There’s much talk and debate around the implications of the EU’s newly established law, General Data Protection Regulation (GDPR). The regulations, which go into effect May 2018, are essentially designed to harmonize data privacy laws across the European Union, reshaping how organizations across the region approach data privacy in order to protect and empower all EU citizens and residents.
Most organizations are already feeling the pinch and the real challenge – a tight deadline for compliance – has hit them hard. The repercussions are serious, with hefty penalties imposed on those who are out of compliance.
As the industry continues to get their GDPR bearings, this blog will discuss five common GDPR misconceptions and explore the realities around each.
Myth 1: GDPR Only Affects EU-Based Businesses
We’re all on the same page, right? GDPR is a new law in the EU and mainly centers around the protection of personal data and individuals’ rights when processing their own data by another party. GDPR appears to only focus on individuals within the EU. This is not the case.
GDPR is applicable to any organization that processes personal data belonging to individuals living in the EU, regardless of whether the particular organization is established within the EU, or whether the actual personal data processing occurs within the EU. The regulation casts a wider net to include organizations that do business with the EU; it doesn’t matter if the particular organization offers services directly to individuals, or acts on behalf of another organization.
For example, a public cloud storage service is required to be compliant with GDPR; otherwise its users cannot leverage this storage service to store any kind of personal data collected from the EU.
Moreover, the world at-large is following suit, making headway to introduce privacy standards similar to GDPR. The UK and Australia are among other countries in the process of formalizing similar privacy laws.
Myth 2: GDPR Restricts Freedom in E-Commerce
At a glance it would seem that GDPR is an attempt to restrict businesses’ freedom related to personal data processing and progressive profiling of individual behaviors — this is also incorrect.
Current privacy laws appear inadequate when considering the latest technology trends. This inadequacy results in organizations having to evaluate the risks of facing legal action in light of the ambiguous nature of current laws. In this context, GDPR provides a sense of certainty for organizations to carry out personal data processing in a lawful manner.
GDPR recommends businesses conduct Data Protection Impact Assessments (DPIA) and seek advice from authorities to ensure they follow compliance guidelines. When compliant, organizations can properly evaluate privacy laws to mitigate legal risk when planning new business offerings.
Myth 3: GDPR Is Only Concerned With Personal Data
The term personal data is regularly used in context with GDPR. However the more accurate and legally correct term is Personally Identifiable Information (PII). “PII is any information that can be used to distinguish or trace an individual’s identity (such as name, social security number, date and place of birth, mother’s maiden name, or biometric records) or any other information that is linked or linkable to an individual (medical, educational, financial, and employment information).”
In fact, the definition of “personal data” within GDPR greatly broadens the traditional definition.
Myth 4: You Must Always Obtain User Consent
User consent surrounding E-Commerce offerings is the most common methodology that enables businesses to process personal data.
With GDPR, there are a number of methodologies that can be used to legitimize personal data processing. It’s expected that an organization evaluates all of these legitimized methodologies of processing, and selects the most suitable methodology according to the nature of the business and legal background.
These are the 6 legitimized data processing methodologies defined in GDPR.
For example, an employer may need to keep details of previous employees for a certain period. In such cases, employment contracts are a more suitable means of processing than user consent. Likewise, monetary policies of certain countries may require the need to keep records of individuals involved with financial institutions. In both cases, ‘to be in compliance with a legal obligation’ is the more suitable option.
Myth 5: An Organization Can Buy GDPR Compliance From a Vendor As a Tool or Solution
It’s misleading to think that an organization can achieve GDPR compliance by purchasing a tool or system from a vendor. Yes, a tool or a system can help them achieve GDPR compliance in a timely and cost-effective manner. However, each organization has to carry out its own measures to be fully compliant. These efforts may include other things: staff training, revisions of privacy, and network policies, to name a few.
A Clear Path
Through navigating common misperceptions surrounding GDPR, organizations will continue to address doubts on their journey to become fully compliant in the coming months. The new regulations are a part of a greater scope. GDPR shouldn’t be viewed as a deterrent, but rather a stepping stone to realizing the opportunity for a new level of business growth through digital transformation.
The key is for each organization to adopt early, and use the right technologies to get in compliance fast… i.e., by May 25, 2018.