3 GDPR myths you need to ignore

21st Oct 2019

Around this time last year, the infamous General Data Protection Regulation (GDPR) was in its infancy and was just starting to be enforced across the country. Well it turns out that this complicated bit of legislation is still confusing the life out of people - and from confusion arises misinformation. It’s like an American high school with rumours being flung about like jockstraps in the boys’ locker room and our poor little GDPR has been the target of some scurrilous untruths. Let’s look at some of the most pervasive myths about the GDPR that just won’t go away.

1) The biggest threat to organisations from GDPR is massive fines.

Straight in at the top is this rumour that has been sensationalised into its current form. While it’s true that the threat of huge fines (up to £20m or 4% of turnover) is definitely a raised hand, that doesn’t mean it will result in a slap.

The original estimates predicted that fines under the GDPR would be 79 times higher than those issued under previous data protection regimes and that large companies, in particular, would be “made examples of” to get everyone in line.

This has proven itself to be wholly untrue as there hasn’t been a single GDPR fine to this amount issued by the ICO in the last year. The law is there to put the citizens and consumers first, not chastise organisations; and besides, these huge fines would be saved for the worst data breaches.

2) You must have consent to process personal data.

Whilst the GDPR is raising the standards for consent, a lot of emphasis has been put on how valuable our data is and that our consent is paramount in using it which has caused a lot of confusion. We all remember the emails, good Lord the incessant, never-ending emails from every website you’d ever given your email address to: “We’ve updated our privacy policy”, “Would you still like to hear from us”.

But this general perception that without consent no data can be processed is incredibly misleading. Consent for data processing is just one way that an individual's information can be collected and used, but as the ICO ominously said back in 2017 - “it’s not the only way”.

For processing to be lawful under the GDPR legislation, a lawful basis needs to be identified before you start. For example: am I allowed into my sister’s room? No. But do I need to steal her clothes? Yes. Entry = Lawful.

3) All breaches, no matter how small, must be reported to data protection authorities.

Ok, let’s break this down. I was in the office the other day and I noticed a birthday card on a desk. The envelope next to it had the recipient’s name and address and I could guess at the age based on the “hilarious” innuendo plastered across the front. That person did not consent for me to see this data! My boss should have kept this secure! REPORTED!

Could you imagine? The ICO don’t care about these little discrepancies, nor should you. The only breaches that need to be reported are ones where it is likely to result in risk to people’s rights and freedoms. So no, not every breach needs to be reported. We’re not all Rebekah Vardys here.

Click here to find out more about how BrightPay Connect can help you with GDPR compliance.


Written by Aoibheann Byrne | BrightPay Payroll Software