Myth Busting: UK Data Protection Laws


In this back-to-basics blog series, we aim to bust common misconceptions about EU and UK data protection laws and give you some insight into what you can really expect when complying with these regulations in your day-to-day jobs.

Myth: Data protection law stops all organisations and businesses from sharing personal data.

Wrong! Data protection law enables organisations and businesses to share personal data securely, fairly, and proportionately. The ICO’s Data Sharing Code of Practice provides guidance, alongside practical tools, to help organisations be confident they can share data within the law.

Myth: Data protection law prevents organisations from sharing personal data with the police.

Wrong! When the police ask organisations for information to help them investigate, prevent, detect, or prosecute a crime, UK data protection laws enable appropriate data sharing to take place. This means you can choose to share the data, but you don’t have to.

Myth: Consent is always needed to share people’s data with another organisation.

Wrong! You can usually share without consent if you have a good reason to do so, and it is often inappropriate to rely on consent. Banks share data for fraud protection purposes, insurance companies request information for claims, and local authorities need personal data to process council tax bills – none of these examples use consent as a lawful basis to share personal information. EU and UK data protection laws provide other lawful bases that may be more appropriate than consent.

Myth: ‘Personal data’ means any information relating to an identified natural person, i.e., someone who can be identified, directly, in particular by reference to an identifier such as a name.

Wrong! ‘Personal data’ means any information relating to an identified or identifiable natural person i.e., someone who can be identified directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Myth: Data protection law is completely harmonised across the EU after GDPR.

Wrong! Although a key rationale of the GDPR was to harmonise data protection law across the EU, certain aspects of the GDPR are supplemented by domestic law, and the GDPR specifically allows for divergence in particular areas. One example is the age of consent (i.e., the age at which a child is able to give their consent to data processing): while GDPR sets this at 16, Member States can choose to lower this (to no younger than 13), as the UK has done.

Myth: ePrivacy law (e.g., rules on email marketing and cookies) is completely harmonised across the EU.

Wrong! These rules are set out in a distinct EU Directive (not the GDPR). Unlike a Regulation, a Directive is not directly applicable in each Member State and must be implemented through domestic law in order to take effect. For this reason, direct marketing requirements, although similar, differ across the EU and the UK.

Myth: “I’m not processing personal data, so the GDPR doesn’t apply”

Wrong! Article 4 GDPR says ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

So, basically, anything done with personal data is ‘processing’, and the GDPR will apply.

Myth: “We’ve removed the individual’s name and assigned them a number instead – we don’t know who they are anymore, so this isn’t personal data”

Wrong! This process of coding personal data (so that it can no longer be attributed to an individual without the use of additional information) is known as pseudonymisation. While this can be a helpful security and privacy risk management measure, it does not bring the data set outside the scope of EU/UK GDPR: pseudonymised data is still personal data. (Only where data is anonymised, i.e., it does not relate to an identified or identifiable individual, will it no longer be personal data.)
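To make the point concrete, here is an added example (not from the original article) of pseudonymising a small data set and then re-attributing a record using the "additional information". The records, the key, and the choice of HMAC-SHA256 as the coding method are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data and key; every value here is invented for illustration.
KEY = b"constructed-demo-key-held-by-the-controller"
RECORDS = [
    {"name": "Alice Example", "postcode": "AB1 2CD", "diagnosis": "asthma"},
    {"name": "Bob Sample", "postcode": "EF3 4GH", "diagnosis": "diabetes"},
]


def pseudonym(name: str, key: bytes) -> str:
    """Derive a stable code for a name with a keyed hash (HMAC-SHA256)."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (coded records with the name removed, lookup table code -> name)."""
    coded, lookup = [], {}
    for rec in records:
        code = pseudonym(rec["name"], key)
        lookup[code] = rec["name"]
        rest = {k: v for k, v in rec.items() if k != "name"}
        coded.append({"id": code, **rest})
    return coded, lookup


def reattribute(coded_record, lookup):
    """Whoever holds the lookup table can link a coded record back to a person."""
    return lookup.get(coded_record["id"])


def reattribute_with_key(coded_record, known_names, key):
    """The key alone is also 'additional information': recompute codes for known names."""
    for name in known_names:
        if hmac.compare_digest(pseudonym(name, key), coded_record["id"]):
            return name
    return None


if __name__ == "__main__":
    coded, lookup = pseudonymise(RECORDS, KEY)
    print(coded[0])                       # no name field, only a code
    print(reattribute(coded[0], lookup))  # the name is recoverable
```

Because the lookup table or key still exists somewhere, the coded records remain attributable to individuals, which is why they stay in scope. Storing that additional information separately and restricting access to it is the security measure; it does not change the data's legal status.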

Myth: The rules about international data transfers don’t apply when transferring personal data to another company in the same group.

Wrong! The transfer rules apply where the receiver is a separate controller or processor and legally distinct from the sender, including separate companies in the same group.

Hopefully, by covering some of the biggest myths surrounding EU and UK data protection laws, we have given you a clearer picture of what is expected when dealing with confidential data in any capacity. 

If any of the myths raised in this article have highlighted any gaps in your policies or understanding, don’t panic. Here at norm., we offer total business protection, providing award-winning cyber security and giving our clients peace of mind that they remain compliant and protected with all EU and UK data protection laws and legislation. 

Contact our team for more information or enquire online now to ensure your business is protected.
