The GDPR is a very dense and complicated piece of legislation. A lot of people are worried ahead of it going live, and with everyone throwing their voices into the mix, how do you cut through the noise and figure out what's correct? Here, we bust common misconceptions so you can learn GDPR.
So unless you’ve been living under a rock, you’ll have heard something about the General Data Protection Regulation (GDPR) by now. Talk around the most comprehensive overhaul of data protection law across the EU is becoming feverish, especially now that its 25th May enforcement date is just around the corner.
But with all this talk, how much do you really know about the GDPR? In today’s article, we’re busting the biggest myths we’ve heard about the GDPR. Remember, if you’re struggling with GDPR implementation for your data processes before the 25th May, we can help your organisation with our GDPR Audit.
There seems to be some confusion surrounding GDPR, with a lot of people asking the question, who does the GDPR apply to? There’s a rumour going around that companies with less than 250 employees (small to medium-sized enterprises) won’t be affected by the GDPR. Sadly, this isn’t the case. If you handle personal data, the GDPR will apply to your business. Personal data can include any HR data you hold, customer details or tracking information, and even genetic information. You can find out more about what data is affected at the Information Commissioner’s Office website.
If you’re part of an SME that handles personal data, you’ll need to review your data processes to ensure you are GDPR compliant. But the steps you have to take should be straight forward - you must ensure you take appropriate measures to secure data and seek consent to use personal data when it isn’t clear how your data will be used. Seeking consent doesn’t have to be hard though - see how other organisations seek consent from their customers.
Whether you’re Leave or Remain, Brexit doesn’t matter when it comes to the GDPR! Although the UK will leave the EU in March 2019 or after a transition period, until then it is still a full EU member and the laws of the Union still apply.
With GDPR, the onus is on each member state to incorporate the standards of the GDPR into their own data protection legislation. As a minimum, they must meet the standards of the GDPR, but that doesn’t mean member states can’t go further towards enshrining the privacy rights of individuals.
In the UK, we are enshrining the GDPR by reforming the Data Protection Act. That means the GDPR will apply in UK law, regardless of Brexit.
Wrong. It doesn’t matter if you merely process personal data on behalf of your clients, the GDPR will also apply to you. That’s because the GDPR includes both data controllers and data processors.
A data controller is whoever sets the purpose for collecting personal data and the manner in which it is collected.
A data processor is anyone who obtains, records or holds the personal data or carries out any type of operation using said data.
We can bust our current myth by looking at the second term. Although you might think that responsibility rests with the data controller, as they set the purpose for gathering and using data, under GDPR those who carry out this operation are also liable. It’s also worth noting that the data controller and data processor could be the same person.
To ensure your data processes are GDPR compliant, you need to audit all data within your organisation. Our team of expert GDPR consultants and Digital Transformation specialists are able to help - contact us now.
The GDPR protects the rights of the individual, but it is also geared towards protecting the needs of businesses too. Wherever businesses or organisations have a legitimate need for personal data, they are allowed to keep that data and use it. If a GP surgery, for instance, needs to text patients to remind them of appointments, the surgery wouldn’t really need to seek consent to do that - it is part of the service patients sign up to when they register at the surgery. This is a reasonable expectation a member of the public would hold regarding the surgery’s service.
However, if a large company with a mailing list of thousands doesn’t know where it has acquired most of its email addresses from, they would need to review their data. Granted, you may have a legitimate business need to retain that information, but by reviewing your data you can identify where you acquired data from and whether you still need to keep it. Are you using it how the public might expect you to? In addition, the GDPR is about data minimisation and limitation to avoid data breaches, so it’s best to review all personal data you hold to ensure you adhere to the GDPR’s principles.
If you are marketing to customers who have already bought your goods or services, there is a reasonable expectation there that you will continue to market to them. When the GDPR is enforced from May 25th 2018, you can continue to market to your existing customers.
But, to be on the safe side, it’s best to seek consent from your customers once more. You need positive consent to market to individuals - you can’t assume consent, and customers must opt in to receive your marketing content. Seeking consent is particularly important if you have customers who haven’t used your services in a long time. These users may no longer be interested in your offers, so you would no longer have a legitimate reason to keep their data. Simply ask them to opt in to your marketing campaigns: if they don’t opt in, ensure you have suitable processes in place to delete their information.
Compared to previous data protection laws, the GDPR is much more comprehensive. It tightens the rules on data, namely by updating existing legislation to take account of how the internet allows companies to collect and use data.
When the Data Protection Act 1998 came into force, which enshrined the EU Data Protection Directive in UK law, we didn’t collect nearly as much data as we do now. But recent scandals, like the one at Facebook following the Cambridge Analytica revelations, show why updating data protection laws is absolutely necessary.
But the GDPR makes sweeping changes to current data protection law, and requires you to seek unbundled, granular and positive consent from individuals before you can collect and use their data. You must also collect, use, store and delete personal data in GDPR compliant ways. That means you will more than likely have to change your consent and privacy policies, your contact forms, and your data architecture and processes.
Overall, it isn’t quick to become GDPR compliant, and it will be an ongoing process. A word to the wise: start reviewing your processes now! At Cyber-Duck, we can complete a full data audit on your behalf to help identify where improvements need to be made to become GDPR compliant.
This is another myth we keep seeing. Because the GDPR is geared towards regulating how the tech giants use personal data, some argue that it only affects digital information. This simply isn’t the case.
The truth is that whatever meets the criteria for personal data will be covered by the GDPR. It doesn’t matter if that data is stored digitally or physically. Personal data includes any information that can be directly or indirectly used to identify an individual. These kind of identifiers include names, addresses, dates of birth, location and online identifiers like usernames and passwords. Even if you pseudonymise or anonymise personal data, you must still store it securely.
Furthermore, there is also the matter of ‘sensitive personal data’. Sensitive personal data is things like medical records, genetic or biometric information.
All of these things can be found either digitally or physically, and the GDPR will cover it all.
At Cyber-Duck, we understand the importance of being GDPR compliant. That’s why we’ve created a comprehensive data audit process to ensure all of your data is mapped and the appropriate measures taken to make sure your organisation achieves full GDPR compliance. Similarly, we also offer GDPR training to companies of all sizes.