The European Union's General Data Protection Regulation (GDPR) comes into force next month, yet there is still a lot of confusion surrounding it and exactly what it means for businesses. In fact, slightly worryingly, a HubSpot survey of 363 business leaders and marketers found that just 36% said they'd heard of GDPR.
Clearly, there's still a large gap in knowledge around the topic, and the vast amounts of rumours and mixed messages aren't helping. With this in mind, we decided to put together an EU GDPR summary to bust the most prominent myths, and hopefully shed some light on the most important issues facing business owners and their employees.
Clearly, in today's data-driven world, this has become increasingly important. As the image below from a 2017 Gigya report shows, the majority of consumers are wary of how their personal data is being used by companies, and given that the previous rules were brought in during the mid-nineties, the time was ripe for an upgrade.
Under the GDPR, data that identifies an individual, be it directly or indirectly, will become subject to stricter rules regarding consent and its use. This includes information such as names, photos, contact details, social media posts, and IP addresses. Businesses who fail to comply could face large fines, so it's essential that you have a clear understanding of what is expected of you and your team.
Ready to rid yourself of all that pesky misinformation? Here are 12 myths you’ve probably seen floating around on the subject, all fact-checked and clarified...
Well, actually... no. Whilst it's true that the majority of businesses will have to rely on consent to process data, this isn't the only option. There are actually six lawful bases on which an individual's data can be processed. Consent will undoubtedly be the toughest to obtain, given the strict rules around it (positive opt-ins, no pre-checked boxes, etc.), but the other bases are mainly geared towards organisations such as public authorities or financial institutions, which have a legal requirement to access such data.
This is a simple one: it's a resounding no. Even if the information was gathered pre-GDPR, it is still subject to the new European data protection law.
Another big no. The new data privacy regulations may have been established by the European Union, but they apply to any company that collects data on individuals resident in the EU, regardless of whether a transaction has even taken place.
If you're still unsure as to whether your business is affected, take a look at this helpful flowchart created by law firm Baker McKenzie.
The GDPR will come into force on the 25th May 2018, while the UK won't be out of the EU before April 2019. During this time the new rules will apply to those in the UK, and even after Brexit is complete it's likely that the UK government will adopt a similar approach with new data privacy laws.
It's also important to remember that regardless of what line the UK government does end up taking after Brexit, UK companies that deal with EU countries will still have to comply with GDPR rules anyway.
There's been a lot of talk around this point recently, but it's mainly unhelpful scaremongering. It's correct that the fines for breaking GDPR rules are much, much larger than those set out by the previous legislation (the DPA had a £500,000 maximum; fines under GDPR could reach €20 million). However, fines that hefty are very unlikely to become commonplace.
In fact, UK Information Commissioner Elizabeth Denham made a point of busting this very myth last year, wherein she also pointed out that only a tiny percentage of offending companies are charged under the current legislation:
'Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.'
This isn't strictly true. The guidelines state that you only need to notify the ICO of a personal data breach if it poses a risk to people's rights and freedoms. If a breach occurs that is likely to result in a high risk to people's rights and freedoms, for example harm to their reputation or damage to their finances, the offending business must also inform the individuals involved.
While it's true that the GDPR states that businesses must report personal data breaches as soon as possible, there is a 72-hour window in which to do so. There's also some leeway regarding how much information you're able to provide straight away: the GDPR states that more in-depth information can be given later.
The official guidelines advise that:
'The ICO will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident – but we will want to know the potential scope and the cause of the breach, mitigation actions you plan to take, and how you plan to address the problem.'
Nope, definitely not. In fact, in order to make sure that your business is fully compliant with the new regulations, a number of departments will need to be involved. In any case, it's certainly a very good idea to ensure that your entire team is aware of the GDPR principles, and exactly how they impact your organisation.
This is another one that's absolutely a myth, even if it has been widely circulated. It's imperative that a data processing agreement is set up between the controller and the processor, and there are actually a variety of obligatory terms to be included in order to be fully compliant. While it's the controller who is ultimately accountable, the agreement binds both parties to particular terms.
While this might have been intended when the GDPR guidelines were first being established, it is definitely not the case now. Companies will have a 'lead' supervisory authority, but others will also be able to get involved if a problem arises relating to a processor or controller residing in their Member State, or if individuals in their State are adversely affected by a personal data breach.
The DPO is simply an expert on data privacy within an organisation. It's their responsibility to keep both employees and members of the public informed about the way in which the company is using personal data, and they will usually be the point of contact for all related queries.
Image source: MEGA Community
It's not essential for all organisations to appoint a data protection officer under the GDPR. As the official guidelines state:
‘Under the GDPR, you must appoint a DPO if:
you are a public authority (except for courts acting in their judicial capacity);
your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
This applies to both controllers and processors. You can appoint a DPO if you wish, even if you aren’t required to.’
If you do make the decision to appoint a DPO, bear in mind that they have to be independent and an expert in the field. They can be a current employee or an external hire, but either way, they must report to the highest level of management.
Unfortunately, this isn't the case: there's no product out there that can do that. Instead, the tools on the market are intended to make the process of complying with GDPR easier and more efficient by collating all customer data in one database. In any case, regardless of the tools used, the most important thing is to ensure your team is adequately trained to know exactly how to handle the information it holds.
Ensuring that your organisation is complying with the new principles set out under the GDPR can seem like a daunting process, as there is seemingly a lot of information to take in. In order to ensure you're adhering to the guidelines, you and your entire team need to be aware of exactly what's expected, and the first step is knowing fact from fiction.
We hope this article has helped you do just that. Stay tuned for the second part of this myth-busting series, which we'll be publishing very soon!