With the European Union’s General Data Protection Regulation (GDPR) coming into force in a matter of weeks, many companies are scrambling to adapt their processes to comply with the new data privacy laws.
However, as is to be expected with such large and sweeping legislation, there are a lot of misconceptions about the significant changes GDPR introduces for data security and how these will affect the various actors.
We look at the 5 most common misconceptions about GDPR for businesses and what they really mean…
1. It protects the personal data of EU citizens
This is the first mistake companies often make when looking at GDPR. The Regulation's scope is actually determined by location, not by nationality. Hence it applies to any company that is based in the EU or deals with the personal data of an EU resident, rather than an EU citizen.
This means a German working in or visiting New York is not covered by the GDPR unless he or she is interacting with a European-based company, while an American visiting Barcelona is covered by GDPR.
2. Somebody will flick a switch on 25 May and everything will change
The GDPR comes into force on 25 May, and from the way companies are racing to get their data processes in line by the enforcement date, the rhetoric seems to be that everything will just change on that day. Voila. Just like that.
However, by giving customers full control of their data, GDPR represents a seismic change to the digital landscape, and not one that can be negotiated with quick fixes and temporary solutions. Complying with GDPR could require everything from a comprehensive personal data inventory and audit to company restructuring, and should be approached with a view of the business well beyond the 25 May start date.
3. It’s an IT issue
While GDPR continues to be reported as a technology story, it’s easy for companies to pass ownership to the IT department - that’s usually where data-related matters end up. But GDPR is far from just an IT issue: it touches every aspect of an organisation and renders the whole company responsible.
It reaches from human resources managing employee information correctly, to marketing ensuring that only people who have positively opted in receive emails, to security deciding how physical data is destroyed. Even staff training will need to change to include material on how data can and cannot be managed, and what to do in case of a breach or data loss.
4. Companies need consent to process personal data
Getting clear consent from the data subject to process their data is of course a big part of GDPR. But it is not the only legal basis on which a company can process the personal data of an EU resident.
In fact, GDPR lists six legal bases on which a company can process the personal data of an EU resident. These are:
- Clear consent
- Necessary for the performance of a contract
- Necessary for compliance with a legal obligation
- To protect the vital interests of a data subject
- Carried out in public interest or exercise of official authority
- Necessary for the purposes of the legitimate interest of the controller or a third party
5. Complying is all about avoiding big fines
It is well documented how much businesses can be fined for breaching GDPR - up to EUR 20 million or 4% of global annual revenue, whichever is higher. What is less well documented, however, is the competitive advantage that can be gained from complying with GDPR.
The digital economy is based on trust, and those that do GDPR well will excel in building trust. Beyond that, the obligation to thoroughly understand data storage and usage also offers companies the opportunity to create a solid foundation for more efficient and productive use of personal data, which could give them a competitive edge in the long run.