There’s now less than a month to go until the European Union’s (EU) General Data Protection Regulation (GDPR) comes into force, and yet research shows that many businesses are still struggling to understand what they need to do. Worse still, many remain unaware of the full extent of the legal implications of non-compliance – whether deliberate or accidental. A YouGov poll in March found that 72% of British adults hadn’t even heard of the regulation, whilst a study by Crowd Research Partners carried out in April found that just 7% of companies worldwide were ‘fully prepared’ for GDPR’s arrival.
These figures should be cause for concern, since GDPR represents a huge change in the way in which every business uses, manages and protects personal data. It enshrines the sanctity of personal data ownership with the individual, with businesses merely the custodians. And as Jan Philipp Albrecht LL.M, Member of the European Parliament and Vice Chair of its Civil Liberties, Home Affairs and Justice Committee, wrote in 2016: “It is paramount to understand how GDPR will change not only the European data protection laws but nothing less than the whole world as we know it.”
With this in mind, here are the five most common myths about GDPR, and some steps you can take to ensure you’re on the way to being geared up for the change.
This isn’t just about the EU
One of the biggest misconceptions about GDPR seems to be that it’s only an issue for companies physically based in the EU. This is not the case. GDPR essentially applies to any business anywhere in the world that wants to sell products and services to EU customers, or to monitor their behaviour using personal data. In other words, if you’re based in Dubai and want to do business with a customer in Germany, then GDPR – or an equivalent standard – still applies.
It’s not as simple as following the rules
One of the reasons why GDPR is causing a certain amount of angst – amongst those who have, in fact, heard of it – is that it is principle-based regulation, which means that judgement will be based on whether data has been processed in accordance with designated principles, rather than hard and fast rules. If a company is investigated by the Information Commissioner’s Office (ICO), then the ICO will look at whether ‘effective’ consent has been obtained from the data’s owner and whether that data is deemed ‘current’. This leaves the door open to interpretation, which would be entirely at the ICO’s discretion and would involve a legal assessment. This means there’s a big job for the legal profession in helping businesses understand and act on their responsibilities.
It’s about more than just compliance
The other source of confusion in all of this is that many companies have assumed that this is a compliance, or even a technical issue, which can simply be left to the relevant team to deal with. The problem is that GDPR is so all-encompassing that any individual handling data in an organisation will undoubtedly require training to understand the regulatory demands and what to do in order to comply. It also means assessing processes for handling a serious data breach and examining every contract – with employees and subcontractors – to ensure that they are GDPR compliant. For some companies, it may also mean hiring a dedicated data protection officer or at the least gaining specialist legal advice on their current practice and system.
Technology is no panacea
Likewise, GDPR is not something that can be ‘fixed’ with technology. A lot of people have mistakenly assumed that GDPR is only concerned with extreme hacking cases, but the regulation imposes draconian sanctions for a range of other breaches, too. For example, if consent for use has not been properly obtained, or the data is not processed as set out in the regulation, then serious penalties, including hefty fines, could be on the cards. There are also some data breach risks that simply cannot be fixed by technology, for example a staff indiscretion or mistake such as leaving confidential information in a public place. What’s more, GDPR forbids reliance on automated decision making, as typically seen when loan companies refuse customers based purely on an automated credit score. The point is that this regulation demands that companies take a holistic and intelligent approach to the treatment of personal data – it’s not a question of picking and choosing the bits you want to adopt or relying on your systems to do the job for you.
This isn’t just another overhead
It’s hard to overstate the risk of getting this wrong – the potential fines are on a level we’ve never seen before in data protection. Certain infringements are subject to fines of up to €20 million or 4% of worldwide annual turnover – whichever is higher. Severe breaches also run the risk of class actions. But the fines only tell part of the story. The Facebook/Cambridge Analytica privacy scandal wiped around £25 billion off the social media platform’s value in the first 24 hours after the story broke, and the reputational fallout continues. Businesses simply cannot afford the reputational damage that getting such a significant change wrong could bring.
Four things you should do straight away:
1. Review your processes for data breach notification, security and risk assessment.
2. Ask yourself whether the data you handle could be anonymised.
3. Review your contracts for GDPR compliance.
4. Consider hiring a data protection officer or seeking specialist legal advice.