Back in 2018, when it first came into force, there was a lot of confusion about the GDPR.
In some cases, there still is.
In this crib sheet we address some common misconceptions.
It doesn’t apply because of Brexit
The GDPR was imported into UK law by virtue of the Data Protection Act 2018, so it does apply despite Brexit. See this article on GDPR post Brexit. (We’ll refer to the GDPR in this note, rather than the DPA, as most people still think of it that way.)
It’s not personal data if it’s public information
Sometimes people confuse personal data with confidential information, thinking that if something is in the public arena, it’s fair game.
This isn’t correct. Any information that, either (a) by itself or (b) when combined with another piece of information, enables you to identify someone is personal data, and as such it must be protected in the way mandated by the GDPR.
For example, someone’s business email address still qualifies as personal data (even if it’s in the public domain on a company website), as it would be easy to trace back to the real-life person behind it. This is useful to note for budding B2B marketeers. To illustrate:
[email protected] is personal data
[email protected] is personal data
[email protected] is not personal data
Think of it like a crumb trail. If it leads you to a living person, it counts.
Small businesses are exempt
It is safe to say that no business is exempt: if your organisation is engaged in a professional or commercial activity, the GDPR applies. The only meaningful exceptions are if you are still using paper records or (sadly) if you are processing the personal data of those who are deceased.
This means that even a consultant or a sole trader is required to process personal data in accordance with the GDPR.
Having said this, the bigger your company, the more stringent the GDPR expects you to be. This makes sense: a bigger organisation is more likely to be processing more personal data, in more complex ways.
A sole-trading painter and decorator, for example, may only have a small number of email addresses and phone numbers in their smartphone, whereas a larger company will be processing the personal data of its staff, consultants, contractors, clients, website visitors and suppliers, and may be sharing this data with others and/or transferring it overseas.
Generally, the greater the size and complexity, the more we are expected to keep on top of it.
All companies need a data protection officer
Not true. Every business can choose to appoint a DPO, but not every company needs to appoint one.
Under the GDPR, there are broadly three instances in which you don’t have a choice about this.
First is if you are a public body. Next is if your core business is about large scale, regular and systematic monitoring of people. A good example is a large retail website using algorithms to monitor the searches and purchases of its users and make purchasing recommendations to them. Think Amazon.
And third is if your core business is about processing special categories of personal data (such as data revealing racial or ethnic origin, political opinions, biometric data or health data) or data relating to criminal convictions and offences. A good example is a health insurance company processing health related information about a large number of individuals. Think BUPA.
You can only use personal data with consent
Thankfully the GDPR is not looking to be quite this restrictive (it would bring business to a halt). But it does ask us to minimise, to justify and to be respectful.
Whenever we can achieve a desired outcome without processing personal data, we must do so. Otherwise, there are six grounds under which we can lawfully process personal data. These grounds are called ‘Lawful Bases’. Consent is one. The others are Contract, Legal obligation, Vital interests (needed to protect someone’s life), Public task and Legitimate interests.
There is no one silver bullet. You’ll need to carefully evaluate which lawful basis applies for each processing activity. For some activities it’ll be consent, for others it might be contract or legitimate interests. The ICO generally frowns upon changing the lawful basis associated with a processing activity so it’s worthwhile investing the time to get it right from the start.
We must report all data breaches to the ICO
Not true. When a data breach occurs, our first action must be to contain it. Then we must work out whether it’s serious enough to report: (a) to the ICO and (b) to the individuals affected by the breach.
We need to adopt a risk-based approach here. If the data breach is unlikely to harm the individuals concerned, there is no need to report it.
See this article on Data breaches
Sometimes people think that if the person whose personal data is being processed (the data subject) doesn’t reside in the UK, then the GDPR doesn’t apply.
But this is not the case, as follows:
If your business is based in the UK and the data subject lives in the UK, the GDPR applies.
If your business is in the UK and the data subject lives in the EU, the GDPR applies.
If your business is in the UK and the data subject lives in China, the GDPR applies.
If your business and the processing you do are based in China and the data subject lives in China, the GDPR doesn’t apply.
Data protection laws are the same everywhere
It is true that the GDPR is widely seen as the gold standard in data protection. In this respect, it is safe to assume that if you comply with the GDPR, you are in reasonably good shape. However, many countries (and some states) have their own laws. In the US for example, many states have their own data privacy statutes. In China, data protection laws are still being developed.
When you are doing business internationally, you’ll need to comply with the (UK) GDPR on the home front and ensure that local laws are being observed elsewhere. (Note that the EU GDPR and the UK GDPR are more like fraternal twins than identical ones, so there may be additional requirements to factor in.)
It doesn’t matter how long I keep the personal data
Not true. The GDPR asks us to take a view, for each personal data set, as to how long we can legitimately hold on to it.
When trying to figure this out, it’s best to be practical and think broadly, or look to other forms of regulation. For example, businesses are expected to hold on to financial data for 6-8 years. For legal claims you’ll want to be mindful of the statute of limitations (between 6 and 12 years). Yet for marketing data you’ll naturally move much faster and clean up your database regularly, because there is no point in marketing to out-of-date email addresses.
Once you’ve decided on the time frames, put together a data retention policy.
If I comply with the GDPR, the data will be safe
If only. Processing personal data lawfully is only half of the story. We must also enlist the right cyber-security technologies to keep it safe and seek to minimise the risk of data being compromised.
It’s helpful to think of ourselves as custodians: the personal data doesn’t belong to us. It belongs to the living person to whom it relates. We are using it for our own business purposes (in accordance with the GDPR) and we must do our best to protect it from cyber risk. See this article: How good is your cyber security.
You might also find it helpful to read our GDPR Golden Rules
Written by Twiggy Harding
Co-founder at My Inhouse Lawyer