The General Data Protection Regulation (“GDPR”) will affect any business holding EU personal data regardless of where the business is based. It introduces a greater compliance burden on businesses as well as a co-ordinated enforcement strategy from Brussels.
As the 25 May 2018 deadline for GDPR fast approaches, here are the 9 most common myths and misconceptions about the new law – to help your business prepare.
Myth # 1: Everyone is going to get fined!
It is true that data privacy compliance is going to be more challenging under the GDPR. Maximum fines for noncompliance are set at the higher of 4% of annual global turnover or €20m. However, large fines are expected to be reserved for serious abuses and for those making no effort to comply. The key is to do what you can now and to prioritise and document your processes.
Myth # 2: This is just about Google and Facebook
The tech giants have faced high-profile enforcement in the past, but all B2B businesses processing customer (and HR) data will find winning and retaining business tough without a good GDPR story – and remember, personal data is the key to the digital economy. Investors and M&A acquirers will want comfort that businesses are getting data privacy right and it is expected that consumers and privacy groups will be very active if they aren’t.
Myth # 3: You must have consent to use personal data
You do need a lawful basis to use personal data, but consent is not the only one available. In fact, it may be preferable to rely on data processing being necessary for a contract, in your legitimate interests, or in compliance with EU legal obligations (as appropriate). GDPR consent has a high bar and can no longer be used as a ‘fallback’.
Myth # 4: Consent must be ‘explicit’
Consent for the use of data must be “unambiguous” which leaves room for a very clear implied consent but no room for doubt. As such, you may not need a tick box or similar, unless you are dealing with specific categories that do require ‘explicit’ consent: health, sex life, criminal records, race, political opinion and genetic/biometric data. Collecting or using data in these areas requires crystal-clear consent with careful explanation of what data is being collected and why.
Myth # 5: This is only about Personally Identifiable Information (“PII”)
Be careful about this US term, as it is limited to name, address, email address, social security number, etc. Personal data under the GDPR encompasses a much wider variety of data. As a rule of thumb, it can be any information unique to a living individual, and it explicitly includes data that identifies a person by reference to an ‘online identifier’.
Myth # 6: You only answer to one national regulator
The one-stop shop did not materialise. Your ‘lead supervisory authority’ will be where you have your main or only establishment in the EU. Other regulators can still get involved where local rules apply (e.g. on HR data in France and Germany, among others), if people in their territory are “substantially affected”, or simply if they received the initial complaint.
Myth # 7: Anyone can make you delete all their data
There is a right of erasure, but it is not absolute, and you may be able to retain the data where, for example, it is still necessary for a lawful purpose, you are legally obliged to retain it, or, in some circumstances, you have an overriding legitimate interest in doing so. Where data has been processed on the basis of consent, the consent will not be valid unless it can be withdrawn without detriment to the individual. You need to do the legwork: work out what data you hold that is vulnerable to an erasure request, and have a retention schedule and policy.
Myth # 8: GDPR is just the current Directive with a couple of bells and whistles
The GDPR is not simply the current Directive with a couple of bells and whistles added; actually, it is the Germanic approach to privacy. For most companies, it is the governance and accountability requirements which are the greatest surprise. It is not enough to comply; you have to be seen to comply. The GDPR requires you to demonstrate compliance, for example, by documenting the decisions you take about a processing activity, security measures, etc. It is like maths homework – show your workings!
Myth # 9: GDPR is really about security
Security is always important but the GDPR does not require any specific new steps (although you may need to conduct a Privacy Impact Assessment around security). Businesses will also need to implement privacy by design and default, and consider data minimisation and pseudonymisation.
Essential next steps:
- Make key stakeholders aware and consider budgets
- Map data and create a data inventory
- Identify your lead supervisory authority
- B2C: review privacy notices and consents
- B2B: review customer/partner contracts and templates and vendor contracts – be ready for EU customers and partners conducting due diligence, reviewing contracts, and imposing onerous GDPR-ready contracts
- Prepare processes for data subjects’ extended rights
- Implement a data breach response plan, handling and reporting procedures
Want to accelerate your business success beyond the Nordics across Europe, the Middle East, Africa, Asia-Pacific and the Americas? Azets and Blick Rothenberg make it easier for you to manage your business globally; offering a unique and powerful combination of technical expertise, global insights, and innovative technology. Together, as part of CogitalGroup, we support companies throughout their business lifecycle.