What is GDPR ‘fake news’
I think the fake news concept can be overused but we have talked about GDPR fake news in the past. It seems to be getting worse not better. More and more of our time at Cordery is being taking up by calls from our clients after their CFO or another member of the leadership team has attended an event or read a vendor paper. In the worst cases in the call the team is told that their budget has been withdrawn / reduced because GDPR or some aspects of it “just don’t apply to them”. The reality we’ve seen is that in every case it does. We put together a “dirty dozen” of the most frequent pieces of GDPR ‘fake news’ we’ve seen or heard about from our clients. The list is in our film and it is here:
- GDPR is enforced by a new Brussels-based data police force
- GDPR only applies to PII (and that’s a short list)
- Fines are based on 4% of profit (not turnover)
- GDPR is all very new
- The new data rights (like data portability and the right to erasure/right to be forgotten) just won’t be used
- Data Processors have no liability
- Organisations outside of the EU have no liability
- GDPR looks good but won’t be enforced
- GDPR doesn’t apply to financial services
- GDPR doesn’t apply to the health sector
- GDPR won’t apply because of Brexit
- GDPR brings in just one set of laws for the whole of Europe – the law will now be exactly the same across the EU
To be honest though it was hard to stop at 12 – we could easily have done 10 or 20 more.
Why is this an issue?
Aspects of data protection have always been pretty complicated and it’s sometimes hard enough to make the right call even when you don’t start with the wrong basic facts. I think I first reached out to the UK data regulator on a client’s behalf in the early 1990s (yes, I really am that old). At the time I was doing a lot of work for healthcare organisations and we were acting on behalf of a hospital that had a very complicated issue about a child in their care. The medical evidence suggested that the hospital had to make a life or death decision. The hospital and the doctors involved behaved properly and responsibly in talking this through in detail with the regulator with our help. I am still convinced we reached the right decision, but it was not obvious. Even before GDPR you needed to put some proper thought into the situation to get to the right answer.
Some bits of data protection aren’t that difficult. But there’s often a confusion in some minds between what the law is and what you’d like the law to say.
On the 25 January 2012 the European Commission introduced its new data protection Regulation which we now know as GDPR. I wrote about it within a couple of hours of the proposals being published. I am not ashamed of that brief alert (you can read it here https://www.lexisnexis.com/legalnewsroom/technology/b/cyber-risk-privacy/archive/2012/02/15/duane-morris-llp-alerts-and-updates-european-commission-issues-new-data-protection-proposals.aspx). Whilst there are things I would probably change now, this was the product of reading 119 pages end to end to quickly get the client alert out. One of the most controversial things at the time was that I said that the passage of GDPR into law would not be as smooth as the European Commission anticipated. It has become very apparent that the passage into law still isn’t smooth in some countries – for example the recently announced new German law which will sit alongside GDPR but take away some of GDPR’s essential aims at harmony. Some of the GDPR fake news comes from old articles like the one I wrote in 2012 – for example the fine levels have changed from the 2012 draft to the final version. But there are no excuses for some of the other alt.facts which are either misinformed, or just wishful thinking.
Why should we care?
The danger of GDPR fake news is it just reduces readiness. It is not responsible to speak at an event and tell people to forget about GDPR because Brexit means it will not apply in the UK. There is not a shred of evidence for this and that pronouncement from the “expert“ speaker might mean 70 or 80 organisations fail to prepare. I’ve had the same at an event last year where someone told a large audience that GDPR didn’t apply to financial services and was pretty shirty when I argued it did. The ‘evidence’ it seems was that he had spoken to a junior lawyer at a bank at a breakfast event who had said so. Was that enough evidence to tell 150 people in a room that they could stop getting ready?
You can probably sense my frustration in this blog and the in the film that André and I have produced. We have tried to mask our frustration with an attempt at the quirky, but this is a serious topic.
Declaring an interest
At this stage I should declare an interest in all of this. I was involved in trying to set out a more moderate position on GDPR and we produced position papers commenting on earlier drafts. Some of the suggestions we made were reflected in the final draft (like extending the time to report a breach to 72 hours) but others were rejected. Cordery also writes whitepapers and other material for technology vendors. In addition I am involved in Cordery’s GDPR Navigator subscription service which provides accurate information on GDPR and how it is being enforced across the EU.
I’m also concerned about our insurance premiums. I know that even as a specialist law firm with lots of experience in this area (and no claims on our policy) our insurance is expensive to back up the advice we give. I don’t want us to pay more for our cover simply because insurers are getting large numbers of claims from other people who have taken less care over the advice they give.
What can be done?
If you agree that GDPR fake news is a bad thing we’d encourage you to join the debate on social media. We are planning to highlight other aspects of GDPR fake news on twitter with #GDPRfakenews. You can also use the comments section on our YouTube film or email us. Do join our campaign to speak out if you feel inclined.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 075 1784||Office: +44 (0)207 075 1785|