Myth busting common GDPR misconceptions


Rapid technological advancements have resulted in the exponential growth of data in recent years. While this growth is creating new opportunities, it can also be challenging for organisations to understand what data they hold, where it is, and how it can be used. With high-profile data breaches making headlines on a regular basis, it's more important than ever to ensure your business's data is safely stored and protected.

Many of us are aware that the General Data Protection Regulation (GDPR) will be entering the statute books on 25 May 2018. It is a regulation that will seek to unify data protection law across all EU countries. What’s more, it has a broad territorial scope that applies to any and all businesses and organisations that handle, process or manage the personal data of individuals in the EU.

Failure to comply with GDPR may amount to a maximum fine of up to €20,000,000, or 4 per cent of global annual turnover. Therefore, it is imperative that your business understands its responsibilities in terms of complying.

During the build-up and preparation, businesses have asked many questions about the regulations and how they will work in practice. However, many still struggle to ascertain exactly what this legislation means for them, and continue to fall foul of some GDPR myths and common misconceptions.

Location, location, location: does where you store your data make a difference?

It's not just about what data is stored, but also where. Interestingly, when it comes to GDPR many businesses believe it only affects data that is stored online. However, it's important to note that while the main focus for many businesses will be on the auditing and storing of personal information in digital form, the new regulations also apply to data stored on paper.

The inherent problem with storing personal data on paper is that under the new rules, the processor needs to know not only where it is stored and how many copies of the information exist, but also how easily this information can be accessed if a user asks to view their data. Businesses need to put in place transparency rules that allow individuals to view and amend the data held on them.

For many, the best way to comply with the new GDPR rulings will be to move away from paper and digitise all data. This can be done by scanning, capturing and storing either locally or to the cloud using a system that adheres to the new regulations.

However, this leads us to another common misconception. Many companies believe that by placing their data in the cloud, it becomes the responsibility of the cloud provider, and not the individual company, to be GDPR compliant. This is not the case, and such confusion could easily end in your business being fined under the terms of the regulations. Anywhere your company stores personal data is covered by the regulations and therefore needs to be GDPR compliant, including data stored in the cloud.

If you do store data online, encryption should already be in place and should be seen as only a first step in protecting information. In and of itself, encryption is not enough to meet the requirements of GDPR, and relying on it alone could result in your business being fined.

What type of businesses can be affected?

This is an important question that needs to be understood. GDPR applies to any business that trades with any EU country and stores the personal data of any EU national within that country. Regardless of where the business itself is based, if it has dealings in the EU then it must comply with GDPR or face heavy fines.

When it comes to GDPR, size doesn't matter. If your business stores the personal data of an EU citizen then it must comply, regardless of the size of your operations. In some instances, concessions have been made to smaller operators, but the regulation sets the condition that 'the processing of data or monitoring of individuals' must be part of the core business of the company. Therefore, it is best to assume that, no matter its size, your business needs to comply with the regulations.

Is GDPR the only regulation concerning data processing?

While GDPR supersedes much legislation across Europe and simplifies data processing rules, it isn't the sole directive that businesses of all sizes must adhere to. No matter the size of your business, you will also need to comply with individual national privacy rules, which typically vary from country to country.

While GDPR aims to simplify many of the data processing rules across Europe, it does not interfere with the national privacy acts of individual countries. Therefore, even if you are GDPR compliant, your business will also need to meet the personal data regulations of the national privacy act in each country in which you operate.

The bottom line is that businesses need to take GDPR and other privacy legislation seriously. After a string of public data leaks and cyber-attacks, users are waking up to the fact that data security matters. Businesses need to ensure they are following suit.

Stuart Sykes, UK Managing Director, Sharp Business Systems 