
Last updated 23.4.16

Myths of the GDPR


By Ardi Kolah BA (Hons), LL.M, FCIM, FRSA
Co-Programme Director, DPO Programme, Henley Business School

As the blogosphere goes into overdrive over the recent European Parliament adoption of the EU
General Data Protection Regulation (GDPR), it's instructive to dispel some of the myths, and there are
lots of them (!), circulating across LinkedIn and other social media channels within the two-year
transition period to full GDPR.

Below is a small collection of some of the myths doing the rounds right now, but perhaps you can
contact me if you think you've come across another myth or simply want us to check it out for you.

Myth #1: You don't need to rely on consent for personal data processing, as legitimate interests will
suffice

Under Annex 47 of the GDPR, it's explained that the legitimate interests of an organisation (Data
Controller), including those of a Data Controller to which the personal data may be disclosed or of a third
party, may provide a legal basis for processing, provided that the interests or the fundamental rights
and freedoms of the customer (Data Subject) are not overriding, taking into consideration the
reasonable expectations of the Data Subject based on the relationship with the Data Controller.

Legitimate interest could exist, for example, when there's a relevant and appropriate relationship
between the Data Subject and the Data Controller, such as where the Data Subject is a
customer of, or in the service of, the Data Controller (for example, an employee).

At any rate, the existence of a legitimate interest would need careful assessment including whether
a Data Subject can reasonably expect at the time and in the context of the collection of the personal
data that processing for this purpose may take place.

The interests and fundamental rights of the Data Subject could in particular override the interest of
the Data Controller where personal data is processed in circumstances where the Data Subject
doesn't reasonably expect further personal data processing to take place.

However, it's important to note:

- This doesn't apply to public authorities.
- The interests, rights and freedoms of the Data Subject override legitimate interests (Art. 6(1)(f), GDPR).
- The Data Controller will still have to tell the Data Subject that it's processing their data and give
  them the right to object to processing of their personal data.
- Further guidance from the Information Commissioner's Office (ICO) and the European Data
  Protection Board (EDPB) as to what constitutes legitimate interests is likely to be published
  in the future.

In the meantime, it's safer to ensure that consent is obtained in accordance with the principles in
the GDPR, which in practice will mean that organisations should re-consent permission from Data
Subjects in this transition period to full GDPR, as processing the personal data of Data Subjects in
contravention of the GDPR will give rise to a significant administrative fine.

Myth #2: Media organisations have a get-out-of-jail card when it comes to complying with the
GDPR

Art. 85, GDPR deals with the processing of personal data and freedom of expression and information.
Member States shall by law reconcile the right to the protection of personal data pursuant to the
GDPR with the right to freedom of expression and information, including the processing of personal
data for journalistic purposes and the purposes of academic, artistic or literary expression.

For the processing of personal data carried out for journalistic purposes or the purpose of academic,
artistic or literary expression, Member States shall provide for exemptions or derogations from the
provisions in Chapter II (principles), Chapter III (rights of the data subject), Chapter IV (controller and
processor), Chapter V (transfer of personal data to third countries or international organizations),
Chapter VI (independent supervisory authorities), Chapter VII (co-operation and consistency) and
Chapter IX (specific data processing situations) if they are necessary to reconcile the right to the
protection of personal data with the freedom of expression and information.

Each Member State shall notify to the European Commission those provisions of its law which it has
adopted pursuant to the above and without delay any subsequent amendment law or amendment
affecting them.

However, many media organisations hold subscriber information about their customers, so the Data
Protection Officer (DPO) will still have to create appropriate training for all staff working in a media
organisation as to where journalistic purposes apply and where the media company must comply
with the GDPR with respect to the handling and processing of customers' personal data.

Myth #3: There's an extra 12 months after the expiry of the transition period for an organisation
to appoint a Data Protection Officer (DPO) where required

This is a popular myth surrounding the GDPR and there's absolutely no basis for it! If anything, it
will take most organisations at least six months to integrate a DPO into the organisation, leaving 18
months for that individual to oversee compliance with the GDPR before the expiry of the transition
period in June 2018.

Myth #4: There's no need to worry about training a DPO; they just need to get on with the job!

This is a very high-risk strategy, because the GDPR prescribes that the DPO must maintain her/his
expert knowledge, and it's much easier to point to a diary entry where you've enrolled on an
executive education programme at a business school! It's partly a tick-box exercise, but in reality,
given that the stakes are high when getting this wrong, it's the first line of defence in terms of protecting
business continuity within the organisation.

Myth #5: A Personal Data Breach (PDB) is unlikely to attract a significant fine given the track
record of the ICO to date

It's easy to be lulled into a false sense of security that because enforcement under the Data
Protection Act 1998 wasn't something that most Board directors worried about, the same is true for
the GDPR.

Wrong.

The ICO is on a mission, with its new set of sharper teeth, thanks to the GDPR, to ensure that it takes
action in a more rigorous way. In fact, it's on a mission to hire a record number of staff for the job,
and it's changing the way it works to take account of the One Stop Shop that makes it much easier
for any EU citizen to launch an action anywhere in the EU against an organisation that has abused
the use of personal data. The fines are up to 4% of global turnover or €20m, whichever is the
greater.

At this rate, can any organisation afford to get this stuff wrong?

Myth #6: If you're already compliant with the Data Protection Act 1998, you've nothing to worry
about

This one is often repeated by privacy experts and even lawyers. Again, it's easy to be lulled into a
false sense of security that because you complied with previous data protection laws, you're in the
clear.

Wrong.

The GDPR and the DPA 1998 are materially different in many respects, and in fact the GDPR is around
three times the length of the DPA 1998. This is the case, for example, when it comes to the legal obligations imposed
on Data Controllers with respect to the way in which consent from a Data Subject can be obtained
and how notices to the Data Subject must be given.

It's more accurate to say that compliance with the DPA 1998, together with observance of good practice that
goes well above the legal requirements under the previous regime, will make the transition to full GDPR
that much easier for organisations.

In conclusion, the Data Controller needs to evaluate the specific risks to the Data Subject laid out in
the GDPR and, as a result, the risk to the organisation of processing this personal data.

If you'd like to learn more about the DPO Programme and how this can help ensure that your DPO is
up to date with their knowledge in this rapidly evolving area, contact Gemma Jones, Business
Development Manager, Henley Business School on +44 (0)7971 505247 or email
gemma.jones@henley.ac.uk
