Busting GDPR myths with the ICO

With just a few months to go until the GDPR comes into effect, some misleading advice has been circulating about what the regulations really mean for businesses. To sort fact from fiction, here’s our summary of the Information Commissioner’s Office’s useful guidance tackling various myths about GDPR.

Uncover the facts

Myth #1: The biggest threat from the GDPR is massive fines

There have been plenty of headlines about huge GDPR fines putting plumbers or window cleaners out of business. There are even suggestions that fines will be used to fund the ICO.

In reality, GDPR isn’t about hitting businesses with big fines. It’s about transparency, better rights for citizens and increased accountability.

It is true that the ICO can fine businesses up to £17m or 4% of turnover. However, fines are usually a last resort. In 2016-17, out of 17,300 cases handled by the ICO, just 16 actually led to fines. There are lots of other measures they can use, such as warnings, reprimands and corrective orders. Those measures might damage your reputation – but they won’t bankrupt you.

Myth #2: You need consent to process personal data

Consent is one lawful basis for processing personal data, but it’s not the only one. You can also process people’s data to perform a contract you have with them (such as an employment contract), to comply with a legal obligation, to protect someone’s vital interests or to perform a task in the public interest.

To decide whether you need consent, work out which of these bases might apply to your organisation. A data protection impact assessment can help you understand how you can meet the conditions for processing.

Myth #3: You can’t plan for new consent rules until the ICO publishes its formal guidance in December

Obviously, businesses prefer to work to finalised rules. But you can still get started with the ICO’s draft guidance on consent, which is probably pretty close to the final guidance. Also, this guidance only covers consent – not the other bases for processing personal data (see Myth #2 above).

Myth #4: GDPR is an unnecessary burden on businesses

While GDPR will require some resources, it’s only another step in the evolution of data protection, which has been going on for the last 20 years.

If you’re already complying with the Data Protection Act, and have strong arrangements for data governance, you’re well on the way to complying with the GDPR.

Compliance tasks are scaled to the size of the risk involved, which eases the burden on SMEs.

Finally, data protection is about more than just complying with regulations. It’s about safeguarding your reputation, your customer relationships and your profits. If GDPR pushes you to guard against risks that could endanger your business, it’s more of a help than a hindrance.

Myth #5: You have to report every personal data breach to the ICO

Some press reports have claimed that you must report every personal data breach to the ICO.

In fact, you only have to report a breach if it’s likely to result in a risk to people’s rights and freedoms. If that’s not likely, you don’t have to report it.

This will be a new requirement: under the current law, reporting most personal data breaches is best practice, but not compulsory.

There will be guidelines to help you work out which breaches you have to report. For now, it’s a good idea to start looking at the sort of incidents that have happened, or could happen, at your firm or organisation, and get an idea of what would be a serious incident for you.

Myth #6: You have to provide all details as soon as a personal data breach occurs

If you have to notify the ICO about a data breach (see Myth #5 above), you should do so within 72 hours of finding out about it.

However, you don’t have to provide all the details straight away. All the ICO needs to know at first is what caused the breach, who or what might be affected, and what you plan to do about it.

Myth #7: If you don’t report in time, you’ll definitely get a big fine

It’s true that the ICO will have the authority to fine businesses for not telling them about breaches, or not telling them in time.

However, fines will be proportionate to the wrongdoing, and there won’t be a fine in every case. The best approach is to give the ICO all the information you have as soon as you can, and not try to cover anything up.

Myth #8: Data breach reporting is all about punishment

While the ICO can fine organisations, the main idea is to make sure personal data is secure.

When people entrust their data to firms, it’s important for them to know that firms that are careless with that data will be punished.

Many other countries around the world are tightening up their reporting too.


The ICO has published extensive guidance to help businesses prepare for the GDPR. Visit their data protection reform website for more information.