5 GDPR Myths Busted: Separating Fact from Fiction

Since the introduction of the General Data Protection Regulation (GDPR) in 2018, organisations across the UK have had to contend with the complexities of data protection compliance. 

Those with firsthand experience of GDPR will know all too well the complications that can arise and the constant effort required to remain compliant.

Our in-house barrister and GDPR expert, Ben Murphy, has come across countless myths surrounding the GDPR in the last seven years.

He has compiled five common misconceptions that will help your organisation navigate the complexities of data protection.

Myth 1: "GDPR doesn't apply to paper records."

This is a widespread misconception. GDPR applies to structured filing systems containing personal data, regardless of format. Whether electronic or paper-based, if the information is organised in a way that allows for easy retrieval of data relating to an individual (e.g., an HR file), it falls under GDPR's remit.

The key is the structured nature of the data, not the format in which it is held.

Myth 2: "All data breaches must be reported to the ICO."

The Information Commissioner's Office (ICO) wouldn't be able to handle the volume of reports if every minor breach required notification. Reporting to the ICO is only necessary when a breach poses a significant risk of harm to the rights and freedoms of the data subject. Minor breaches, like accidentally sending an email containing basic contact details to the wrong colleague within the same organisation, should instead be reported to your organisation’s DPO and documented in your Breach & Near Miss Register.

Myth 3: "Organisations must always obtain my explicit consent to process my data."

While consent is a lawful basis for processing data, it's not the only one. Organisations can rely on other lawful bases, such as a contract of employment (for employee data) or public task (for health organisations). Consent will be most relevant where the organisation is processing sensitive personal data, such as sharing medical information with a third party.

Furthermore, you don't necessarily have to consent to a privacy notice. The Privacy Notice informs you how your data is processed, why, and what protections will be put in place - but your consent isn't always required.

Myth 4: "A Subject Access Request (SAR) entitles me to copies of everything my employer holds on me."

SARs are not equivalent to court-ordered disclosure. While they allow individuals to see how an organisation processes their data and to check that this aligns with what the organisation says it does in its privacy notice, SARs don't guarantee access to absolutely everything. Information may be redacted or withheld if it falls under specific exemptions. The purpose of a SAR is to ensure transparency of processing, not to gather evidence for legal proceedings or engage in a ‘fishing expedition’.

Myth 5: "The legal sector has a strong culture of data protection."

Despite dealing with sensitive personal data, data protection standards can vary within the legal sector. To address this, the ICO has approved a sector-specific standard known as LOCS:23, the first Article 42 certification scheme specifically designed for the legal sector.

This certification aims to establish a benchmark for data protection for chambers and law firms, ensuring personal information is handled with the utmost care and security by legal professionals.
