The General Data Protection Regulation (GDPR) comes into force on the 25th May and will completely overhaul how businesses process and handle data and give individuals a greater control over who collects and processes their data, what it is used for, and how it is being protected.
Despite the May deadline edging ever closer, there are still a number of myths surrounding the GDPR that need dispelled.
Myth 1: Every company needs to appoint a DPO
This is false. Only certain organisations will need to appoint a Data Protection Officer (DPO) under the GDPR.
You must appoint a DPO if:
- you are a public authority
- your core activities require large scale, regular and systematic monitoring of individuals
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences
The DPO should be an expert in GDPR and privacy practices, as they are responsible for the monitoring and reporting of GDPR compliance.
DPO’s are expected to help guide Data Controllers and Data Processors by auditing internal compliance and suggesting suitable corrective recommendations where necessary. DPO’s are also expected to act in an independent manner within the organisation.
Myth 2: GDPR only affects European companies
This is false. Although the GDPR is a European regulation, it has wider implications. It doesn’t matter where in the world you are located, if your company is based outside the EU but engages in business transactions with an individual based in Europe, then the GDPR will apply.
Similarly, if a business is headquartered outside the EU but has European operations, it must also comply. GDPR is about personal data and the locality of the person when their data is collected. This is what determines the applicability of the regulation.
Myth 3: GDPR won’t apply to the UK because of Brexit
This is false. The GDPR will still apply after Brexit. The GDPR is designed to regulate how organisations process and control the personal data of EU citizens, regardless of where they are located. The UK will not leave the European Union until April 2019 so European law will continue to apply within the UK.
Myth 4: Fines are the biggest threat to your business
This is False. Although organisations in breach of the GDPR can be faced with fines of up to 4% of annual global turnover or 20 Million Euros, there are a range of other problems non-compliant businesses face.
The GDPR requires that organisations disclose any personal data breaches to the relevant supervisory authority within 72 hours of detection. If the breach results in a high risk of affecting an individual’s rights and freedoms, then the individual must also be notified with immediate effect.
This uncertainty and loss of data could result in customers leaving and switching to competitors. The loss of consumer confidence could in turn damage the reputation of a business and result in a loss of revenue.
Myth 5: Consent is the only way to process data
This is false. A large number of organisations are under the assumption that consent is the only legal basis for processing personal data. Consent is just one of six legitimate purposes that are required for all processing of personal data.
Under the GDPR, ‘lawful processing’ is only possible when:
- There is consent from the data subject
- Processing is necessary for the performance of a contract with the data subject
- Processing is necessary to comply with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where interests are overridden by the interests, rights or freedoms of the data subject
If you are unsure if your business is on the right track to GDPR compliance, contact us to find out how we can help. MetaPrivacy has been specifically designed to provide the best practice approach to data privacy compliance.