The UK’s information commissioner, Elizabeth Denham, has apparently become so infuriated with inaccurate claims about incoming data protection rules that she is penning a series of blogposts to “bust the myths”.
The European Union’s General Data Protection Regulation - which comes into force in May 2018 - and the UK’s impending Data Protection Bill, which will largely mirror the EU regulation, aim to increase personal data protection.
The new legislation includes higher fines, stricter rules on how companies can gain consent and increased rights for individuals, for instance allowing them to require organisations delete information held on them.
The confusion around the tighter regulations - not to mention the headline-grabbing fines of up to €20m, or 4 per cent of global turnover - are proving to be stuff of marketing departments’ wet dreams.
Company after company is pushing "self-assessment" kits to prove how under-prepared organisations are, while others are selling various widgets, gizmos and services that claim to help them comply.
And it seems the veritable mass of hype has come to the attention of the UK’s data protection watchdog, with Denham saying that if “misinformation goes unchecked, we risk losing sight of what this new law is about”.
Taking rumours about consent to task, Denham said that it is not true that all companies will have to get explicit consent to process personal data.
“The rules around consent only apply if you are relying on consent as your basis to process personal data. So let’s be clear. Consent is only one way to comply with the GDPR,” she wrote.
“The new law provides five other ways of processing data that may be more appropriate than consent.”
These include if processing is necessary to comply with another legal obligation, to allow a controller to carry out a task in the public interest - something public authorities are likely to need to rely on - or for “the purposes of legitimate interests”.
The Information Commissioner’s Office guidance says that the best way for organisations to tell if it is a legitimate interest is to ask if what they intend to do “is fair”.
However Denham acknowledged that organisations wanted, and needed, more clarity on this and that there would be more guidance from the EU’s working party on data protection next year.
But she warned there was “no need to wait for that guidance", adding: "You know your organisation best and should be able to identify your purposes for processing personal information."
She also emphasised that the idea that companies had to wait for the ICO’s final guidance on consent - it was put out for consultation earlier this year and is due to come out in December - was wrong.
“It’s unlikely that the guidance will change significantly in its final form. So you already have many of the tools you need to prepare.”
Denham’s previous myth-busting was about fines, saying the idea that the ICO would just scale up penalties within the higher bracket was “nonsense”. She also noted that the ICO had yet to “invoke our maximum powers” - a £500,000 fine. ®