Debunking Five Crucial GDPR Misconceptions


With GDPR coming into force on 25 May 2018, businesses that haven’t got to grips with the reality of the regulation risk massive financial penalties, together with possible reputational damage and a hit to their share price, according to Barristers-at-Law Quentin Hunt and Dean Armstrong QC, co-author of Cyber Security: Law and Practice.

There’s now less than a month to go until the European Union’s (EU) General Data Protection Regulation (GDPR) comes into force, and yet research shows that many businesses are still struggling to understand what they need to do. Worse still, many remain unaware of the full extent of the legal implications of non-compliance – whether deliberate or accidental. A YouGov poll in March found that 72% of British adults hadn’t even heard of the regulation, whilst a study by Crowd Research Partners carried out in April found that just 7% of companies worldwide were ‘fully prepared’ for GDPR’s arrival.

These figures should be cause for concern, since GDPR represents a huge change in the way in which every business uses, manages and protects personal data. It places control of personal data firmly with the individual, with businesses merely its custodians. And as Jan Philipp Albrecht LL.M, Member of the European Parliament and Vice Chair of its Civil Liberties, Justice and Home Affairs Committee, wrote in 2016: “It is paramount to understand how GDPR will change not only the European data protection laws but nothing less than the whole world as we know it.”

With this in mind, here are the five most common myths about GDPR, and some steps you can take to ensure you’re on the way to being geared up for the change.

This isn’t just about the EU

One of the biggest misconceptions about GDPR seems to be that it is only an issue for companies established in the EU. This is not the case. Under Article 3, GDPR applies to any organisation, wherever in the world it is based, that offers goods or services (paid or free) to individuals in the EU, or monitors their behaviour within the EU, regardless of those individuals’ nationality. In other words, if you are based in Dubai and want to do business with a customer in Germany, GDPR still applies to the personal data you process, and in most cases a non-EU organisation caught in this way must also designate a representative in the EU.

It's not as simple as following the rules

One of the reasons why GDPR is causing a certain amount of angst, amongst those who have in fact heard of it, is that it is principle-based regulation: judgement will be based on whether data has been processed in accordance with the designated principles (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability) rather than hard and fast rules. If a company is investigated by the Information Commissioner’s Office (ICO), the UK supervisory authority, the ICO will look at which lawful basis the company relied on for each processing activity; where that basis is consent, whether the consent obtained from the data subject was freely given, specific, informed and unambiguous; and whether the data held is accurate and kept up to date. Consent is only one of six lawful bases (performance of a contract, a legal obligation and legitimate interests are among the others), and whichever is relied on must be identified and documented before processing begins. All of this leaves room for interpretation and a legal assessment by the regulator, which means there is a big job for the legal profession in helping businesses understand and act on their responsibilities.

It’s about more than just compliance

The other source of confusion is that many companies have assumed that this is a compliance, or even a purely technical, issue that can simply be left to the relevant team. The problem is that GDPR is so all-encompassing that anyone handling personal data in an organisation will require training to understand the regulatory demands and what to do in order to comply. It also means assessing processes for detecting, containing and reporting a serious data breach (a qualifying breach must be notified to the supervisory authority within 72 hours of the organisation becoming aware of it), and examining every contract, with employees, processors and subcontractors alike, to ensure that it is GDPR compliant. For some companies, it may also mean appointing a dedicated data protection officer, or at the least obtaining specialist legal advice on their current practices and systems.

Technology is no panacea

Likewise, GDPR is not something that can be ‘fixed’ with technology. Many people have mistakenly assumed that GDPR is only concerned with headline-grabbing hacking incidents, but the regulation imposes severe sanctions for a range of other infringements too. For example, if consent has not been properly obtained, or data is not processed as the regulation requires, then serious penalties, including hefty fines, could be on the cards. There are also data breach risks that no technology can eliminate, such as a staff indiscretion or a mistake like leaving confidential papers in a public place. What’s more, GDPR restricts decisions based solely on automated processing that have legal or similarly significant effects on the individual, of the kind seen when a loan company refuses a customer purely on an automated credit score: such decisions are permitted only in limited cases (where necessary for a contract, authorised by law, or made with the individual’s explicit consent), and even then the individual is entitled to obtain human intervention, to express their point of view and to contest the decision. The point is that this regulation demands that companies take a holistic and intelligent approach to the treatment of personal data; it is not a question of picking and choosing the bits you want to adopt or relying on your systems to do the job for you.

This isn’t just another overhead

It’s hard to overstate the risk of getting this wrong: the potential fines are on a level never seen before in data protection. The most serious infringements carry fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher (a lower tier of €10 million or 2% applies to others). Severe breaches also carry the risk of collective actions brought on behalf of affected individuals. But the fines only tell part of the story. The Facebook/Cambridge Analytica privacy scandal wiped around £25 billion off the social media platform’s market value in the first 24 hours after the story broke, and the reputational fallout continues. Businesses simply cannot afford the reputational damage that a breach on that scale could cause.


Four things you should do straight away:

1. Review your processes for breach detection, notification (including the 72-hour deadline for reporting to the supervisory authority), security and risk assessment.
2. Ask yourself whether the personal data you handle could be anonymised, or at least pseudonymised, and whether you need to hold it at all.
3. Review your contracts with employees, processors and subcontractors for GDPR compliance.
4. Consider appointing a data protection officer or seeking specialist legal advice.

http://www.bestcriminaldefencebarrister.co.uk/  
