GDPR may have been announced over two years ago, but somewhat worryingly, a lot of businesses are still unprepared. In fact, research from law firm Paul Hastings found that just 10% of UK companies have designated a budget for compliance with the new regulations, and a rather disappointing 15% of businesses surveyed by Deloitte on the topic say that they will be completely compliant by the time GDPR comes into force on 25 May 2018.
One of the biggest challenges for businesses looking to prepare for GDPR is the large amounts of misinformation being spread online. In this concluding part of our myth-busting series, we fact-check more of the most common topics around the EU general data protection regulation 2018.
While the new regulations do mean stricter terms for the collection and use of personal data; particularly when it comes to gaining consent, they are definitely not a complete departure from the previous laws. In fact, the GDPR principles should be viewed more as building on and expanding from current privacy regulations, so businesses who are already compliant with these should find themselves on good footing when it comes to complying with GDPR.
The official GDPR website refers to personal data as:
'Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.'
While this includes more traditional forms such as names, banking details, and medical information, it also now means that data forms not relating to an individual, such as IP addresses and tracked cookies, are now protected.
This topic has become a little bit confused, but the quick answer is no. Explicit consent - which can take the form of nothing less than an opt-in - is only required in the cases of data that has been deemed 'sensitive'. For all other data, the consent must be 'unambiguous'; easy to understand (with no legal speak) and simple to withdraw should the data subject request it.
There may have been a large number of articles written about this, the reality is likely to be rather different. Think about it - both those companies have a lot to lose when it comes to tighter data protection laws, so the GDPR could actually see an adverse effect on their revenue as a result.
Well... this definitely isn't true. The current data privacy laws were put in place over two decades ago, and we all know that the impact data has on our lives has grown immensely since then, as well as the technology surrounding it. Consumers are much more savvy to data breaches now, as the images below from RSA show.
The same report also found that young people (aged 18-24) are now more worried about their personal data (photos and messages) being stolen and used against them than they are more traditional forms of data. This point alone demonstrates the need to bring current legislation up to date.
As for the new EU data protection regulation being a hassle, provided your company is compliant with the current data privacy laws, you shouldn't find it too much of a burden to extend your data protection strategy to cover the new principles.
The GDPR guidelines lists biometric data as:
'personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person'
This means that things like fingerprints and facial recognition will be classed as sensitive data and require consent, whereas things like photos that aren't being used to identify individuals, will not.
As is shown in the image below taken from Veritas' GDPR report, most businesses are worried about the fines that will be issued for data breaches under GDPR. However, while there's been a lot of scaremongering on the topic, the reality is that the ICO will use fines as a last resort, and in any case, they will be proportionate to the level of infringement committed.
Still, it will be important for companies to report breaches and to do so in a timely manner; as not doing so can result in fines as well. Ultimately, it is best to work on a system of complete transparency and to give as much information as possible when reporting, in order to demonstrate your commitment to becoming totally compliant and protecting your customers' personal data as fully as possible.
Regulators aren't trying to catch businesses out, instead, they're focused on making you and your team more able to deal with potential threats to your data security. At the end of the day, it's important that consumers believe that regulators have their best interests at heart, and are doing everything in their power to monitor companies and prevent breaches.
As Elizabeth Denham, Information Commissioner, stated last year:
'We understand that there will be attempts to breach organisations’ systems, and that data breach reporting will not miraculously halt criminal activity. But the law will raise the level of security and privacy protections across the board.'
Surprisingly, there are still businesses out there that believe this one to be true. It certainly isn't, though. The GDPR has been set by the European Union, but it affects every single organisation that collects and/or uses personal data belonging to individuals based in EU countries. This is regardless of whether or not they actually gather the data themselves.
So, if you're US-based but operate within any country within the EU, you still need to ensure that your business is fully compliant with the new regulations.
While businesses will need to ensure they are prepared by the time the GDPR comes into effect in May, remaining compliant will be an ongoing process; things shouldn't just come to a halt after the initial implementation. However, the ICO has stated that there'll be no 'grace period' here - given that businesses have already had two years for preparation since the GDPR was announced, the regulation will begin in full from the day the new laws come in.
Even if you're using a third party to store or process your data, it is still your responsibility to ensure the provider is fully compliant with GDPR and that the personal information your business uses is protected. GDPR principles set strict guidelines for data controllers ensuring they select reputable data processors, and making excuses or trying to pass the blame just isn't going to work.
While both are a good way of helping to protect the personal data you hold from potential breaches, using them alone doesn't mean you don't have to do anything else to comply to the new laws.
With the GDPR implementation date drawing ever closer, it's vital that businesses know exactly what it means for them in order to take the right steps to be fully compliant. At Global Database we hope you found this myth-busting two-part series helpful, and are now clearer on what the new principles being introduced are, and how they'll impact your company.