Top 5 GDPR Myths: Get the Facts

GDPR-myths

The General Data Protection Regulation (GDPR) has been garnering much attention since its formal adoption in April 2016.  With the effective date of May 25, 2018 fast approaching, some popular myths have emerged surrounding the regulation.

In this blog post, we’ll examine and debunk a few of the most notable ones.

Myth #1: “We’re a US-based company so the GDPR doesn’t apply to us.”

In short, the GDPR will apply to US-based companies that offer goods or services to individuals in the European Union (EU) or monitor the behavior of individuals if the behavior occurs in the EU.  Even US-based companies that have no physical presence in the EU will be subject to the GDPR if they process an EU resident or visitor’s personal data in connection with goods or services offered to those individuals or if those companies monitor the behavior of EU residents or visitors while those individuals are within the EU. The GDPR could apply, for example, if a US citizen visits a US-based website while vacationing in Spain and that website monitors that citizen’s behavior while in Spain.

Given the cross-border nature of the modern-day economy, it’s also not unusual to see US-based companies with offices overseas, including in the EU.  Personal data processed, whether the processing occurs in the EU or not, in the context of the activities of a US-based company’s EU establishment will be subject to the GDPR.

Myth #2: “Since the UK is leaving the EU, we don’t need to worry about GDPR compliance.”

According to this Information Age article, about 25% of UK businesses have stopped preparing for GDPR compliance as they feel it won’t apply to them given the upcoming UK departure from the EU in 2019.

The reality is that GDPR enforcement will begin a good ten months before Brexit occurs.  And, even after the UK leaves the EU, there is still a very high probability UK businesses will be subject to GDPR compliance requirements because the GDPR applies to the personal data of all EU residents.  Given there are many EU residents living in the UK and UK businesses will continue to do business with residents of EU countries, the GDPR requirements will still apply to UK businesses long after Brexit is completed.

Myth #3: “Personal data that is already in our database isn’t subject to the GDPR.”

The GDPR applies to personal data, regardless of when that data was collected.  In other words, if the data was collected before the GDPR goes into effect (May 25, 2018), the company and relevant data will still be subject to GDPR requirements.

As long as the data can be traced back or associated with an individual who was in the EU at the time the data was collected (a “data subject”) via a name, ID number, or some other physiological, genetic, or similar factor, then that data will be considered within the scope of GDPR protection.  As an example, contact information gathered from prospective customers must have been gathered in compliance with the GDPR notice and consent requirements to be used for marketing purposes after May 25th, 2018.

Myth #4: “My data is stored with my cloud service provider so it’s their responsibility to remain compliant with the GDPR, not mine.”

The GDPR imposes a high duty of care upon data controllers in selecting their personal data processing service providers. Similar duties are imposed if a service provider contracts with a sub-processor. Businesses utilizing personal data for business purposes cannot “pass the buck” to their cloud or security service providers that are processing or storing personal data on their behalf.

So, even if a data controller is not storing personal data (i.e., it uses a third party to store such data), the data controller will still be held responsible for compliance with the GDPR.  Both controllers and processors share responsibility for meeting GDPR requirements.

Myth #5: “Our company uses pseudonymization and encryption to protect personal data, so that should be enough for GDPR purposes.”

Given the rapid pace of innovation, simply pseudonymizing (aka data masking) or encrypting the data, while useful, may not be enough to fully secure the data and meet the requirements of the GDPR.

Specifically, Article 32 of the regulation requires companies to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by a company’s data processing activities.  In assessing the appropriate level of security, companies are required to pay particular attention to the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data that is transmitted, stored or otherwise processed.

In determining what technical and organizational measures would be appropriate, companies must take into account the current state of the art, costs of implementation, and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity to the rights and freedoms of the individuals whose data is being processed.

Under this article, businesses must do what is appropriate, including but not limited to and likely more than, just pseudonymization and encryption to ensure data security.  Information governance technologies that address data retention and defensible disposition issues are examples of additional measures that enhance data security.

Next steps

The issues discussed above are currently top-of-mind for many security, compliance, and IT professionals tasked with meeting GDPR requirements. To assess your organization’s readiness, review this blog post for a planning timeline and identify the next steps that make the most sense for you.

Wondering how your organization compares to others when it comes to GDPR readiness? Read the results of our GDPR survey.