GDPRubbish: Misinformation, scaremongering, and panic

Terror at the office

Those who can, teach data protection strategies. Those who can’t, promote data protection solutions.

The General Data Protection Regulation (GDPR), the overhaul of data protection and privacy standards across Europe which becomes enforceable on the 25th of May 2018, is being squeezed for every drop of snake oil possible.

Despite responsible providers’ best efforts to rise above it, the onslaught of “GDPRubbish” has sadly become the story itself. Even the UK information commissioner herself has had to start a series of blog posts busting the ridiculous myths being spread about GDPR.

The first step in healthy GDPR compliance is awareness: gaining an informed understanding of what the data protection revamp does involve. That means being able to separate the GDPRubbish from the GDPR and recognise what the requirements do not involve.

As your accountancy practice works towards the May 2018 deadline, be aware of these widely peddled falsehoods:

Myth: fines! Fines! Fines! OMG fines!

The most obvious sign of GDPRubbish is any advice which mentions fines in the first paragraph. We have even seen a reputable news channel reporting fines of up to one billion pounds, a sentiment best expressed in Dr. Evil’s accent.

While data protection regulators can and will increase the number and frequency of fines under GDPR, these will be necessary, proportionate, and only ever applied as a last resort. The fines totalling a percentage of a company’s global turnover, be that one billion pounds or not, will be reserved for the largest companies processing the biggest volumes of data and committing the worst data breaches.

Myth: This is EU overreach

GDPR is an update, overhaul, and modernisation of data protection rules which have existed across Europe since 1995. In the UK, these rules were brought into UK law as the Data Protection Act of 1998. GDPR is, in fact, already the European legal standard, but does not become enforceable until 25 May 2018.

The businesses which will struggle the most with GDPR compliance were the ones that were not in compliance with the existing UK data protection framework to begin with. Those who were already working at healthy levels of data protection compliance will find GDPR’s new requirements both easy and practical. Those who were not will have more work to do, and in that light, the effort spent on GDPR compliance will be the cost of catching up with what they should have been doing all along.

Myth: It won’t matter after Brexit

One of the more dangerous misconceptions about GDPR is that it will not apply after the UK leaves the European Union, whenever that will be. The UK government has already confirmed that we will go into GDPR and that it will remain the UK data protection standard for at least several years after the divorce.

The UK’s proposed Data Protection Bill, a long-term transitional arrangement between GDPR and any post-European data arrangement, will be introduced in Parliament in September, and its progress should be carefully monitored by accounting industry bodies.

Maintaining European data protection standards post-Brexit is not a mere matter of administrative convenience. One of the key principles of European data protection is that non-EU countries receiving European data must work to a data protection system deemed equal and adequate to European standards (e.g. GDPR). To abruptly leave GDPR on an arbitrary calendar date would cut off UK-European data flows overnight, leaving everything from web hosting to cloud storage to the UK’s entire digital sector floundering in its wake.

It is not in any government’s interest to cut off its nose to spite its face, and it is not in any accountancy practice’s interest to ignore a legally enforceable data protection standard based solely on its origin.

Myth: You can become “GDPR accredited” or “GDPR compliant”

Data protection, both before and after GDPR, is about integrating common-sense, responsible, and thoughtful user protection steps into your practice’s everyday processes and workflows. “Compliance” can only ever be a snapshot of one day’s effort. Believing that your business is “GDPR compliant” because you have completed a compliance process, be it an internal audit or an external training course, is a guaranteed way to make that compliance slip into meaninglessness.

Likewise, believing that your business has been “GDPR accredited” through a training course will only indicate that you have wasted your money. As of this writing, the UK’s data protection regulator, the ICO, has not approved any accreditations, certifications, or training courses, an awkward detail which has not stopped service providers from offering “authorised” courses all the same. Your practice would be better off having no training at all than displaying a certificate from the Walter Mitty Institute.

Facepalm: GDPR service providers who aren’t GDPR compliant

Finally, if the AccountingWEB team had a pound for every company we have seen promoting GDPR compliance services, software, or a white paper using a site which itself is not GDPR compliant, we would be able to enjoy a very good night out.

When choosing a service provider to help you on your compliance journey, it is your responsibility to make sure they are walking the walk. If you can spot the ways that a potential GDPR compliance provider has failed to comply with the provisions of the very thing they are teaching, congratulations: you know more about the regulation than they do.

About Heather Burns


I focus on UK and EU policy and legislation, and the ways they impact the digital economy. Outside AccountingWeb I am a digital law specialist for the web design and development professions.

Replies

24th Aug 2017 20:24

A refreshing article with common sense at its core.
Would you consider doing an article on MTD compliant software; whatever that means?
Thanks

Thanks (7)
25th Aug 2017 08:20

So if an employee refuses their information to be shared with anyone else, what's the position with HMRC RTI Full Payment Submission? Does the employer provide information to HMRC for PAYE purposes or not? With the right to be forgotten, how does that sit with the legal obligations to retain PAYE information for a minimum of 3 years plus current? If an employer received such a request, would that individual's data be removed? When it comes to PAYE audit or NMW audit, what is the position of the employer if that data has been purged? And how about statute of limitation, record retention under Pensions, Health and Safety, etc. etc.? To what extent do the GDPR rights extend with regards to tax records?

Thanks (1)
to psimonparsons
25th Aug 2017 09:23

psimonparsons wrote:

So if an employee refuses their information to be shared with anyone else, what's the position with HMRC RTI Full Payment Submission? Does the employer provide information to HMRC for PAYE purposes or not?

What do you think? Aside from the legal requirement to provide the information to HMRC you could always take a more practical approach with the employee; "If you don't want us to legally report the payment to HMRC, which we will do, your alternative is not to be paid. Which is it?"
That should resolve it for you.

Thanks (3)
to psimonparsons
25th Aug 2017 11:50

These are classic examples resulting from much of the misinformation that has been spread - most of which is specific to marketing databases and email lists.

Yes, GDPR enhances and clarifies existing protections around consent, right to be forgotten etc.: but only in situations where an organisation is relying on consent because it has no other justification for holding the data.

But consent is only one of the justifications for processing data that are enumerated under GDPR (full list https://ico.org.uk/for-organisations/data-protection-reform/overview-of-...).

In the case of HMRC RTI or PAYE record retention, this will fit under "Processing is necessary for compliance with a legal obligation". No consent is therefore necessary, nor is there a right to be forgotten. Similarly in other cases.

Then there are broader things like equal pay / race discrimination audits etc where there might not be a legal obligation but the company has a legitimate reason to retain at least some data to allow it to defend against potential legal claims. Again that's one of the listed reasons.

GDPR isn't really about making everyone consent to everything (and indeed to do so would potentially be confusing and counter-productive). That's a relatively small part of the new legislation, albeit important if relying on consent because of the changes to make sure that is definitely voluntary and informed (no more tucked-away pre-filled checkboxes).

GDPR is actually much more about an ongoing process within organisations of understanding what information is held, about who, how and for how long and ensuring there is a reasonable justification for this.

For example, you might need an ex-employee's payroll details for 7 years, but do you need to store their race / sexuality for that long? Could you wipe it once the realistic time period for a discrimination claim has passed? Could you aggregate it as anonymous statistical info at some point? Can you at least limit who has access to it?

Thanks (3)
to andyscotland
31st Aug 2017 14:16

I'm reading this chain with great interest. I'm particularly curious about organisations outsourcing their payroll. I understand that consent is not needed by an employer to process their own payroll, but where an organisation outsources its payroll processing, where does the employer (and the bureau) stand regarding consent/necessity? I have been unable to find any information about this.

Thanks (1)
to GeoffArcher
01st Sep 2017 15:36

That's a good question.

Broadly speaking, "processing" data includes sharing it with others who will carry out processing on your behalf. So if you have a legal justification to hold and process the data, and you pass it to a third-party service provider for that specific purpose, then you and they are both covered. There's no additional need for consent.

As usual, there are some caveats. As with the current DPA you'll need to take reasonable care to ensure that they are trustworthy, and that they are not going to use the data you're providing for another purpose. For example, they can't then approach your staff directly to sell them tax advice or whatever.

Usually you'd cover that with some contractual protections and a bit of due diligence. Exactly how involved you get depends on whether they're classed as an independent data controller or just a data processor. A data processor is essentially a subcontractor: you have ultimate liability for their actions so need to do more to show you've assessed and managed them appropriately. That said, GDPR levels the playing field a bit and gives processors new direct legal responsibilities (in theory reducing your exposure) than they have had in the past. A reputable provider will be able to advise and work with you on data protection matters.

Similarly, you can only share the data that's relevant to the processing being provided. So passing the payroll company things like age, gender and earnings of course is fine, but if they're on a big staff spreadsheet / new-start form that also has say ethnicity or emergency contacts then those details should probably be removed as it's unlikely they're relevant to the work the payroll provider is doing for you. Likewise you would pass bank details if the payroll company does the payments, but probably not if they just do the sums and give you the list of net figures. You may also want to clarify whether the service provider is transferring data outside the EU, which has a separate set of considerations.

So there's obviously various things to work through, but again fundamentally it comes down to common sense: if it's something you could legally do, it doesn't become a problem just because you get someone trustworthy to do it on your behalf.

Thanks (4)
to andyscotland
04th Sep 2017 14:38

Thanks Andy for taking the time to give such a detailed response. It's very helpful information. I'm sure others will find it useful too.

Thanks (1)
25th Aug 2017 13:46

As GDPR is currently effective, merely not enforced, most British companies still have their head in the sand.
Sadly, when picked up by lawyers, it had been traduced as a 'legal compliance issue' - whereas the actuality is that it is a business, and therefore also IT, process issue.

Even then, it will be a continuous process. As Heather states, there will be no such thing as certification around compliance - and while the regulator will be initially gunning for big companies - a. as an example to the others and b. they need some big fines to pay for the infrastructure they need to implement - there will be years of major and minor court battles before the 255 shades of grey uncertainty are reduced to a manageable 50 - there will, I am sure, never be certainty.

Thanks (0)