GDPR Myths – Fact or Fiction?

12 Oct, 2017

Following on from our recent articles on GDPR (click here for more details) we look here to debunk some of the many myths that seem to be going around about these key regulations coming in to force on 25th May 2018.

  1. GDPR is irrelevant because of Brexit

A complete myth.  The UK Government has already confirmed its commitment to implement GDPR regardless of the Brexit negotiations.

  1. You won’t be able to e-mail clients/customers anymore

Whilst the current situation is confusing, it is certainly not the case that you will not be able to e-mail your clients and customers.  When it comes to marketing it seems that unless the data subject has opted in and given consent for all types of communications of this nature, then you would be in breach if you e-mailed them (we will be writing about this in the future).  However, under GDPR you will still be able to e-mail customers information relating to their contract, maintenance and transactional e-mails.  For this, GDPR requires a clear relationship, genuine mutual interest, a balance of interests, expected and appropriate processing and without infringement of individual rights and freedoms of the individual.  The regulations certainly do not prevent you from e-mailing customers ever again.

  1. You can only process personal data if you have consent to do so from the individual.

Consent has indeed be tightened up under GDPR (we will be writing about this in the future) but bear in mind that consent is only one way to comply.  There are five other lawful ways for you to be able to process data.  These are set out by the ICO here .

  1. You will have to report all data breaches to the Information Commissioner’s Office (ICO) and to individuals.

You will only have to report a personal data breach to the ICO under GDPR if it is likely to result in a risk to people’s rights and freedoms – if there is no risk, there is no need to report.

These new reporting requirements will mean some changes to the way that businesses handle and respond to personal data breaches.

Individuals only need to be notified if there is a high risk to people’s rights and freedoms.  High risks includes the potential of people suffering significant detrimental effect for example, discrimination, damage to reputation, financial loss or any other significant economic or social disadvantage.

  1. The fines under GDPR will be the biggest threat for organisations

The ICO is keen to point out that the main purpose of GDPR is to put individuals’ rights first, not about fining businesses.  Of course the threat of hefty fines makes for good headlines but it is not the main purpose of the regulations.

It is true to say that with the regulations comes the ability for ICO to issue to pretty big fines.  The prospect of a fine amounting to either 4% of global turnover or £17 million is nothing to be ignored.  However, as with any new legislation it’s probably wrong to think that the ICO is ‘out to get us’ for the most minor of infringements.  Naturally there will undoubtedly be some cases of fines hitting the news as the regulations bed in but don’t forget, the power to fine already exists under the Data Protection Act and is still seldom used by the ICO.

The ICO assures businesses that they intend to use powers of fining “proportionately and judiciously” preferring other sanctions in their armoury including warnings, reprimands and corrective orders.  Damage to reputation may be a bigger threat if you are on the receiving end of one of these sanctions.

These are just some of the many myths going around at the moment.  The reality is, no-one really knows at this stage what the implications will be.  However, one thing we should probably all bear in mind is that GDPR is hailed as an evolution of data protection not a revolution.  GDPR merely seeks to build on the foundations of The Data Protection Act which has been in place for nearly 20 years.   All businesses should be complying with this in any event and with effective governance in place under the DPA we should all be well on our way to being ready for GDPR.

The key to further compliance is information management.  Policies and procedures such as those contained in ISO 27001 Information Security Management System can also help businesses on their way to compliance with GDPR.  For more information about how ISO 27001 can help you take a look at our website or call our friendly Client Services team on 01905 670303

ISO Quality Services Ltd are proud to specialise in the implementation and certification of the Internationally recognised ISO and BS EN Management Standards.

Do you want to get ahead of your competition? Win more tenders or save time and money on reoccurring issues? Contact us today on 0330 058 5551 or email

Alternatively, you can request a quote by filling out our enquiry form and a member of our team will be in touch shortly.

Related Posts

Three Steps to Start Your Net Zero Emissions Journey

22 Oct, 2021

Organisations are being urged to act now and set out their plans of becoming net zero.  Here are three simple steps you can take to start your journey today.

What is COP26 and How Will it Affect You?

22 Oct, 2021

COP26 is fast approaching but what is it and how could it affect the way organisations operate in the future?

Sleeping Out to Help Out

22 Oct, 2021

Last week, Jennifer, Kerrie and Amy braved the cold for the Big Worcester Sleep Out to raise money for three Worcester charities.  Find out how they got on here…

Can You Help Make a Family’s Christmas?

11 Oct, 2021

Our Bingo Box challenge is back! With the Foodbank giving out more food than they are receiving in donations, we’re hoping to help feed even more families this Christmas.