Compliance 101: Nine Common Misconceptions About GDPR
We all understand the importance of the General Data Protection Regulation (GDPR) and its purpose of improving the protection of individuals’ personal information, yet it is also a topic that can become very confusing, which is why there are so many myths and misconceptions about the dos and don’ts of its proper implementation.
Every business that holds EU personal data is affected, regardless of its location. That’s why it’s crucial to clarify any doubts you might have about how it truly works, and why we want to share with you nine of the most common misconceptions about GDPR:
1. It Only Applies to Large Businesses
This has been a common myth since before GDPR came into force on May 25th, 2018, so we consider it important to start this list by highlighting the fact that there is no exclusion under the current GDPR for small businesses. Your organisation’s size doesn’t matter. No business is exempt. Period.
2. Marketing Uses of Personal Data Without User Consent Are Allowed Under ‘Legitimate Interest’
This is utterly false. ‘Legitimate Interest’ may be among the most confusing concepts written into the GDPR, which is why this misconception was born in the first place. While there is a ‘legitimate interest’ exception in GDPR, it is always weighed against personal data rights. What this means is that, for example, an organisation could use data without consent under legitimate interest only if it is required under a court order, if the data is needed to protect a vital interest such as human rights, or if your SSN is needed after you have already agreed to purchase a car. Otherwise, consent is always required.
It’s important to stress that even if a user agrees to receive marketing information from an organisation, this does not mean that their personal data can be used without their consent. Every organisation, regardless of its size, is required to let the individuals whose data is being collected know what the legitimate interests are and that they have the right to object.
3. All Personal Data is the Same Under GDPR
This is a question that is asked very often. There is a crucial GDPR distinction between personal data that is private data and personal data that is sensitive data.
Private data includes:
- Street Address
- IP Address
Sensitive data includes:
- Union Membership
- Education Level
These two types of personal data differ in many ways that determine how each can be stored and what can be done with it. To give a quick example, sensitive data cannot be used for making business decisions such as approving a loan or a mortgage.
4. Organisations Outside the EU Can’t be Sued Under GDPR
This, of course, is inaccurate. The law applies to EU citizens’ data, wherever it resides. Simple as that. This means that if you are a British citizen, you can easily file the equivalent of a class action suit in the U.K. against a California company if it has misused your personal data in any way.
5. GDPR Only Applies to Data Provided by Users
Wrong. It is crucial to understand that GDPR applies to all data generated, collected, or related to a user, regardless of whether they provided it or not.
6. I Should Only Worry About GDPR If I Get Breached
Not true. Privacy and GDPR-related questions are now very common on a daily basis, and poor responses to those questions will be a commercial inhibitor. It is important to understand that citizens have new rights that, to this day, they are still trying to exercise, and poor or no preparedness to deliver against those rights will incur considerable overheads.
It is also essential to remember that European authorities have the right to audit any organisation at their discretion, not only before or after an attack.
7. Compliance Can Be Achieved Easily & Quickly
Not quite. What GDPR does is alter how businesses and public sector organisations can handle the information of their customers. It obliges these organisations to take another look at how they process personal data, such as their customer database, which requires significant organisational work involving departments like sales and marketing, finance, IT, HR, and legal.
8. There Is No Real Risk of GDPR Non-Compliance
If this common misconception has crossed your mind, you’re in for a treat. This is not correct. The European Union is extremely serious about proper regulation of the way businesses process and manage all personal data of EU individuals, which is why, since day one, it has set significant GDPR penalties for non-compliance, as follows:
- Up to EUR 20 million or 4% of your company’s global turnover for serious infringements, and
- Up to EUR 10 million or 2% of your company’s global turnover for lesser infringements.
These thresholds are calculated based on several factors according to Article 58 of the GDPR, including the nature, gravity, and duration of the infringement, whether the infringement was intentional or negligent, and a number of other considerations.
9. After GDPR Compliance Is Achieved, I Can Sit Back & Relax
Not as simple as that. GDPR compliance is a mindset, an ongoing risk model, much like other compliance or data privacy regulatory frameworks.
Keep in mind that the risk model behind the GDPR focuses on identifying which processes pose the highest risk to the entity’s business and to the data subjects’ rights, and which ones might tend to lead to high fines in case of data breaches. This is an ongoing, constantly changing regulation, meaning that your organisation may achieve GDPR compliance today, but that might not be the case two weeks from now.
Although this regulation went into effect over a year ago, it can still be difficult to fully understand and, being such a delicate matter, it can be extremely easy to stray from the right road. That’s why it is so important for every organisation, big or small, to always stay on top of the latest updates and of how they continuously process and manage all data.