I have been evangelising about GDPR for almost two years, professionally and personally. It’s a powerful piece of legislation designed to empower citizens of Europe and to deter the inappropriate information management practices of the past. It aims to rebalance a data subject’s control over information with the organisation’s need to maximise use and profit from that information.
During the various communication sessions which I have been privileged to run as a member of the BH team, I have been asked many questions. Some have been easy: the yes and no kind with reference to the article in GDPR. Others have been really challenging. You know the kind…the type of questions that make you dig deep inside you and go rooting for the answer.
For example, one wonders whether GDPR will in fact harm customer service, given the challenge organisations now face in continuing to provide excellent service while complying with the Regulation. Only time will tell. I foresee a big problem with misinformation, where customer service personnel, afraid they might process data in a way that results in damage to the data subject, incorrectly cite ‘data protection legislation’ and refuse to provide a service that they used to provide.
In listening to organisations like these and discussing their challenges, I have repeatedly heard ‘things-GDPR’ that are mythical and inaccurate. The formation of these myths reminds me of the old joke of Chinese whispers in World War I trenches, where the commander of the troop sends a message to be communicated, man to man verbally, to the communications officer at the far end of the trench. The message starts as ‘send reinforcements we are going to advance’ and finally reaches the communications officer as ‘send three and fourpence we are going to a dance’. These GDPR myths too seem to form like Chinese whispers and end up as ‘facts’ communicated to the organisation or the data subject. So, I decided to pool these myths together and communicate them so that we can address them in business and as a society.
Myth 1: “We are not a European Organisation and therefore don’t have to worry about GDPR compliance and there is no way for the fines to be imposed on us”
This is untrue. It does not matter whether your organisation is established in an EU Member State or not. Under Article 3(2), the Regulation applies to any controller or processor outside the EU that processes the personal data of individuals in the EU in connection with offering them goods or services (paid or free) or monitoring their behaviour. If your organisation processes, stores or transmits such data, you will almost certainly be required to comply.
Myth 2: “We have only four employees and therefore don’t have to worry about GDPR compliance”
There is no opt-out clause in the GDPR for small companies. The Regulation applies to any controller or processor, whether a natural or legal person, public authority, agency or other body (Article 4(7) and 4(8)) – from a sole trader all the way up to governments and multinational corporations.
Myth 3: “We have fewer than 250 employees so the GDPR does not apply to us”
Another frequently cited myth. The GDPR does mention a derogation for entities with fewer than 250 employees, but it does not state that these organisations are exempt. The GDPR expects all small and medium-sized enterprises (SMEs) to comply in full with the Regulation, while acknowledging that many SMEs pose a smaller risk to the privacy of data subjects than larger organisations and making a narrow exception for them. Article 30(5) states that an organisation with fewer than 250 employees is not required to maintain a record of processing activities under its responsibility, unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data […] or personal data relating to criminal convictions and offences”. In practice, any organisation that processes personal data routinely (for example, a customer database or payroll) fails the “occasional” test and must keep the record anyway.
Myth 4: “We have to appoint a DPO”
Virtually all public authorities and bodies will be required to designate a DPO under the GDPR (courts acting in their judicial capacity are the exception). When it comes to the private sector, the GDPR introduces a limited mandatory DPO requirement. Under Article 37(1), controllers and processors are only required to designate a DPO if their core activities consist of either of the following:
- Processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale
- Processing on a large scale of special categories of data (Article 9) or personal data relating to criminal convictions and offences (Article 10).
Each Member State is free to introduce broader national DPO requirements. Larger organisations operating across the EU would be well advised to consider appointing a DPO on a voluntary basis as this might be the most effective and efficient way to discharge their comprehensive GDPR compliance obligations.
Myth 5: “We don’t do transactions or undertake ‘profit’-related activity as we are a charity/club, so the GDPR does not apply”
This myth is a frequent one. Whether the GDPR applies has nothing to do with whether you make a profit. Article 4(18) defines an “enterprise” as a natural or legal person engaged in an economic activity, irrespective of its legal form, and a charity or club that holds membership lists, donor records or volunteer details is processing personal data just like any business. The only carve-out of this kind is the household exemption in Article 2(2)(c): the Regulation does not apply to processing “by a natural person in the course of a purely personal or household activity”. This means you would not be subject to the Regulation if you keep your personal contacts’ information on your home computer or run CCTV cameras on your house to deter intruders, provided the cameras cover your own property and not the public street outside it.
Myth 6: “When relying on consent to process personal data, consent must be explicit”
The GDPR requires that where consent is the legal basis for processing personal data, consent must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes” given by a statement or a clear affirmative action (Art 4(11)). “Explicit” consent is required only for processing special categories of personal data (what the old legislation called sensitive personal data) – in this context, nothing short of an expressly stated “opt in” will suffice (Art 9(2)(a)). For non-sensitive data, “unambiguous” consent is enough, though a pre-ticked box or silence does not meet even that bar. It is also worth remembering that consent is only one of six lawful bases in Article 6; organisations often rely on consent when contract, legal obligation or legitimate interests would be the better fit.
Myth 7: “GDPR is all about encryption, pseudonymisation and privacy enhancing tools”
GDPR is in fact a ‘technology neutral’ piece of legislation that asks organisations to review their processing against the six principles of data protection in Article 5(1). Only one of these principles addresses securing data. Although the Regulation offers some compliance advantages for encrypting personal data (such as not having to notify data subjects of a breach where the data was rendered unintelligible to anyone not authorised to access it, Art 34(3)(a)), it gives equal weight to all six principles:
- 1. Lawfulness, fairness and transparency: Personal data must be processed on a valid lawful basis, fairly, and in a way that is transparent to the data subject.
- 2. Purpose limitation: Organisations should only collect personal data for specified, explicit and legitimate purposes, clearly state what those purposes are, and not further process the data in a manner incompatible with them.
- 3. Data minimisation: Organisations must only process the personal data that is adequate, relevant and limited to what they need to achieve their processing purposes.
- 4. Accuracy: The GDPR states that “every reasonable step must be taken” to erase or rectify without delay data that is inaccurate, having regard to the purposes for which it is processed.
- 5. Storage limitation: Organisations must not keep personal data in identifiable form for longer than is necessary for the purposes for which it is processed.
- 6. Integrity and confidentiality: This is the only principle that deals directly with security. The GDPR states that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. The Regulation is deliberately vague about which measures to take, because technological and organisational best practice is constantly changing; Article 32 instead asks for measures appropriate to the risk, naming pseudonymisation and encryption only as examples.
The GDPR is a serious piece of legislation, and organisations need to have certainty about their obligations and responsibilities as outlined in it. Certainty can only be achieved by reading the legislation (it is very well written) and reading interpretations – or paying someone to do it for you.
In my view, we can cut organisations some slack if they genuinely misunderstood this new legislation, but service providers engaged by clients to understand and advise on GDPR cannot be forgiven for misleading them. Many of the myths I have encountered originated with professionals operating in the GDPR space. When we need someone to service a gas boiler, we go to a registered engineer. The same should apply to GDPR advisors: organisations should check the privacy and data protection qualifications of anyone they engage for GDPR advice.