The document discusses common myths about the General Data Protection Regulation (GDPR). It summarizes six myths: 1) that fines under GDPR will be massive, but fines will be proportionate; 2) that consent is required for all data processing, but there are alternative bases; 3) that consent alone ensures compliance, but other requirements still apply; 4) that IT can ensure compliance with technology solutions alone, but people and processes are most important; 5) that all businesses must appoint a Data Protection Officer, but the requirement is narrow; and 6) that all breaches must be reported within 72 hours, but reporting depends on risk level. The document provides the realities behind each myth.
10. @danmabyblue37.com
The Reality
- Consent is one possible basis for processing personal data.
- There are 5 others: contractual necessity, legal obligation, protection of vital interests, public interest necessity and legitimate interests.
  - NB: “special categories of data” additionally require one of the specific exemptions to apply.
- Consent is basically only really useful where you can’t rely on any of the others – typically, in relation to direct marketing.
- Consent is hard to get right, easy to exceed and easy to lose.
- Basically, consent is rubbish.
13.
The Reality (1)
You probably don’t have consent, actually
- Freely given, specific, informed?
- Affirmative action?
  - i.e. no “we will assume you consent unless”
- Not tied to something that consent isn’t necessary for?
  - i.e. no “by using our service you consent to us spamming you up the wazoo forever more”
- Sufficiently granular?
  - i.e. separate consent for each purpose
- As easy to withdraw as to give?
17.
The Reality
- Data protection is a boardroom issue
- IT is involved, but so are Operations, HR, Sales, Marketing…
- There is no turnkey solution to GDPR compliance
  - People and Process first!
  - Technology tools can help with particular issues, e.g. data discovery, record keeping, data housekeeping, security etc.
20.
The Reality
- Most businesses will not be obliged to appoint a DPO
- You must appoint a DPO only if:
  - You’re a public authority
  - Your core activities require regular and systematic monitoring of data subjects
  - Your core activities consist of large scale processing of special categories of data
- Otherwise, you don’t have to… but might want to anyway?
23.
The Reality
- Not a straight myth, but only kinda true
- Data breaches must be reported to the ICO by the controller UNLESS “unlikely to result in a risk to the rights and freedoms of the natural persons”
  - Encrypted?
  - Retrieved unopened?
  - A bunch of corporate email addresses?
- Obligation is “without undue delay and, where feasible, no later than 72 hours after having become aware of it”
- Give (good) reasons if late; phased reporting
24.
A few things that aren’t myths
- Still applies, Brexit notwithstanding
- Extraterritorial effect
- Primary obligations for data processors
- Record keeping
- New subject rights
- New contractual requirements for processors
- More prescriptive security requirements
- Stricter rules on consent 🤟