GDPR The Actual Truth – Behind the scaremongering


Like many of yours, my inbox has been inundated over the past few months with messages relating to GDPR. Most of you, I am sure, will recognise that the majority of these messages are little more than sales and marketing pitches wrapped in a thinly disguised veil of scaremongering. Today alone, three emails from three companies with which I have had no previous affiliation offered me everything from GDPR-compliant software to an ‘off the shelf’ GDPR-compliant privacy notice.


One particular e-mail, entitled “The one thing you MUST do for GDPR”, goes on to tell me that “Your website is one of the few parts of your business affected by the GDPR which is public and therefore visible for anyone to see. This includes not only the Information Commissioner’s Office (ICO) itself, but also your customers and competitors, any one of whom could report you to the ICO for non-compliance, and the ICO is obliged to act on complaints they receive.”

Really scary, right? It then directs me to a website where I can allegedly obtain a GDPR-compliant policy for a fee. My advice is to take any emails like this with a large pinch of salt. Most, if not all, are trying to sell you something on the basis that it will help you comply with EU GDPR; the reality is that they are exploiting the introduction of EU GDPR as a sales opportunity.


One piece of software will not make you compliant with GDPR, and I would argue fervently that there isn’t, and never will be, a single product that achieves this. Even many of the GDPR gap analysis products advertised on websites (at a cost, of course) have no real value other than to tell you that you have a gap (which you possibly knew anyway), and they provide no direction or guidance on what to do to close it. The winners are, of course, the companies that benefit financially from the sale of such products, leaving you with something you already knew.

Now I am sure that most of you will not fall into these traps, but regrettably some will. Even the mass media are using scaremongering tactics in a bid to drive headlines, and this is misleading at best and, in the main, arguably irresponsible reporting. Yes, Article 83 of GDPR does set out the general conditions for imposing administrative fines, but the ICO can already issue monetary penalties for breaches of the data protection principles under the Data Protection Act 1998 (section 55A, currently capped at £500,000). What changes is the ceiling: Article 83(5) allows fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher. The power to fine is not new; the maximum is.

The Data Protection Act – the truth

Talking of the Data Protection Act, I have lost count of the number of commentators, websites and even training course materials that tell me EU GDPR replaces the Data Protection Act 1998. Let’s clear this up straight away: it doesn’t. A Regulation applies directly in each member state; it does not repeal domestic legislation. Parliamentary sovereignty means that Parliament can create any law it chooses, and can alter or repeal any law made by a previous Parliament. The Data Protection Bill currently running through Parliament has cleared the House of Lords and had its first reading in the House of Commons in January. When it receives Royal Assent it will become the Data Protection Act 2018, and it is that Act, not GDPR, that repeals the Data Protection Act 1998 (section 23 of the Bill as introduced). You can track its progress here.

It is important to note that the new Data Protection Act, as well as amending a significant number of other Acts of Parliament, establishes a complete framework of data protection legislation across four key areas: general data processing; law enforcement data processing; data processing for national security purposes (including processing by the intelligence services); and regulatory oversight and enforcement.

While the UK remains a member of the EU, all the rights and obligations of EU membership remain in force, including of course the requirement to comply with the EU GDPR. When the UK leaves the EU, the EU GDPR will be incorporated into the UK’s domestic law as the ‘applied GDPR’ under the powers in the European Union (Withdrawal) Bill, which is also currently before Parliament.

While many commentators and websites appear to be focussed solely on the EU GDPR from May 2018, the actual changes in data protection legislation are far broader, and include:

  • the EU GDPR;
  • the applied GDPR;
  • The Data Protection Act 2018 (and all other legislation affected or amended by the Act);
  • regulations made under DPA 2018;
  • regulations made under section 2(2) of the European Communities Act 1972 which relate to the GDPR or the EU Law Enforcement Directive.

If you focus only on GDPR, it is highly likely that you will miss many of the other changes in data protection legislation taking place at the same time.

For further information please do not hesitate to call us on 01183249444 or email us at

Written by Brian Penfold, Technical Director of Trident Assurance Services and qualified GDPR practitioner. 
