GDPR – Dispelling the Myths

In her address yesterday, Information Commissioner Elizabeth Denham reminded businesses throughout the UK that “DP-Day – is only 27 working days away”. For those who have, as yet, undertaken no work to achieve and demonstrate compliance, this timeframe will certainly add to existing pressure. With the deadline looming, we have found an increase in misinformation around data protection and GDPR. In an effort to help your compliance journey, let’s dispel some prominent myths.

Advice and support is available.

When working with barristers, solicitor firms and chambers, our clients often struggle to accept that, as the regulator, the Information Commissioner’s Office can also be a source of advice, support and resources. Perhaps given recent experience of regulatory regimes within the legal sector, this may be understandable. However, the Information Commissioner reinforced the message that there is “no intention of changing our proportionate and pragmatic approach after 25 May. My aim is to prevent harm, and to place support and compliance at the heart of our regulatory action. Voluntary compliance is the preferred route”. For those adopting a genuine, responsible and diligent approach to becoming compliant, this should allay some concerns.

The ICO promises tough action.

Equally, we can experience a level of bravado or procrastination that GDPR and data protection is not a priority or irrelevant. There is a disbelief of the “hype” surrounding GDPR and the increased penalties. Notwithstanding their pragmatic approach, Denham warned “we will back this up by tough action where necessary; hefty fines can and will be levied on those organisations that persistently, deliberately or negligently flout the law”. In light of this, non-compliance is a high risk strategy for any barrister or chambers.

Monetary fines aren't the only sanction.

Recent images of ICO Enforcement Officers entering and searching the offices of Cambridge Analytica had sobering effect for many businesses. Most barristers believe their only interaction with the ICO would be if a data breach occurs. This notion fails to recognise other enhanced powers afforded through GDPR, specifically the power to audit all those who hold, use and share personal data. In the context of your own practice or Chambers, you will know best how concerning a compulsory data protection audit would be. It is worthwhile highlighting that a fine isn’t the only sanction to be concerned with. The Information Commissioner has flagged the range of sanctions available that “may not require a cheque to the Treasury, but they will have a significant impact on reputation and, ultimately, companies’ bottom line”.

Reporting a breach is now mandatory.

The notion of mandatory self-reporting causes considerable consternation, due to the misbelief that a self-report will result in an investigation. The ICO is investing resources to ensure the reporting process is “simple and effective”. Again, the Information Commissioner has stated “our focus will be on identifying whether your breach is a reportable one, working with you and calling in whoever else we need to involve, to help you make the right decisions in those key first few days”. Obviously, the circumstances and the nature of the breach will dictate whether an investigation follows thereafter – if so, your level and evidence of compliance will be critical to the overall outcome.

Given the many different administrative arrangements across Chambers and individual practices, it can be difficult to accurately interpret the legislation in the context of your particular circumstances. This is why BRIEFED has been instructed by over 60 chambers to help them navigate through their compliance journey. We also offer a range of online training consultancy services and compliance tools available here. Members of the Bar of England and Wales enjoy a 10% discount with code BCEW at checkout.