A lot of information about GDPR has been shared from many different sources. Unfortunately, not all of that information is relevant or completely accurate. In fact, some of it is wrong and could prove costly for those who act on it. As a result, we have compiled 10 GDPR myths that you should know about.
MYTH 1: GDPR is a single point project with a defined end date like Y2K
Some firms are tackling GDPR with the same hysteria prevalent during the Y2K millennium bug, approaching GDPR as a "box" they need to tick by May 25, 2018, after which they are done. This is definitely not the case. GDPR will require businesses to work differently. It's like running a series of marathons: you need to take the time to prepare, run your first race by May 2018, and then stay in shape to run the next one whenever it comes. In other words, it's an ongoing process of accountability, not a one-off project.
MYTH 2: No one will really get fined
The fines for noncompliance are quite large. For the most serious infringements they can be up to €20 million or 4% of a company's total worldwide annual turnover for the preceding financial year, whichever is higher. Some think that these fines are exaggerated and that no business will ever have to pay them. Think again. Granted, supervisory authorities will not have the resources to investigate every incident, but many will be reviewed. There will be companies that knowingly choose not to comply, and the supervisory authorities may choose to make examples of them. The biggest fines will probably be levied against larger businesses to get the attention of other large businesses, but smaller businesses that don't comply will also see fines, and even a modest fine could have dire consequences for a small business.
MYTH 3: All data breaches have to be reported within 72 Hours
This is not a straight-up myth, but it is only partly true. First, the 72-hour time frame is not absolute: the regulation states that notification must be made "without undue delay and, where feasible, not later than 72 hours after having become aware of it". Second, only personal data breaches need to be reported to the supervisory authority. A personal data breach is a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data; it may result in loss of control over personal data, identity theft or fraud, financial loss, or many other forms of harm to the individual. Personal data breaches are therefore a subset of security breaches: an outage or a compromised system that exposes no personal data is a security incident, but not a reportable personal data breach.

Breach notification obligations also depend on whether a firm is a data controller or a data processor. A data controller is an entity that determines the purposes and means of the processing of personal data, while a data processor is an entity that processes personal data on behalf of the controller. Once the controller becomes aware that a personal data breach has occurred, it must notify the competent supervisory authority within 72 hours, unless it can demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of natural persons, in which case no report is required. The controller should document that assessment, because the supervisory authority can ask to see it. If the controller reports after the 72-hour window, the notification must be accompanied by the reasons for the delay. The notification and its supporting information may be provided in phases as the investigation progresses. If the controller determines that the personal data breach "is likely to result in a high risk to the rights and freedoms of individuals," it must also communicate the breach to the affected persons without undue delay.

A data processor must notify the controller after becoming aware of a personal data breach. No specific time limit is given for the processor; the regulation simply says "without undue delay". In practice, the controller's 72-hour clock does not pause while a processor sits on a breach, so contracts with processors should specify a much shorter internal reporting deadline.
MYTH 4: GDPR is all about the data hacking
GDPR is not all about data hacking. It takes a holistic approach to data management, and this is where best practices come in. Ask whether you are collecting the right kind of data. Are you collecting more than you need? Does everybody really need access to every piece of information, or can it be separated so that each team sees only what it needs? Ad hoc spreadsheets of personal data, copied around and shared with everyone, are not going to be an acceptable way of managing it. You will need to find different ways of knowing what personal data you hold, why you hold it, and who can access it.
MYTH 5: Data protection is an IT issue
There is no technology available that will make you GDPR compliant on its own. Data protection is a boardroom issue, and while IT is involved, so are operations, HR, sales and marketing. It's about people and processes first. Technology can of course help with particular tasks, such as data discovery, record keeping and security, but it supports the programme rather than replacing it.
MYTH 6: A product can make you GDPR compliant
There is no product on the market that can make any organization GDPR compliant. The tools on offer are meant to make implementing GDPR simpler, for example by recording what you know about each customer in a single place. GDPR requires that consent, where it is the basis for processing, be validly obtained, and that data collection and storage be transparent. Individuals in the EU have a right to erasure (the "right to be forgotten"), which means they can ask an organization to delete the personal data it holds about them, subject to certain exceptions. Having an inventory of that data in one location makes such requests easier to honour, but it does not by itself make the company compliant. Other important facets of GDPR include the breach notification duties described under Myth 3 (the supervisory authority within 72 hours where the breach is likely to result in a risk, and the affected individuals without undue delay where the risk is high), and the requirement to put safeguards in place for the protection of personal data, such as data protection impact assessments (DPIAs) for high-risk processing. One of the most important and most overlooked aspects of GDPR is that the best system in the world won't work if employees are not properly trained. Three roles run through the regulation: the data controller, the data processor, and the data protection officer (DPO). Controller and processor are not positions you appoint; they describe what an organization actually does with personal data. The controller decides how and why personal data is collected and processed and must ensure that the processors it uses, including outside contractors and cloud providers, comply with GDPR, typically through a written processing agreement. The DPO, where one is required (see Myth 8), informs and advises the organization and monitors its compliance, including its security measures, but must remain independent rather than owning the strategy outright. Processors now have direct obligations under GDPR and can be held liable for breaches and non-compliance on their part.
MYTH 7: GDPR is limited to personally identifiable information
GDPR's definition of personal data is not restricted to obviously identifying details such as names and addresses. Personal data under GDPR covers online identifiers such as IP addresses and cookie identifiers, too, whenever they can be linked to an individual. "Traditionally, the digital ad sector treated cookies and IP addresses as anonymous, but now, that's no longer the case," said Stringer. "People are using language they're used to, like PII and non-PII, which is confusing things. It's important people treat non-PII as personal data, too."
MYTH 8: Everyone needs a Data Protection Officer (DPO)
The DPO is meant to be the data protection expert in an organisation. Although many organisations will need a DPO, including some small businesses, not everyone needs to appoint one. Under GDPR, an organisation must appoint a data protection officer (DPO) if: (a) it is a public authority or body (except for courts acting in their judicial capacity); (b) its core activities consist of large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or (c) its core activities consist of large-scale processing of special categories of data, or of data relating to criminal convictions and offences. It is important to understand the role of a DPO before appointing one, because the position needs to meet particular requirements laid out in the law. For example, the DPO must be independent, must report to the highest level of management, and must be given the resources to do the job.
MYTH 9: Biometric data is sensitive data under the GDPR
Biometric data is special category ("sensitive") data under the GDPR only when it is processed for the purpose of "uniquely identifying" someone (Art. 9(1)). A set of photographs uploaded to a cloud service would not in itself be considered sensitive data, for example, unless it is processed by specific technical means for identification purposes; think of airport security gates that match your face against your passport photograph.
MYTH 10: All data must be encrypted in order to be in compliance with the GDPR
This is false. The GDPR requires that technical and organisational measures be implemented to provide a level of security appropriate to the risk, based on an assessment of the risk involved in the processing or storage of the personal data in question. Encryption is named in the regulation as an example of an appropriate measure, alongside pseudonymisation, ensuring the ongoing confidentiality, integrity, availability and resilience of systems, the ability to restore access after an incident, and regular testing of those measures; but it is not a blanket requirement. Everything depends on the risk of leaving the data unencrypted. For high-risk data, such as patient medical information, encryption at rest and in transit is the expected baseline. There is also a practical incentive: if a breach affects only data that was encrypted so that it is unintelligible to whoever obtained it, the controller is not required to communicate the breach to the affected individuals, although the notification to the supervisory authority may still be due.