Hands using a phone with a blue GDPR overlay

6 Myths About the General Data Protection Regulation Debunked

19 Mar 2018 by Emily Allender

On May 25, 2018, the General Data Protection Regulation (GDPR) will become enforceable, and many businesses are still scrambling to understand the law’s finer points. This regulation aims to increase the protection of European Union (EU) citizens’ personal data by making the businesses that collect it more accountable for its security.

With the deadline rapidly looming, a shocking number of misleading facts still abound. Here are some of the more popular myths surrounding the GDPR and the truth about each.

Myth 1: The GDPR doesn’t apply to businesses outside the EU.

Yes, it does. It’s true the GDPR concerns the personal data of people living in the EU; however, what it actually regulates is the gathering and processing of this data, no matter where that takes place. If you decide not to comply, the fact that your business is based in Asia Pacific. will not be enough to keep you from a fine of approximately $24 million USD (€20 million), or 4% of your company’s global annual revenue.

Myth 2: All personal data is the same.

Article 9 of the GDPR outlines several types of sensitive data that are prohibited to process. These are considered separate from the general data referred to in the rest of the text and include “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership … genetic data, biometric data … [and] data concerning a natural person’s sex life or sexual orientation.” If your organisation collects or processes any of this type of particularly sensitive information, you face additional requirements for doing so.

Myth 3: The GDPR doesn’t apply to data already collected.

As long as the information collected qualifies as personal data pertaining to an EU citizen, it falls under this regulation — regardless of when it was collected. For example, let’s say a handful of French citizens signed up for your company’s email newsletter back in 2014, and those addresses are still in the company database. As of May 25, 2018, you will have to provide proof those data subjects gave their consent as outlined in Article 7 of the GDPR. Plus, those citizens will have the same right to rectification, erasure, restriction of processing and data portability as those whose data is collected post-GDPR.

Myth 4: It’s your cloud service provider’s job to make sure your data is compliant.

The data chain starts with your business, but even if you’re using a third party to store personal data, you’ll still be held responsible for meeting GDPR requirements. In the event of a data breach, both you and your cloud service provider will need to comply with GDPR policy. Because of that, it’s imperative that you have documentation of their data protection policies and processes as they relate to this regulation.

Myth 5: Every company has to appoint a data protection officer.

Your organisation would be required to appoint a Data Protection Officer (DPO) in only three situations:

  • If you're a public authority or body that processes data
  • If your core activities require widespread, regular monitoring of data subjects
  • If you process sensitive information (discussed in myth 4) on a large scale

These are rather vague designations. For example, nothing in the regulation clearly states what constitutes large-scale data processing. But here’s something to keep in mind: If your organisation is audited for compliance and the auditor discovers you’re required to have a DPO but don’t, the fines will be stiff.

Even if your company is on the fence about needing a DPO, or it doesn’t fit any of the above categories, it’s worth appointing a protection officer. The compliance process can be long and confusing — a DPO can be instrumental in helping your company navigate it successfully.

Myth 6: Fines are the biggest threat to your business.

Sure, $24 million USD in fines is enough to get most companies working toward compliance, but there’s another incentive businesses should be focusing on. The GDPR represents a clear change in public opinion regarding the privacy of personal information — consumers and employees want greater control over who has their data and what they’re doing with it.

While the GDPR and its massive fines are making the headlines, businesses would do well to remember public opinion matters just as much. Companies that enthusiastically embrace these new rules for data protection will win major points with their customers. Businesses that don’t risk alienation.

Insight disclaims this as a full review on EU data privacy nor is it intended to be legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand some important legal points. You should not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding. Insight suggests you consult an attorney if you’d like advice on your interpretation of this information or its accuracy or its applicability to your business.