GDPR is an evolution in data protection, not a burdensome revolution

Listen to our March 2018 podcast answering your questions on GDPR myths.

By Steve Wood, Deputy Commissioner (Policy).

Myths-BlogOur new series of blogs aiming to bust some of the myths that have developed around the General Data Protection Regulation (GDPR) are proving incredibly popular and we are pleased that so many of you are finding them useful.

Here at the ICO, we took the view that it was time to sort the fact from the fiction before the new law comes into effect on 25 May 2018, given some of the misinformation and outright scaremongering out there – some of which, it must be said, seems commercially driven.

Our first two blogs covered the myths surrounding new fining powers and the issue of consent, and this week we want to talk about another widely held misconception – that the new regime is an onerous imposition of unnecessary and costly red tape.

Myth #4

GDPR is an unnecessary burden on organisations.


The new regime is an evolution in data protection, not a revolution.

Let’s start off by being totally up front here. Any regulation has some sort of impact on an organisation’s resources. That’s unavoidable and GDPR is no different to any other new legislation in that respect. But thinking about burden indicates the wrong mindset to preparing for GDPR compliance.

What must be recognised is that GDPR is an evolution in data protection, not a total revolution. It demands more of organisations in terms of accountability for their use of personal data and enhances the existing rights of individuals.  GDPR is building on foundations already in place for the last 20 years.

If you are already complying with the terms of the Data Protection Act, and have an effective data governance programme in place, then you are already well on the way to being ready for GDPR. Our GDPR overview and 12 steps to take now documents explain where there is continuity, what’s new and how to plan.

Many of the fundamentals remain the same and have been known about for a long time. Fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data you want to process – these are all things you should already be doing with data and GDPR seeks only to build on those principles.

That doesn’t mean there’s any room for complacency. There are new provisions to comply with and organisations should start making preparations now, if they haven’t done so already. But by and large, the new GDPR regime represents a step change, rather than a leap into the unknown.

Much of the criticism about GDPR seems to have focused on the perceived burdens it will place on SMEs and smaller organisations. We have long recognised that SMEs may have limited time and resources for compliance and have acknowledged this in our regulatory approach. But many of these criticisms fail to recognise the flexibility that the key principles in the DPA and GDPR provide – they scale the task of compliance to the risk. Many of the principles reinforce tasks businesses will already to undertake in relation to record keeping – e.g. the principle on data minimisation.

The principles are essentially the same whether you are a small business or a multinational corporation. Many of the actions SMEs should take are practical and straight forward – our updated toolkit is a good starting point.

It is not the size of the organisation that’s relevant so much as the risk that particular businesses and types of data processing pose. Those handling particularly sensitive data, or processing personal data in potentially intrusive ways, for example.

Information management is key to compliance. Under GDPR, people will have strengthened subject access rights to the data you hold about them. This could well lead to more requests being received. So that’s a real burden, right?

Whatever the size of your organisation, GDPR is essentially about trust.  Building trusted relationships with the public will enable you to sustainably build your use of data and gain more value. Through changing their data handling culture, organisations can derive new value from customer relationships.

Failing to get data protection right is likely to damage your reputation, your customer relationships and, ultimately, your finances. That goes way beyond increased fines – think brand damage and a subsequent loss of custom.

The ICO’s annual research on privacy and data protection consistently shows that levels of public trust remain low. Conversely, it also shows that they would be more willing to provide their data, and for different uses, if they felt they could trust organisations to handle it fairly, securely and responsibly. And that provides a major opportunity and competitive advantage for those who can demonstrate that they get data protection right.

Steve WoodSteve Wood is Deputy Commissioner for Policy and responsible for the ICO’s policy position on the proper application of information rights law and good practice, through lines to take, guidance, internal training, advice and specific projects.
This entry was posted in Steve Wood and tagged , , , . Bookmark the permalink.

37 Responses to GDPR is an evolution in data protection, not a burdensome revolution

  1. Darren Revell says:

    Steve I think you missed the point on burdensome that SME’s are making. In just the last 5 days about 20 people have commentated, who almost all have the same qualifications yet have disagreed on basic fundamentals of GDPR. What was the question? Is B2B contact data personal data?

    The burden you have given then is where to get the advice, how to test the advisor knows what they are talking about and how to validate their work without having to pay a lawyer. Evolution does include so much cost.

    The ICO keeps consistently missing the point on the misuses of data will lead to customer reputation loss. That is just scaremongering and patronising at the same time to SME’s. Why?

    If I buy a silk pillowcase from an online silk retailer I want to know my PI is safe, will not be exposed in cyber attacks, won’t be used for identity theft etc. I could care less if the silk retailer wants to send me an email in 5 years as they have a sale ion for silk pyjamas, I have my own PI protection there I UNSUBSCRIBE.

    As there is no control over who gives the GDPR advice, the situation we have now is lots of stories that because there was no consent for me to opt in for silk pyjamas the website is in breach when it sends me an email. The stories go back and forth and result in the only way to know is to pay a GDPR lawyer to tell you who is right or wrong. When you then hear this is our best guess as there is no case law.

    Try busting that myth and you are in breach of common sense if you use terms like building trust, relationships, reputation, customer relationships etc when you do.

    • Ken Leren says:

      As of last week, yes and no.. Company mailboxes are not personal data (the legal persona does not have protection), but individual mailboxes are personal data. So you can email, but not I’m assuming the same interpretation extends to telephone..

      Stop ranting and start reading – you might find it more useful in adapting your business to the new regulations.

      • Pete Austin says:

        @Ken. Sadly you’re wrong. Just because an email address looks personal, and even if it matches the person that you’ve been communicating with, that doesn’t make it personal.

        Your example of might not be an individual mailbox (personal data). It might be an alias for a shared company mailbox (not personal data).

        We do this. We have a standard mailbox for tech support, but with lots of *personal* aliases so that customers can communicate with a technician using “their” email address. But behind the scenes everything goes into the single mailbox of the case tracking system.

      • Tim Morgan says:

        As individual company mailboxes are considered personal data, that would imply all emails to/from individuals are personal but they are still the property of the company. The lawful basis is contractual. Company emails are subject to acceptable use, monitored and retained for legitimate interests. What rights does the individual have?

  2. Simon Ghent says:

    Another blog that is extremely welcome however I fear that you may be encouraging a laissez faire attitude.

    GDPR is perceived as onerous by many because regulation and enforcement of the DPA has been a catastrophic failure. It is virtually ignored within the SMB sector which means that for these organisations to now become ready for GDPR / Eprivacy many have got work to do.

    In addition to data privacy many organisations also have substantial gaps in their data security. Again this needs driving home by widespread adoption of basic frameworks like Cyber Essentials. When I visit solicitors that deal in sensitive data but don’t even have basic passwords in place you understand the extent of the ICOs failure in enforcing good governance.

    The end result is that rather than downplaying the work involved many businesses need a kick up the backside and told to get a move on.

    I totally accept that myths and bad advice abounds and the ICO has a duty to set the record straight. However it also has a duty to ensure that the UK has a robust data privacy and security environment. This seems to be somewhat forgotten on these blogs thus far.

    Doing the right thing has many business benefits but Directors across the SMB and SME sector perhaps need to be reminded that they don’t have a choice.

  3. Guy Pyetan says:

    Most systems aren’t geared up for the dissageragtion of data implied by the gdpr legislation. Forget company policies. The software itself can’t handle it and much needs to be rearchitected.

    That aside I fail to see how one can claim that gdpr isn’t burdensome and worrisome when people are not sure whether they can hold data or even use it. Can a marketing organisation collect pi on indiviuals and use it for marketing? The way I read gdpr probably not but perhaps.. Can a recruitment consultancy collect and built a database of cv’s and use them to sell services? Probably not but perhaps. The answers are not definitive. In each case it seems to me like one needs consent and for example that the recruitment consultancy might well only be able to hold a c.v on file for the period of finding a single job for someone and beyond that delete it. Where does this leave the large job search companies likes indeed or monster jobs? This isn’t scare mongering. It’s the way the legislation has been drafted and it’s a problem. It’s going to lead to a lot of organisations fundamentally changing their business models, possibly erroneously. Of course the basic idea of transparency and trust is imporrant. Whilst I welcome the blog I’m not sure the myth busting idea is being achieved.

    • Nicholas Street says:

      Hi Guy, as long as the websites and recruitment agencies give the individual submitting personal information, a disclaimer that covers the ability of who to contact to stop, retract and notification of who has accessed the information, then the GDPR is pretty much covered. If I post my CV on a job board, a recruiter downloads my CV, then I expect an email from the site informing me, recruiter has downloaded you cv, contact them here to stop, retract or find out why.

      The GDPR is about all parties involved in dealing with Personal Identifiable Information (not PI as PI could mean a lot of things, but PII as in the person must be identifiable) so that if my CV suddenly gets out of the EEA without my permission or notification, then the site disclosing that information is in breach and held accountable. If a person downloads my CV and emails that information outside of the EEA without my consent, then that individual is in breach.

      This protects the companies reputation of just selling your information on without infoming their customer, and protects you should you start getting lots of cold sales calls from companies outside the EEA selling fake services.

      This maybe a kick in the teeth for companies that have call centres in India, especially if the individual refuses the right for their PII to be accessed outside of the EEA. Think of what could happen to Experian in the US? Recently a Health care person was fined £1400 for accessing records with a valid company reason? Or when your out and here people talking about names of people they work with or dealt with?

      To me, it makes people and companies that I associate with more responsible and accountable for my identity.

      • Pete Austin says:

        @Nicholas Street. You forgot the 8 individuals’ rights which are not simple at all. Only a small part of the GDPR is about data protection.

        Your hypothetical recruitment agency needs to implement things like the right to data portability – including the difficult task of how to be sure the person requesting a copy of data is actually the data subject.

        You’re not the only person with your name, so a birth certificate or driving license is not enough, and email addresses can get re-allocated.

  4. Chad Colby-Blake says:

    I find these blogs insightful and encouraging that I am on the right track. I look forward to the next and please keep them coming. However, must agree in part with Simon. Over the last 20 years governance as not been as good as it could be with many everyday situations being technically in breach of DPA/GDPR principles. This equates to a lot of work for most organisations regardless of size as they now fear the large potential impact to their pocket which was tolerable before, and they were happy to risk it with some basic frameworks in place. Look at recruitment agencies, for example. I pass over my details as I’m interested in the job they are handling but as details are passed over via phone and email in an ‘organic’ way I’m not given a privacy notice or spiel about purposes or lawful basis, who they might share the data with (the ultimate company advertising the role aside), or how long the agency will keep it for (ever get called 2 years later about a ‘great opportunity’?? – have I said I wanted them to?). There are loads of similar examples. I guess you could say I’m consenting to the processing as I want to progress the application, but have I really freely consented and been given all the necessary information to give that consent (do I care??!) and where is any consent recorded by the organisation? Legitimate Interests raises its head again, if used instead…if I challenge will there be a robust balancing assessment the company can produce? There is much tightening up that could/should be done. Will this make life clunky and onerous (think Cookies and the concerns that raised)?

    • Anonymous says:

      Glad that’s all cleared up then. I have been involved in privacy regulation in some form or other for nearly 30 years now. The latest is that some salesman wants me sell me a course to become a “certified EU GDPR practitioner”. Certified by whom exactly? You can imagine my response. Common sense rules here. Address the risk, and the compliance follows in my experience.

      • Guy Pyetan says:

        Ultimately certified by a certifications/standards body, the same as all other certifications. A certification should help to ensure a certain standard and level of knowledge (if not understanding – a fool is still a fool regardless of training). A course is also an accelerant to knowledge. Ultimately though common sense, understanding of legislation, appropriate understanding of risk and the management thereof is the way to go.

  5. Adam Saunders says:

    The GDPR is clearly worded, written and aimed at organisations that engage in direct marketing. The trouble is, the further what you do as an organisation is from direct marketing, the harder it is to relate the GDPR to what you do and the harder it is to understand what impact it is going to have or what you should be doing about it. What would be really useful would be a slew of different case studies giving examples of how different organisations (particularly small ones who won’t have resources to throw at this) might categorise different types of data and look at what legal justifications they might use for processing that data.

    It’s also a basic tenet of any communication process that you tailor your communication to the needs of your audience. The 12 point checklist might be great for a large company that can dedicate a senior manager to sorting through it; what is the owner of the local corner shop/coffee shop/local butcher going to make of it? Not a lot I reckon.

    The ICO needs to produce some much more basic guidance and quickly. Other governmental agencies have done that successfully in recent times, much could be learned from The Pensions Regulator and the auto-enrolment process. If you compare the information provided by TPR to small employers and the clarity of that information to what is available from the ICO on the GDPR – it’s breathtaking. Two laws that impact every employer, but the quality and clarity of information available are miles apart.

  6. DJ says:

    Does GDPR mean that *every* web form that asks for even just someone’s name and/or telephone number has to be encrypted end-to-end?
    If so, that is massive.

    • Simon Clark says:

      Aren’t they all using https ?

    • Derek Crabtree says:

      That is just good security practice (under principle 7 of the DPA)! If a company is asking for this kind of information and have not implemented SSL (https) I presume they don’t know what they are doing and do not give them any information.

  7. DJ says:

    Does GDPR mean that companies whose internal CRM systems contain their current customer contact data but where the software doesn’t allow it to be hidden from internal staff will need to delete all their customer data?

  8. Steve Tooby says:

    Does GDPR differ much to S 29 of DPA in relation to prevention and detection of crime etc?
    Am I interpreting it right in that we should revise our Fair Processing Notices so that they are more contractual than voluntary?

    • Simon Clark says:

      I would suggest that you look at the ways in which your data is being processed. If any of that is outsourced, then you need two way indemnity contracts with your processors in case of a breach taking place. Processors are now just as liable as controllers. Oh and if any of your processors are in a country for which there is no reciprocal data privacy agreement (i.e. places like South Africa or India etc.), then you need to change processor to use one that is, or bring that work in house.

  9. PJ says:

    Some excellent comments here. I too am getting bamboozled by the conflicting advice on whether B2B contact data is included or excluded in the scope. Would be really helpful for someone in ICO to answer these comments for the benefit of all of us trying to do the right thing.

  10. Corporal Jones says:

    We are all doomed!

  11. Timothy Mallet says:

    I look forward to seeing each and ever Local Authority, all those in the Health Sector (including all Doctors Practices), the Legal Profession (such as Solicitors), the Police, plumbers, electricians, local car dealers, the local shop who delivers my newspaper – to name a few – all implementing encryption prior to May 2018. Or at least encryption at rest.

    Plus Mr Solicitor/barrister, when carrying court papers to court please ensure they are held in a securely locked cage which is handcuffed to your arm.

    Nah, its not a burdon..

  12. Timothy Mallet says:

    I did of course mean burden….Burdon was a singer I believe.

  13. Darren Revell says:

    GDPR Myths this week. WordPress websites can’t achieve GDPR compliance. If you don’t have ISO accreditations you can’t be GDPR compliant. GSPR compliance can’t be given to suppliers with low credit scores. GDPR can’t be achieved if you keep your UK data on a German Server. That is just this week on LinkedIN and most all of them came from one firm.

    There is apparently no burden from GDPR, I mean it takes no time at all to go and find the real answers to these myths.

    You know what would work best, is if you had a service where suspected myth could be sent in and you added them to your website for searching and your statement per myth.

    Then this burden you think we don’t have might not actually be such a large burden.

  14. Pingback: GDPR - What Small Businesses Need To Know - UKcentric

  15. GDPR is no different to any other new legislation in that respect. But thinking about burden indicates the wrong mindset to preparing for GDPR compliance.

  16. Madeup Name says:

    For a start, this “Leave a Reply” form isn’t going to be compliant as it requires me to put in an email address and doesn’t go through the rigmarole of telling me exactly what will be done with it.

    For a small retail business, the GDPR is going to be virtually impossible to comply with.

    Taking the wording of the legislation exactly: if someone rings us up with a parts enquiry and we have to take some details – including name and phone number – so we can call them back, it looks as it we’d have to explain to them the whole required list, including what we’re going to do with their data (call them back), when we’re going to destroy it (after we’ve called them back) and a load of other stuff about who to complain to to etc..

    In reality, we – and most other businesses – aren’t going to do this, because all it will do is annoy customers.

    Okay, that’s obviously not what the legislation will have been intended to do, but it’s so badly worded, that’s what is says.

    • Pete Austin says:

      @MadeUp name. Your example is clearly not covered by the GDPR. I refer you to entry (15) on page 9 here.

      The task of handling a parts enquiry that you describe could be done perfectly well by jotting down the personal information on a “post-it note”, which would not fall under the GDPR. The relevant quote is: “Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation”.

      The fact that you may use a computer, rather than a small piece of paper is irrelevant, because
      “the protection of natural persons should be technologically neutral and should not depend on the techniques used”.

      I hope this puts your mind at rest.

  17. Pingback: GDPR: evolution or revolution? What's the truth? - Legal blogs, corporate governance and commercial law - Jordans Corporate Law

  18. Pingback: GDPR is an evolution in data protection, not a burdensome revolution – NACFB Compliance Services

  19. Siz says:

    With respect, it is for industry to judge on how burdensome the requirements are, not the ICO.

    I am aware of a company – not an SME – which is fully compliant with the current DPA but which has had to apply a team of about a dozen people since the beginning year to work on compliance with the GDPR.

    Only the companies themselves will understand exactly how their systems and procedures are going be impacted.

  20. Pingback: GDPR Friday Roundup – 1st September 2017 – The Data Guardians

  21. Pingback: Conform cu prevederile GDPR: Este GDPR o povara? Mituri GDPR

  22. Simona says:

    “Much of the criticism about GDPR seems to have focused on the perceived burdens it will place on SMEs and smaller organizations.” With the current range of solutions, in many cases, it is a matter of willingness to comply instead of fixing imaginable burden. For example, SharePoint out of the box can identify approximately 80 types of sensitive information and then to enable a range of workflows in order to monitor the compliance. For organizations that can’t rely only on numeric based sensitive information, they can deploy solutions such as to define and automatically identify any type of personal information. Once information is identified workflows can automatically manage it further. I am not dismissing the fact that information has to be monitored, but I find it reasonable. Information is an asset, like any other type of asset, it has to be protected.

  23. Pingback: GDPR Checklist | GDPR Self Assessment Data Protection Checklist..

  24. Anonymous says:

    I appreciate the need for the GDPR in today’s world and I value that the basis of the legislation is privacy as a human right.

    However, I cannot accept that implementing compliant processes in a way that addresses three interlocking pieces of legislation (the GDPR, the Data Protection Act and the ePrivacy Regulation) is anything less than onerous – especially for large organisations with many data sources, CRMs, contact forms and so on. It is taking hours and hours of research and understanding to even know what the nuances of the legislation are, let alone design and implement processes.

    For many digital marketers the day job is starting to feel like something out of the bureaucratic dystopia in the Terry Gilliam film Brazil, even if the principles behind the legislation are noble.

  25. winfocus11 says:

    Data Processing pertains to the capture, digitisation and processing of data that originates from various sources. TypistPool offers customised business data processing services that match with international standards in terms of precision and timely execution. To know more about business data processing click here

Leave a Reply