I have been evangelising about GDPR for almost two years, professionally and personally. It’s a powerful piece of legislation designed to empower citizens of Europe and to deter the inappropriate information management practices of the past. It aims to rebalance a data subject’s control over information with the organisation’s need to maximise use and profit from that information.
During the various communication sessions which I have been privileged to run as a member of the BH team, I have been asked many questions. Some have been easy: the yes-or-no kind, answered by pointing to the relevant article of the GDPR. Others have been really challenging. You know the kind: the questions that make you dig deep and go rooting for the answer.
For example, one wonders whether the GDPR will in fact harm customer service, given the onerous challenge organisations now face in continuing to provide excellent service while complying with the Regulation. Only time will tell. I foresee a big problem with misinformation: customer service staff, afraid of processing data in a way that harms the data subject, will wrongly cite ‘data protection legislation’ and refuse to provide a service they used to provide.
In listening to organisations and discussing their challenges, I have repeatedly heard ‘things GDPR’ that are mythical and inaccurate. The formation of these myths reminds me of the old Chinese whispers joke from the World War I trenches, where the troop commander sends a message to be passed verbally, man to man, to the communications officer at the far end of the trench. The message starts as ‘send reinforcements, we are going to advance’ and reaches the communications officer as ‘send three and fourpence, we are going to a dance’. These GDPR myths seem to form in the same way and end up as ‘facts’ communicated to the organisation or to the data subject. So I decided to pool these myths together and communicate them, so that we can address them in business and as a society.
The myth that the GDPR applies only to organisations based in the EU is untrue. It doesn’t matter whether your organisation is established in an EU Member State or not. If it processes personal data of data subjects who are in the EU in connection with offering them goods or services, or with monitoring their behaviour, then it will almost certainly be required to comply (Article 3(2)).
There is no opt-out clause in the GDPR for small companies. The Regulation applies to any controller or processor, whether a natural or legal person, public authority, agency or other body (Articles 4(7) and 4(8)), from a sole trader all the way up to governments and multinational corporations.
Again, another frequently cited myth. The GDPR does contain a limited exemption for organisations with fewer than 250 employees, but it does not say that these organisations are exempt from the Regulation as a whole. The GDPR expects all small and medium-sized enterprises (SMEs) to comply in full, and it acknowledges that many SMEs pose a smaller risk to the privacy of data subjects than larger organisations by relaxing one particular obligation. Article 30(5) states that organisations employing fewer than 250 persons are not required to maintain a record of the processing activities under their responsibility, unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data […] or personal data relating to criminal convictions and offences”. In practice, any SME whose processing is routine rather than occasional will still need to keep the record.
Virtually all public authorities and bodies will be required to designate a DPO under the GDPR (Article 37(1)(a); courts acting in their judicial capacity are the exception). In the private sector, the GDPR introduces a limited mandatory DPO requirement: controllers and processors must designate a DPO only if their core activities consist of either of the following:
Each Member State is free to introduce broader national DPO requirements (Article 37(4)). Larger organisations operating across the EU would be well advised to consider appointing a DPO voluntarily, as this may be the most effective and efficient way to discharge their comprehensive GDPR compliance obligations.
This myth is a frequent one. The Regulation does not apply to processing carried out “by a natural person in the course of a purely personal or household activity” (Article 2(2)(c)); Recital 18 gives correspondence, the holding of addresses and personal social networking as examples. Article 4(18) does define an ‘enterprise’ as a natural or legal person engaged in an economic activity, but the test for this exemption is whether the activity is purely personal, not whether it is economic: charities and public bodies are within the Regulation even though they are not businesses. So you are not subject to the Regulation if you keep your personal contacts’ details on your own computer. The CCTV example needs a caveat: a camera on your house that records only your own property falls within the household exemption, but the CJEU held in Ryneš (C-212/13, decided under the predecessor Directive, whose exemption is worded the same way) that a home camera that also records the public street outside does not.
The GDPR requires that, where consent is the lawful basis for processing, consent must be “unambiguous”: a freely given, specific and informed indication of the data subject’s wishes, given by a statement or by a clear affirmative action (Article 4(11)). Silence, pre-ticked boxes or inactivity do not count (Recital 32). “Explicit” consent is required for processing special categories of personal data (Article 9(2)(a)), and also for solely automated decision-making with legal or similarly significant effects (Article 22(2)(c)) and for certain international transfers (Article 49(1)(a)); in those contexts nothing short of an expressly stated opt-in will suffice. For ordinary personal data, “unambiguous” consent suffices.
The GDPR is in fact a ‘technology neutral’ piece of legislation built around the six principles of data protection set out in Article 5(1). Only one of these, integrity and confidentiality (Article 5(1)(f)), addresses securing data, and the security measures it calls for are detailed in Article 32. Although the Regulation offers some compliance advantages for encrypting personal data (for instance, a breach of data that was encrypted may not need to be communicated to the data subjects, Article 34(3)(a)), it gives equal weight to all six principles:
The GDPR is a serious piece of legislation, and organisations need certainty about the obligations and responsibilities it places on them. Certainty can only be achieved by reading the legislation (it is very well written) and the interpretations of it, or by paying someone to do that for you.
In my view, we can cut organisations some slack if they genuinely misunderstood this new legislation, but service providers engaged by clients to understand and advise on the GDPR cannot be forgiven for misleading those clients. And many of the myths I have encountered originated from professionals operating in the GDPR space. Just as we go to a registered engineer when we need a gas boiler serviced, organisations should check the privacy and data protection qualifications of those they engage for GDPR advice.