Data protection myth busting

It doesn’t apply because of Brexit

The GDPR was imported into UK law by virtue of the Data Protection Act 2018. So, it does apply despite Brexit. See this article on GDPR post Brexit. (Meanwhile, we’ll refer to the GDPR in this note (instead of the DPA) as most people still think of it that way).

It’s not personal data if it’s public information

Sometimes people confuse personal data with confidential information, thinking that if something is in the public arena, it’s fair game.

This isn’t correct: Any information, that either: (a) by itself or (b) when combined with another piece of information, enables you to identify someone, is personal data – and as such it is to be protected in the way mandated by the GDPR.

For example, someone’s business email address still qualifies as personal data (even if it’s in the public domain on a company website), as it would be easy to trace back to the real-life person behind it. This is useful to note for budding B2B marketeers. To illustrate:

Belle.Brown@myinhouselawyer.uk is personal data

Belle@myinhouselawyer.uk is personal data

Info@myinhouselawyer.uk is not personal data

Think of it like a crumb trail. If it leads you to a living person, it counts.

Small businesses are exempt

It is safe to say that no business is exempt: If your organization is engaged in a professional or commercial activity, the GDPR applies. The only meaningful exceptions are if you are still using paper records or (sadly) if you are processing the personal data of those who are deceased.

This means that even a consultant or a sole trader is required to process personal data in accordance with the GDPR.

Having said this, the bigger the size of your company the more stringent the GDPR expects you to be. This makes sense – a bigger organization is more likely to be processing more personal data, in more complex ways.

A sole trading painter and decorator for example, may only have a small number of email addresses and phone numbers in their smart phone. Whereas a larger company will be processing the personal data of its staff, consultants, contractors, clients, web site visitors, suppliers and may be sharing this data with others and/or transferring it overseas.

Generally, the greater the size and complexity, the more we are expected to keep on top of it.

All companies need a data protection officer

Not true. Every business can choose to appoint a DPO. But not every company needs to appoint a DPO.

Under the GDPR, there are broadly three instances when you don’t have a choice about this.

First is if you are a public body. Next is if your core business is about large scale, regular and systematic monitoring of people. A good example is a large retail website using algorithms to monitor the searches and purchases of its users and make purchasing recommendations to them. Think Amazon.

And third is if your core business is about processing special categories of personal data (such as data revealing racial or ethnic origin, political opinions, biometric data or health data) or data relating to criminal convictions and offences. A good example is a health insurance company processing health related information about a large number of individuals. Think BUPA.

You can only use personal data with consent

Thankfully the GDPR is not looking to be quite this restrictive. (It would bring business to a halt). But it does ask us to minimise, to justify and to be respectful.

Whenever we can achieve a desired outcome without processing personal data, then we must do so. Otherwise, there are six grounds under which we can lawfully process personal data. These grounds are called ‘Lawful Bases’. Consent is one. The others are Contract, Legal obligation, Vital interests (needed to protect someone’s life), Public task and Legitimate interests.

There is no one silver bullet. You’ll need to carefully evaluate which lawful basis applies for each processing activity. For some activities it’ll be consent, for others it might be contract or legitimate interests. The ICO generally frowns upon changing the lawful basis associated with a processing activity so it’s worthwhile investing the time to get it right from the start.

We must report all data breaches to the ICO

Not true. When a data breach occurs, our first action must be to contain it. Then we must work out if it’s serious enough to report: (a) to the ICO and (b) to the individuals affected by the breach.

We need to adopt a risk-based approach here. If the data breach is unlikely to harm the individuals concerned, there is no need to report.

See this article on Data breaches

Location, location

Sometimes people think that if the person whose personal data is being processed (the data subject) doesn’t reside in the UK then the GDPR doesn’t apply.

But this is not the case, as follows:

If your business is based in the UK and the data subject lives in the UK, the GDPR applies.

If your business in the UK and the data subject lives in the EU, the GDPR applies.

If your business is in the UK and the data subject lives in China, the GDPR applies.

If your business and the processing you do is based in China and the data subject lives in China, the GDPR doesn’t apply.

Data protection laws are the same everywhere

It is true that the GDPR is widely seen as the gold standard in data protection. In this respect, it is safe to assume that if you comply with the GDPR, you are in reasonably good shape. However, many countries (and some states) have their own laws. In the US for example, many states have their own data privacy statutes. In China, data protection laws are still being developed.

When you are doing business internationally, you’ll need to comply with the (UK) GDPR on the home front and ensure that local laws are being observed elsewhere. (Note that the EU GDPR and the UK GDPR are more like fraternal twins than identical ones so there may be additional requirements to factor in).

It doesn’t matter how long I keep the personal data

Not true. The GDPR asks us to take a view – for each personal data set – as to how long we can legitimately hold on to it.

When trying to figure this out, it’s best to be practical and think broadly or look to other forms of regulation. For example, businesses are expected to hold onto financial data for 6-8 years. For legal claims you’ll want to be mindful of the statute of limitations (between 6 and 12 years). Yet for marketing data, you’ll naturally move much faster and clean up your database regularly because there is no point in marketing to out-of-date email addresses.

Once you’ve decided on the time frames, put together a data retention policy.

If I comply with the GDPR, the data will be safe

If only. Processing personal data lawfully is only half of the story. We must also enlist the right cyber-security technologies to keep it safe and seek to minimise the risk of data being compromised.

It’s helpful to think of ourselves as custodians – the personal data doesn’t belong to us. It belongs to the living person to whom it relates. We are using it for our own business purposes (in accordance with the GDPR) and we must do our best to protect it from cyber risk. See this article How good is your cyber security – My Inhouse Lawyer

You might also find it helpful to read our GDPR Golden Rules