GDPR: The myths and the reality, according to Riliance
By now, everyone working in the legal sector should be aware that the General Data Protection Regulation (GDPR) will be coming into force on May 25th. However, as is probably inevitable with such a lengthy and complex piece of legislation, various myths have arisen which have caused consternation in some circles.
This article aims to debunk some of those myths, most of which tend to prompt fear, confusion or inaction rather than a positive response to the changes that lie ahead. So what are the key myths surrounding GDPR? The Information Commissioner’s Office (ICO) has issued a blog that looks at the main ones. We’ll take a quick peek at them and explain the reality behind the myths – and later we’ll look at some of the help available for those who want to make absolutely sure that their chambers will be compliant in time for the deadline and beyond.
1) GDPR is unwanted and unnecessary
a) It’s just another burden. Perhaps the most widespread myth is that GDPR is another box-ticking exercise that’s basically a waste of time. It isn’t. It’s been developed to protect people from the misuse or abuse of their personal data. Inevitably, however, any legislation will involve changes. With GDPR, although these changes might at first glance seem time-consuming and pointless, the opposite is true.
Try looking at the new regulation from a different perspective. Yes, it makes you and your chambers more accountable for its data, but is that a bad thing if it helps to protect the rights of your customers? In reality, the new regulation presents organisations with an opportunity to review and refine their processes – a step that could ultimately protect you from costly accusations and legal action in the future.
Complying with GDPR gives you a greater understanding of the information you hold and ensures that you have the right security measures in place to protect it and its use. We believe that this could also provide you with some new business development opportunities. Finally, the new regulation is based on principles such as lawfulness, fairness, transparency, integrity and confidentiality – and that can’t be bad, surely?
2) Crime and punishment
a) The biggest threat from GDPR is massive fines. This myth, like many others, is based on elements of truth. For example, it’s true that those organisations that deliberately flout the law could face massive penalties – up to £17 million or 4% of their turnover. However, this won’t become the norm – it’s likely to be the exception to the rule and is meant as a deterrent.
In reality, the new regulation hasn’t been developed to punish organisations – it’s about trying to safeguard people’s rights and preventing the criminal use of data. It’s also about clarifying issues around data security and helping organisations to recognise some of the challenges involved – and showing them ways of meeting these. It isn’t a case of meting out unnecessarily harsh penalties on organisations that are guilty of minor infringements.
b) Failing to report a potential data breach in time will always result in a huge fine. This is patently untrue. Again, it has an element of truth in it – the ICO can issue fines for failing to notify it of a breach or failing to notify it in time. But this is again a deterrent aimed at those organisations that deliberately and systematically ignore aspects of the new regulation.
However, not all infringements will result in a fine and the level of any fine that’s imposed will depend on the level of the infringement. The best way to ensure that you don’t get a fine is to be open and honest – to have the right safeguards and reporting procedures in place and to notify the ICO of any issues without delay. This especially applies if people’s personal rights (or the privacy of their data) are likely to be affected.
3) A case of consent
a) Consent or not consent – that is the question. Some organisations believe that consent is always essential for processing personal data. This isn’t quite right. Yes, consent is an important element of the new regulation, and must involve a clear and positive response (rather than a box-ticking exercise). Any consent that already exists must meet the standards set out by GDPR. You need to think about the type of consent you need and then ensure that it’s granted. It must also be easy for people to withdraw their consent if they want to do so. Having said all of this, consent isn’t the only way of complying with GDPR.
b) We can’t plan our consent yet. Other organisations believe that they can’t start implementing consent rules until the ICO has published its formal guidance on the issue. They’re wrong – this is another myth. The ICO has already issued draft guidelines and these are unlikely to change significantly, so they form a good basis for planning consent. In addition, most chambers have most of the tools they’ll need to implement the guidelines. If not, we can help – please remember, it’s safer and wiser to act now rather than to leave everything until the last minute.
4) Once more unto the breach…
a) All data breaches must be reported to the ICO. This is yet another myth based loosely on fact. Yes, it will be mandatory to report any personal data breaches that could affect people’s rights and freedoms. But if a breach isn’t likely to have such implications, it doesn’t have to be reported!
However, it’s worth remembering that any high-risk breach that falls into the first category not only needs to be reported to the ICO – it should also be reported to any individuals who are likely to be affected.
b) When a personal data breach occurs, you have to provide all of the details involved. Not so! The truth here is that if a breach is likely to affect someone’s rights or freedoms, it must be reported within 72 hours, wherever possible. You’ll need to give certain details at the time but others can be provided later. The main information the ICO will want to know initially includes the potential scope of the breach; its cause; and any actions you intend to take to remedy it and to prevent future occurrences.
c) Reports of data breaches are just used to punish people. Although chambers that have been responsible for a breach could face penalties, this isn’t the primary purpose of a report. The main aim is to protect personal data and to help companies to enhance their security processes so that they’re better equipped to detect and prevent any breaches. The information provided by the reports also helps the ICO to analyse any trends or patterns relating to security issues so that they can continue to improve data protection measures.
Meanwhile, your chambers can help itself by developing an effective GDPR culture that shows the ICO and your customers that you can be trusted with personal data.
5) I’m all right, Jack!
a) Your insurance already covers you for GDPR issues. This is another common misconception – that your chambers doesn’t need extra insurance to cover GDPR, because your current insurance will cover you. This isn’t true – for instance, Bar Mutual won’t indemnify you against any penalties imposed by the ICO for breaches of GDPR. You’ll need top-up insurance, so your chambers and barristers must ensure that they review their insurance requirements accordingly.
b) Once you’re compliant with GDPR, that’s it. Many organisations think of GDPR like the so-called millennium bug – once it’s sorted, no further action will be needed. However, GDPR will continue to evolve after its introduction on May 25th 2018. It’s true that your chambers must be ready for GDPR by this date, but it must also continue to monitor and address any new potential security risks that arise after that. Having a good reporting and review system in place, and people with clear responsibilities for GDPR, are both key factors that will be taken into account if any data breaches occur and will help to reduce any future penalties.
GDPR compliance – the tools to meet the needs
All of these myths point to the need to have a strong GDPR culture within your chambers, including effective monitoring and reviewing processes. At Riliance, we’ve developed a comprehensive toolkit that will help to ensure that you comply with GDPR and that you have all the necessary systems, procedures and training in place that will show the regulator that you take data security seriously. This includes the appointment of responsible people, such as a Data Protection Officer, if appropriate for your chambers.
The issues we address in our toolkits for individuals and small businesses include: GDPR training; data access; client care; website review; and a compliance webinar. For larger businesses, we provide non-client breach reporting; DPO-client breach reporting; and a GDPR stress test. We also offer a fully outsourced service that includes all of these items plus risk profiling and third-party reviews. Finally, we have a host of other risk management solutions that will help your chambers to minimise the impact of any issues that might affect it.
Wherever you are in terms of GDPR compliance, if you need any help, please don’t hesitate to contact us. GDPR can sometimes seem like a very complex maze but we can show you a clear route through to full compliance.