The General Data Protection Regulation (GDPR) applies from 25th May 2018 and aims to place an onus on companies to understand the risks they create for others, and then to mitigate those risks. According to the Information Commissioner, the new regulation is about moving away from viewing data protection law as a box-ticking exercise and, instead, towards a standardised framework that can be used to build a culture of privacy that pervades an entire organisation. Given how important data has been to recent economic development, it is hardly surprising that a fair amount of fear and doubt has been cast over the impact of GDPR.
As someone who has been dealing with GDPR and data compliance for a number of years, I have heard a whole host of misconceptions. So, as the implementation date is here, I thought I’d take the time to address seven of the most common misconceptions that currently surround GDPR.
1) GDPR will hurt businesses
Compliance of any kind tends to require businesses to incur some costs, and many companies operating in the EU are no strangers to data protection laws. For these companies, adhering to GDPR will largely be a matter of adapting existing business processes to ensure that they are in line with the new legislation. On the other hand, there are businesses that are only now realising the importance of privacy and GDPR, and it is this second group that has an important task ahead of it.
But it’s not all doom and gloom. Let’s not forget that GDPR was created with economic growth in mind; designed to promote the responsible handling of personal data within a regulated digital single market. The European Commission believes that this, in turn, will promote trust in the digital economy and, in doing so, will act as a driver for long term growth and stability.
2) All businesses need to hire a Data Protection Officer (DPO)
Hiring a Data Protection Officer is not always required. The GDPR (Article 37) lists the specific cases where an organisation must appoint a designated DPO: where it is a public authority or body, where its core activities involve regular and systematic monitoring of individuals on a large scale, or where its core activities involve large-scale processing of special categories of data or data relating to criminal convictions. Outside these cases, it is still recommended that organisations assign a person to be responsible for GDPR compliance.
3) GDPR is just about preventing data breaches
Of course, data security is an important part of GDPR, but there is so much more to it than just that! For example, GDPR covers the privacy of minors extensively and sets limits to ensure their rights are protected. On top of this, there are many rights attributed to individuals that don’t necessarily fall under data security, e.g. the right of access, the right to data portability and the right to be forgotten. Did you know that, under the current UK data protection law, organisations can charge individuals up to £10 to get a copy of their data? Under the GDPR, access is free of charge, although a reasonable fee may be charged for requests that are manifestly unfounded or excessive (for example, repetitive requests), or for further copies of the same data.
As well as helping to prevent data breaches, GDPR also works to ensure that businesses become more transparent and clear with their data subjects.
4) All organisations are required to carry out a DPIA
Data protection impact assessments (DPIAs) help organisations identify potential risks and adopt measures to prevent them. Despite information to the contrary, it is important to understand that a DPIA is only mandatory in specific cases, namely when the organisation’s processing is likely to result in a high risk to the rights and freedoms of individuals (Article 35). Even so, documenting why a DPIA was judged unnecessary is good practice under the accountability principle.
5) Organisations can be compliant simply by installing the right software
Think of any compliance software as merely a tool. It can make life a lot easier for companies, especially if they deal with a vast number of data points across a large and complex organisation. But if it is misunderstood, or not used in the way that was intended, the company can still end up in breach of the law. Software does not replace knowing what data you hold, why you process it and who you share it with. Whether an organisation needs such a tool at all depends greatly on its budget and the scope of its processing.
6) Individual organisations are not responsible for the data outsourced to vendors
Accountability is one of the founding principles of GDPR. It ensures that a company remains responsible for personal data even after that data is outsourced or shared externally. A controller must only use processors that provide sufficient guarantees, and must have a written contract in place with each of them setting out the nature and purpose of the processing and the processor’s obligations (Article 28). Organisations should therefore have systems in place to know exactly what data is being shared, with whom, for what purpose and under what terms. In doing this, organisations can ensure that they are operating in a manner that is compliant with GDPR.
7) You need consent to process personal data
Many believe that in order to process someone’s personal data, the person in question must give their consent to it. Consent is, however, only one of six lawful bases for processing under Article 6, and it is only necessary where none of the others applies. The other bases are performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest, and legitimate interests; in many cases one of these is more appropriate than consent. For example, you don’t need consent to use personal data as necessary to provide a product or service someone ordered, because the contract with that person is itself the lawful basis.
Misconceptions are bound to arise when huge shifts in legislation occur, particularly when it impacts everyone from the average consumer, to social media giants, and all those in between. Hopefully this has helped in combating some of the misinformation surrounding GDPR.
If today, at the onset of GDPR, you find that your organisation does not comply in some areas, don’t panic: recognising the gap is the first step. The most important thing to do is to identify where your organisation falls short and document your findings. Then you can begin planning how to improve.
Egil Bergenlind, founder and CEO, DPOrganizer