
GDPR: the ICO tries to dispel some myths

Chris Hamblin, Editor, London, 25 August 2017


Before the European Union's new data protection law comes into effect on 25 May 2018, compliance officers at financial institutions must familiarise themselves with it even though they might not be directly responsible for its implementation. To this end, the British Information Commissioner has striven to allay a few 'myths' about it.

The ICO, which is the 'go-to' regulator for this important piece of legislation in the United Kingdom, is incensed with firms' belief in "Myth number 1: The biggest threat to organisations from the GDPR [General Data Protection Regulation] is massive fines." Elizabeth Denham, who was appointed commissioner last year, claims on her weblog that the issuance of fines has always been and will continue to be a last resort for the regulator: "Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned. It’s true...that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law." Rather tellingly, however, she does not say what the 'greatest threat' from the GDPR actually is.

The myth surrounding consent

Denham also writes: "There is a myth that you must have consent if you want to process personal data. Let’s be clear: consent is one way to comply with the GDPR, but it’s not the only way. Local authorities processing council tax information, banks sharing data for fraud protection purposes, insurance companies processing claims information - each one of these examples uses a different lawful basis for processing personal information that isn’t consent."

The new law provides five other lawful bases for processing data that may be more appropriate than consent. Processing is lawful if it is necessary for the performance of a contract with the data subject or to take steps to 'enter into' a contract; or to comply with a law; or to protect the vital interests of a data subject or another person; or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

Planning to obey non-existent rules

Myth number 3 is "I can’t start planning for new consent rules until the ICO’s formal guidance is published." The ICO firmly believes that the absence of rules is no reason for a firm not to start deploying people and spending money. It has come up with some suggestions that might end up in the rules that it will eventually publish and expects firms to start treating those suggestions as though they were rules already - an attitude which might outrage some firms. Nevertheless, the three-week consultative process opened and ended in March and the ICO does not expect the outcome to be very different from the draft. It is not, however, saying which parts will stand and which will disappear.

On top of this, the ICO is waiting until "Europe-wide consent guidelines" (presumably it is only referring to guidelines concerning the 43% of Europe that the EU occupies and not the whole) appear in December before it publishes its own guidelines.

Cold-calling

In the meantime, the ICO has reminded companies which carry out direct marketing that it is much cheaper to screen numbers against the Telephone Preference Service (TPS) register properly than to have to pay a fine for making nuisance calls. Its warning comes after it fined a domestic energy saving firm called Home Logic UK Ltd £50,000 for making marketing calls to people who had made it clear that they did not want to be contacted in that way.

The TPS allows every citizen to register his number and opt out of receiving marketing calls. Between April 1 2015 and July 31 2016, it received 133 complaints from members of the public about nuisance calls made to their TPS-registered numbers by Home Logic. A further three were made by callers who were trying to pass themselves off as the firm. The ICO has had statutory responsibility for the TPS since December 2016. Firms engaged in direct marketing can subscribe to the register for 12 months for a cost of £2,640, or less for limited geographical areas or for time-specific periods.
