Demystifying GDPR

Hi and welcome to the second of our series of blogs. Last week we covered off ‘What is GDPR and what are your obligations under the Regulation?’ This week, we look at some of the myths and misconceptions around GDPR.

There are a number of factors that have contributed towards the many myths that circulate around various sectors. Here are just a few we’ve noted over the past couple of years:

Myth 1: GDPR is all about fines

Truth – Well, not quite.

The main driver behind the regulation was empowering the data subject and giving them back control of the information they share with organisations.

Here at Hogen Data, we have found that the most successful GDPR programmes are often undertaken by businesses who focus on enhancing the customer experience and improving how personal data is protected.

Sure, the fines are pretty hefty in the worst cases, but what price reputation? Loss of confidence by consumers and partners should also be a main consideration for your business.

What can your business do in the interim?

To avoid action by the Regulator, the first step should be to undertake a review of your data processing activity. That way, you can identify the gaps and start to pull together a plan.

We believe that showing this initial commitment will go a long way in defending your position and be the catalyst for improvements.

Myth 2: You must give your consent to an organisation before they process your data

Truth – Nope, sorry!

Consent is not the only kid on the block. Indeed, there are 6 lawful bases upon which a Data Controller can rely to process your data, with consent being just one option.

Sure, certain activities in relation to direct marketing might need your permission, but other organisations will often use ‘Contract’ and ‘Legal Obligation’, depending on their relationship with you.

Regardless, they will need to clearly articulate this to you via their privacy notice, ideally at the time the data is collected.

What can your business do in the interim?

You can demonstrate good practices in relation to this by having a well-established Record of Processing Activity (ROPA) where you can record what processes your organisation undertakes including the lawful basis. Don’t forget, if you also process Special Category Data, you will also need to identify a further condition for processing this data type, under GDPR Article 9.

Whatever you decide to use as your lawful basis, remember the choice you make may impact the Rights and Freedoms of an individual. To that end, get it right first time and inform your customers by clearly communicating Privacy Information in your Fair Processing Notices.

Myth 3: Data Breaches refer to the Loss of Data Only

Truth – No, there is more to it than just data loss.

The Regulation defines a Data Breach as:

‘A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.’

So in reality, accidental or malicious deletion of data, sharing an email with an unintended recipient, losing access to data or gaining access to personal data you have no legitimate reason to view can all potentially become a Data Breach.

Whilst ALL data breaches need to be recorded, not all have to be reported to the Information Commissioner’s Office. This depends on an assessment of the breach to determine the risk and impact to the rights and freedoms of a data subject. Don’t forget, the Regulation says you have up to 72 hours… but don’t be caught out. This is a maximum time frame, and a breach should be dealt with ‘without undue delay’.

What can your business do in the interim?

You should ensure that your staff are trained in recognising and reporting a breach.

Devise a process that deals with escalation and correct assessment.

Ensure that all breaches are recorded, whether reportable or not.

Ensure you are aware of the details you will need to supply to the ICO if you believe it is reportable.

Establish the root cause of the breach and ownership for putting things right going forwards.

Myth 4: Compliance will cost my organisation thousands

Truth – Sorry to break this to you, but many argue that compliance doesn’t exist.

Yep, that’s right… compliance is a myth… well, sort of!

Here at Hogen Data, we prefer to work with organisations to enable them to ‘Defend their Position’.

The GDPR is a risk-based Regulation, meaning that it’s never a one-size-fits-all and depends very much on the context of the organisation.

So rule number 1… avoid, avoid, avoid those companies that promise you 100% compliance.

What can your business do in the interim?

The biggest risk is not understanding your data…

If you don’t understand how, why and where your personal data is being processed, you’ll never understand your risks and will be unable to address your gaps.

At Hogen Data, we offer a number of set price options to enable you to assess the current position of your business practices, conduct a gap analysis and present to you a risk paper that highlights what you are doing well and where there may be some improvements to make.

This will include a number of recommendations and a ‘route to green plan on a page’, suggesting a risk-based approach to improving your Organisational Privacy Measures.

Myth 5: Our Business is too small, they’ll never look at us

Truth – How wrong you are!

Whilst large organisations like British Airways and Marriott are making the news and newspaper headlines, the ICO is actively investigating all manner of business types.

Retailers, charities, and central government departments have all found themselves on the receiving end of enforcement notices and fines.

Aside from the Regulator’s activity, many law firms and claims management companies are now seeing lucrative opportunities in taking complaints from consumers who feel they have been mistreated in terms of their rights under the GDPR.

As technology develops and everyday life becomes digitalised, consumers are becoming more aware of how their data should be handled. This includes not only what data they give you, but also who an organisation subsequently shares it with, how long it is retained, how and where it is stored and which lawful basis you rely upon to process that data in the first instance.

Now and in the future, consumers will want to know you are an organisation they can trust with their data.

What can your business do in the interim?

Start your GDPR journey and contact us today for a no obligation chat with one of our experienced team members, contact us on, via our website or 0151 459 9828

I’m going to start right from the beginning. Why? Because latest statistics indicate that over half of UK businesses still remain non-compliant and have yet to embark on their GDPR journey.

So, without further ado, what is the General Data Protection Regulation?

Well, in simplistic terms, a number of stakeholders from Supervisory Authorities in the EU got together and decided that the privacy laws needed updating, particularly as the last update was back in 1998!

The last 20 years or so have seen the greatest leaps in technology since time began. Just take a moment to think back to what we had in the late 90s compared to now.

Mobile phones only made calls, social media was unheard of and the internet was in its infancy. Imagine if, 20 years ago, you’d told someone you could speak to anyone in the world from the palm of your hand. Imagine the looks you would’ve got had you said you could pay for your shopping by tapping your phone onto the card reader… and don’t get me started on retina scanning, voice recognition and fingerprint identification.

I guess what I’m saying here is that someone, somewhere, thought we needed an updated Privacy Law that was more befitting of the technology we are now using in the 21st Century! In summary, we’ve moved on… MASSIVELY! The rest, as they say, is history.

So in 2018, the Data Protection Act 2018 came into being, complementing the GDPR, whilst replacing the outgoing Data Protection Act 1998.

Given how the GDPR came about, you might be forgiven for thinking that the Regulation affects only European Countries. In fact, any organisation, regardless of where it is in the world, must comply with the regulation if it processes the Personal Data of EU Citizens.

So, what were the big changes under the GDPR?

Well, the obvious difference was the fines that can be dished out by the Regulator. Previously, the biggest punishment the ICO could hand out was £500k. Now, you do not have to be a Finance guru to realise this was little deterrent for most organisations, particularly as a privacy programme could perhaps set an organisation back millions of pounds. In their eyes, it was perhaps worth the risk?