2018-07-25 09:45:58

DEBUNKING 7 COMMON GDPR MISCONCEPTIONS

By dporganizer.com

Generally, there are 2 main reasons why misconceptions take hold:

The first is our susceptibility to what we consume online. The media is notorious for using psychological triggers to capture our attention and influence our decisions. This has led many people to read opinions as truth and to consider facts to be replaceable.

The second reason can be attributed to scepticism. With the vast amount of false information circulating on the internet nowadays, we learn to mistrust what we read. We learn to question sources and to assume that there is usually an ulterior motive. This leads to confusion and to misconceptions taking hold.

The General Data Protection Regulation (GDPR) is no stranger to misconceptions. Given how important data has been to recent economic development, many fears and doubts have been cast over the impact of GDPR.

As a company that has been dealing with GDPR for years, we have heard many of the misconceptions that are quite common in business circles. We feel compelled to debunk the 7 most common GDPR misconceptions.

1) GDPR will hurt businesses

Compliance of any kind often requires businesses to incur some costs. Many companies operating in the EU are no strangers to data protection laws. For these companies, adapting to GDPR will be a matter of adjusting existing business processes. On the other hand, there are businesses that are only now realising the importance of privacy and GDPR. This second group has an important task ahead of them, especially with the May 25 deadline fast approaching.

It is also important to understand that GDPR was created with economic growth in mind. It was designed to promote responsible handling of personal data within a regulated Digital Single Market. In doing so, the European Commission believes that GDPR will promote trust in the digital economy. A trustworthy economy is a driver for long-term growth and stability. In other words, GDPR was created as a vehicle for driving long-term growth in the digital economy.

2) In order to use personal data, consent must be obtained

GDPR is praised for giving individuals back control of their data. While this is true in principle, in practice obtaining consent is not always required. GDPR recognises a series of situations in which data processing can legally take place, and consent is just one of them. This is not to downplay the role of consent: it is important, and companies should understand when it is required.

3) All businesses need to hire a Data Protection Officer (DPO)

Hiring a DPO is not always required. The European Commission lists specific cases in which organisations must appoint a designated DPO. Outside these cases, it is recommended that your organisation assigns a person to be responsible for GDPR compliance.

4) GDPR is all about preventing data breaches

Data security is an important part of GDPR, but there is so much more! For example, GDPR covers the risks to minors extensively and sets limits to ensure their rights are protected. Many of the rights granted to individuals do not necessarily fall under data security. The most notable example is the right to be forgotten. GDPR also expects businesses to be more transparent and clear with their data subjects.

5) Organizations are required to carry out a DPIA

Data protection impact assessments (DPIAs) help organisations identify potential risks and adopt measures to mitigate them. It is important to understand that DPIAs are reserved for specific cases, mainly where the organisation's processing presents a high risk to the rights and freedoms of individuals.

6) My organization can be compliant by installing the right software

Think of any compliance software as merely a tool. It is the equivalent of accounting software: a tool that, if misused or used incorrectly, can still leave the company exposed to breaches of the law. A compliance tool can make life a lot easier for companies, especially if they deal with a vast number of data points across a large and complex organisation. Whether your organisation needs one depends on your budget and scope.

7) My organization is not responsible for data outsourced to vendors

Accountability is one of the founding principles of GDPR. It ensures that companies remain responsible even after data is outsourced or shared externally. Organisations should have systems in place to know exactly what data is being shared and for what purpose. GDPR has been designed with these particularities in mind, and businesses should always ensure that the data they hold, and any sharing of it with other businesses, is handled in a manner compliant with GDPR.

Unfortunately, the appearance of misconceptions is just one of the side effects whenever a topic of such magnitude as GDPR goes "viral". We hope this article has helped to combat some of the misinformation surrounding GDPR.

This blog was originally published by dporganizer.com