was being drawn up. Heavy fines for serious breaches reflect just
how important personal data is in a 21st century world. But we intend
to use those powers proportionately and judiciously.”
- Elizabeth Denham, Information Commissioner, 9 Aug. 2017
'

8. @danmabyblue37.com
Myth 2
🙏
Consent with everything

9. @danmabyblue37.com
The Myth
“You have to have consent to process personal data”
- Nearly everyone, all the time
For example…
“The Data Protection Bill will require explicit consent to be necessary
for processing sensitive personal data.”
- An actual DCMS press release (no, really)
🦄

10. @danmabyblue37.com
The Reality
q Consent is one possible basis for processing personal data.
q There are 5 others: contractual necessity, legal obligation, protection of vital interests,
public interest necessity and legitimate interests.
ü NB additional requirements of an exemption for “special categories of data”
q Consent is basically only really useful where you can’t rely on any of the others –
typically, in relation to direct marketing.
q Consent is hard to get right, easy to exceeds and easy to lose.
q Basically, consent is rubbish.
'

11. @danmabyblue37.com
Myth 3
💩
Consent is all you need

12. @danmabyblue37.com
The Myth
“It’s all ok as long as you have consent”
🦄

13. @danmabyblue37.com
The Reality (1)
You probably don’t have consent, actually
q Freely given, specific, informed?
q Affirmative action?
ü i.e. no “we will assume you consent unless”
q Not ties to something that consent isn’t necessary for?
ü i.e. no “by using our service you consent to us spamming you up the wazoo forever
more”
q Sufficiently granular?
ü i.e. separate consent for each purpose
q As easy to withdraw as to give?
'

14. @danmabyblue37.com
The Reality (2)
Consent might be a legal basis on which you process, but you still have to do that
processing in accordance with GDPR.
Fairly, transparently Keep safe and secure
Purpose limited, minimised Record keeping
Accurate, not retained for
longer than necessary
Rights exercise
'

15. @danmabyblue37.com
Myth 4
👎
IT will sort it out

16. @danmabyblue37.com
The Myth
“Data protection is an IT issue”
“Buy this ‘thingy’ and you’ll be compliant”
🦄

17. @danmabyblue37.com
The Reality
q Data protection is a boardroom issue
q IT is involved, but so are Operations, HR, Sales, Marketing…
q There is no turnkey solution to GDPR compliance
ü People and Process first!
ü Technology tools can help with particular issues e.g. data
discovery, record keeping, data housekeeping, security etc.
'

18. @danmabyblue37.com
Myth 5
😳
Data Protection Officers

19. @danmabyblue37.com
The Myth
“All businesses have to appoint a Data Protection Officer.”
“All businesses with more than 250 employees have to appoint a Data
Protection Officer.”
…or some variation on that theme.
🦄

20. @danmabyblue37.com
The Reality
q Most businesses will not be obliged to appoint a DPO
q You must appoint a DPO only if:
ü You’re a public authority
ü Your core activities require regular and systematic monitoring of data subjects
ü Your core activities consist of large scale processing of special categories of data
q Otherwise, you don’t have to… but might want to anyway?
'

21. @danmabyblue37.com
Myth 6
🤮
Breach reporting

22. @danmabyblue37.com
The Myth
“All data breaches have to be reported within 72 hours”
🦄

23. @danmabyblue37.com
The Reality
q Not a straight myth, but only kinda true
q Data breaches must be reported to the ICO by the controller UNLESS “unlikely to
result in a risk to the rights and freedoms of the natural persons”
ü Encrypted?
ü Retrieved unopened?
ü A bunch of corporate email addresses?
q Obligation is “without undue delay and, where feasible, no later than 72 hours
after having become aware of it”
q Give (good) reasons if late, phased reporting
'

24. @danmabyblue37.com
A few things that aren’t myths
q Still applies, Brexit notwithstanding
q Extraterritorial effect
q Primary obligations for data processors
q Record keeping
q New subject rights
q New contractual requirements for processors
q More prescriptive security requirements
q Stricter rules on consent 🤟

25. @danmabyblue37.com
#GDPRubbish
🥊
If watching a bunch of lawyers getting apoplectically angary is
your idea of a good time…

26. @danmabyblue37.com
#WPEssex
👍
Credit:
Dan Hedley
Irwin Mitchell LLP
@DanHedleyIM

27. @danmabyblue37.com
#WPEssex
👋
Dan Maby| @DanMaby
Blue 37 | @blue37digital

28. @danmabyblue37.com
I’m no legal expert
❤