Sorting GDPR Facts from Fiction: More Myths Busted!

by Nicolae Buldumac
Sorting GDPR Facts from Fiction: More Myths Busted!

GDPR may have been announced over two years ago, but somewhat worryingly, a lot of businesses are still unprepared. In fact, research from law firm Paul Hastings found that just 10% of UK companies have designated a budget for compliance with the new regulations, and a rather disappointing 15% of businesses surveyed by Deloitte on the topic say that they will be completely compliant by the time GDPR comes into force on 25 May 2018.

One of the biggest challenges for businesses looking to prepare for GDPR is the large amounts of misinformation being spread online. In this concluding part of our myth-busting series, we fact-check more of the most common topics around the EU general data protection regulation 2018.

The New Regulations Are a Complete Overhaul of the Previous Rules

While the new regulations do mean stricter terms for the collection and use of personal data; particularly when it comes to gaining consent, they are definitely not a complete departure from the previous laws. In fact, the GDPR principles should be viewed more as building on and expanding from current privacy regulations, so businesses who are already compliant with these should find themselves on good footing when it comes to complying with GDPR.

GDPR Only Covers Data that is Personally Identifiable

The official GDPR website refers to personal data as:

'Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.'

While this includes more traditional forms such as names, banking details, and medical information, it also now means that data forms not relating to an individual, such as IP addresses and tracked cookies, are now protected.

The Use of all Personal Data Will Require 'Explicit' Consent

This topic has become a little bit confused, but the quick answer is no. Explicit consent - which can take the form of nothing less than an opt-in - is only required in the cases of data that has been deemed 'sensitive'. For all other data, the consent must be 'unambiguous'; easy to understand (with no legal speak) and simple to withdraw should the data subject request it.

Facebook and Google are Going to Gain from GDPR

There may have been a large number of articles written about this, the reality is likely to be rather different. Think about it - both those companies have a lot to lose when it comes to tighter data protection laws, so the GDPR could actually see an adverse effect on their revenue as a result.

The New Legislation Isn't Actually Needed, it's Just More Hassle for Businesses

Well... this definitely isn't true. The current data privacy laws were put in place over two decades ago, and we all know that the impact data has on our lives has grown immensely since then, as well as the technology surrounding it. Consumers are much more savvy to data breaches now, as the images below from RSA show.

The same report also found that young people (aged 18-24) are now more worried about their personal data (photos and messages) being stolen and used against them than they are more traditional forms of data. This point alone demonstrates the need to bring current legislation up to date.

As for the new EU data protection regulation being a hassle, provided your company is compliant with the current data privacy laws, you shouldn't find it too much of a burden to extend your data protection strategy to cover the new principles.

Biometric Data Cannot be Used Under EU GDPR Rules

The GDPR guidelines lists biometric data as:

'personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person'

This means that things like fingerprints and facial recognition will be classed as sensitive data and require consent, whereas things like photos that aren't being used to identify individuals, will not.

If Your Business Fails to Report Quick Enough You Will be Given a Hefty Fine

As is shown in the image below taken from Veritas' GDPR report, most businesses are worried about the fines that will be issued for data breaches under GDPR. However, while there's been a lot of scaremongering on the topic, the reality is that the ICO will use fines as a last resort, and in any case, they will be proportionate to the level of infringement committed.

Still, it will be important for companies to report breaches and to do so in a timely manner; as not doing so can result in fines as well. Ultimately, it is best to work on a system of complete transparency and to give as much information as possible when reporting, in order to demonstrate your commitment to becoming totally compliant and protecting your customers' personal data as fully as possible.

The Main Purpose of Data Breach Reports is to Punish Companies

Regulators aren't trying to catch businesses out, instead, they're focused on making you and your team more able to deal with potential threats to your data security. At the end of the day, it's important that consumers believe that regulators have their best interests at heart, and are doing everything in their power to monitor companies and prevent breaches.

As Elizabeth Denham, Information Commissioner, stated last year:

'We understand that there will be attempts to breach organisations’ systems, and that data breach reporting will not miraculously halt criminal activity. But the law will raise the level of security and privacy protections across the board.'

My Company is Located in the US, and is Therefore Unaffected by GDPR

Surprisingly, there are still businesses out there that believe this one to be true. It certainly isn't, though. The GDPR has been set by the European Union, but it affects every single organisation that collects and/or uses personal data belonging to individuals based in EU countries. This is regardless of whether or not they actually gather the data themselves.

So, if you're US-based but operate within any country within the EU, you still need to ensure that your business is fully compliant with the new regulations.

GDPR has a Single Fixed Deadline

While businesses will need to ensure they are prepared by the time the GDPR comes into effect in May, remaining compliant will be an ongoing process; things shouldn't just come to a halt after the initial implementation. However, the ICO has stated that there'll be no 'grace period' here - given that businesses have already had two years for preparation since the GDPR was announced, the regulation will begin in full from the day the new laws come in.

If You Use a Cloud Service, It's up to the Provider to Comply with GDPR

Even if you're using a third party to store or process your data, it is still your responsibility to ensure the provider is fully compliant with GDPR and that the personal information your business uses is protected. GDPR principles set strict guidelines for data controllers ensuring they select reputable data processors, and making excuses or trying to pass the blame just isn't going to work.

Using Pseudonymisation and Encryption Means My Business is Compliant with GDPR

While both are a good way of helping to protect the personal data you hold from potential breaches, using them alone doesn't mean you don't have to do anything else to comply to the new laws.

With the GDPR implementation date drawing ever closer, it's vital that businesses know exactly what it means for them in order to take the right steps to be fully compliant. At Global Database we hope you found this myth-busting two-part series helpful, and are now clearer on what the new principles being introduced are, and how they'll impact your company.


Related posts

What are SIC Codes and NAICS Codes?
What are SIC Codes and NAICS Codes?
Understanding both the Standard Industrial Classification (SIC) and Northern American Industry Classification System (NAIC) can help you get the most from these databases, which represent an extensive survey of the economic landscape of North America, from larger market trends to company specific information about business activities.
Why Does B2B Lead Generation Matter?
Why Does B2B Lead Generation Matter?
In this basic B2B lead generation guide, you’ll learn about B2B lead generation marketing and digital strategies, effective tools and tactics, and B2B lead generation platforms that can put you on the path to sustainable business growth.
Top 10 features of  B2B data providers
Due diligence
Top 10 features of B2B data providers
Information has always been a critical success factor of any business, be that knowledge about prospects, the market or competitors. But today, with the digital boom and the B2B data sector moving with an extremely fast pace, data has become the indispensable fuel of any business’ engine.