I think the fake news concept can be overused, but we have talked about GDPR fake news in the past. It seems to be getting worse, not better. More and more of our time at Cordery is being taken up by calls from our clients after their CFO or another member of the leadership team has attended an event or read a vendor paper. In the worst cases, the team is told in the call that their budget has been withdrawn/reduced because GDPR or some aspect of it ‘just doesn’t apply to them’. The reality we’ve seen is that in every case it does. We put together a ‘dirty dozen’ of the most frequent pieces of GDPR ‘fake news’ we’ve seen or heard about from our clients:
- GDPR is enforced by a new Brussels-based data police force
- GDPR only applies to PII (and that’s a short list)
- Fines are based on 4% of profit (not turnover)
- GDPR is all very new
- The new data rights (like data portability and the right to erasure/right to be forgotten) just won’t be used
- Data Processors have no liability
- Organisations outside of the EU have no liability
- GDPR looks good but won’t be enforced
- GDPR doesn’t apply to financial services
- GDPR doesn’t apply to the health sector
- GDPR won’t apply because of Brexit
- GDPR brings in just one set of laws for the whole of Europe – the law will now be exactly the same across the EU
To be honest, though, it was hard to stop at 12 – we could easily have done 10 or 20 more.
Why is this an issue?
Aspects of data protection have always been pretty complicated and it’s sometimes hard enough to make the right call even when you don’t start with the wrong basic facts. I think I first reached out to the UK data regulator on a client’s behalf in the early 1990s (yes, I really am that old). At the time I was doing a lot of work for healthcare organisations and we were acting on behalf of a hospital that had a very complicated issue about a child in their care. The medical evidence suggested that the hospital had to make a life or death decision. The hospital and the doctors involved behaved properly and responsibly in talking this through in detail with the regulator with our help. I am still convinced we reached the right decision, but it was not obvious. Even before GDPR, you needed to put some proper thought into the situation to get to the right answer.
Some aspects of data protection aren’t that difficult. But there is often a confusion in some minds between what the law is and what you’d like the law to say.
On the 25th January 2012, the European Commission introduced its new data protection Regulation, which we now know as GDPR. I wrote about it within a couple of hours of the proposals being published (you can read it HERE). While there are things I would probably change now, this was the product of reading 119 pages end to end to quickly get the client alert out. One of the most controversial things at the time was that I said that the passage of GDPR into law would not be as smooth as the European Commission anticipated. It has become very apparent that the passage into law still isn’t smooth in some countries – for example, the recently announced new German law which will sit alongside GDPR but take away some of GDPR’s essential aims at harmony. Some of the GDPR fake news comes from old articles like the one I wrote in 2012 – for example, the fine levels have changed from the 2012 draft to the final version. But there are no excuses for some of the other alternative facts, which are either misinformed or just wishful thinking.
Why should we care?
The danger of GDPR fake news is that it just reduces readiness. It is not responsible to speak at an event and tell people to forget about GDPR because Brexit means it will not apply in the UK. There is not a shred of evidence for this, and that pronouncement from the ‘expert’ speaker might mean 70 or 80 organisations fail to prepare. I had the same at an event last year where someone told a large audience that GDPR didn’t apply to financial services and was pretty shirty when I argued it did. The ‘evidence’, it seems, was that he had spoken to a junior lawyer at a bank at a breakfast event who had said so. Was that enough evidence to tell 150 people in a room that they could stop getting ready?
You can probably sense my frustration in this blog. We have tried to mask our frustration with an attempt at the quirky, but this is a serious topic.
This article is a slightly amended version of the original article, which was first published HERE.