Common Myths and Misconceptions about GDPR
Disclaimer: This blog article was written for general information and does not claim to provide legal advice. To understand the full impact of the General Data Protection Regulation for your organization, please consult with a privacy compliance and/or legal expert.
GDPR compliance is causing quite a stir for businesses as they struggle to implement measures to comply with the Regulation and to maintain their reputation as responsible stewards of personal data.
We’ve observed an overabundance of content circulating the web lately in the form of easy-to-do checklists, guides and quick fixes that are supposed to help organizations achieve GDPR compliance quickly, easily and once and for all. Unfortunately, this overly simplistic approach to data protection is far from capturing the true essence of GDPR compliance. It often misleads organizations into believing that they can meet their compliance requirements by filling out a checklist – an activity that will take 5 minutes of their time.
“You cannot learn to fly by flying. First you must learn to walk, to run, to climb, to dance.” – Friedrich Nietzsche
When our team decided to develop a GDPR Compliance Program, we realized quickly that it is our responsibility as security professionals to educate our audiences about the many misconceptions about GDPR compliance. In this article, we’ll outline some of these false beliefs to help organizations understand what GDPR compliance is really about, why ticking a checkbox is not enough, and how you can approach your GDPR compliance efforts for lasting success.
- GDPR compliance only affects European businesses.
No. According to the European Commission (2018), the GDPR applies if:
- your company processes personal data and is based in the EU, regardless of where the actual data processing takes place; or
- your company is established outside the EU but offers goods or services to, or monitors the behavior of, individuals within the EU.
A poignant explanation of GDPR applicability comes from Brad Smith, Chief Legal Officer and President of Microsoft Corp: “If you have customers in the EU, this matters to you. If you have employees in the EU, this matters to you. If you’ve even heard of the EU, this matters to you.”
- A checklist will help me become GDPR compliant.
No. A checklist approach is simply not enough.
While checklists and how-to guides can be useful starting points, they are no guarantee of meeting GDPR requirements. Your regulatory environment, business context, industry and available resources differ from everyone else’s, so any GDPR compliance program you undertake has to be adapted to your specific legal and regulatory context.
Instead of following a “one-size-fits-all” approach, it is important to first establish your privacy obligations and develop a GDPR compliance program that will be tailored to your business needs and various regulatory requirements.
- I need to hire a Data Protection Officer (DPO).
Related post: GDPR 101: How to Choose a Data Protection Officer
Maybe. Before you start drafting a job description for a Data Protection Officer, check whether your organization is actually required to designate one. Under Art. 37(1) GDPR, a DPO is mandatory for:
- public authorities and bodies (except courts acting in their judicial capacity),
- organizations whose core activities require regular and systematic monitoring of data subjects on a large scale, or
- organizations whose core activities consist of large-scale processing of special categories of data (Art. 9) or of data relating to criminal convictions and offences (Art. 10).
If you do need to designate a DPO, you must publish the DPO’s contact details (for example in the privacy notice on your website) and communicate them to your supervisory authority (Art. 37(7)).
If you don’t need to designate a DPO, consider whether doing so would still benefit your organization. It is good practice to have a formal compliance function that advises on data protection obligations and best practices, monitors data processing activities, assesses the applicable risk levels and cooperates with the supervisory authority. Be mindful, however, that if you voluntarily designate a DPO, the requirements of Articles 37 to 39 apply as if the designation were mandatory: the DPO must be independent, must report to the highest management level and must not be dismissed or penalized for performing the role. If you want a privacy lead without those statutory obligations, use a different job title such as Chief Privacy Officer and make clear that the role is not a DPO within the meaning of the GDPR.
- If I process data of individuals in the EU, the only relevant compliance regulation is GDPR.
No. Depending on where your business operates and what kind of data it stores or processes, it may be subject to a whole set of rules beyond the GDPR. The GDPR itself leaves a considerable margin for national legislation to specify data protection rules (for example for employee data, national identification numbers and the age of consent for children’s online services), so individual EU Member States may introduce additional requirements in their national data protection acts. Organizations that process data in, or affecting, several Member States must identify which of these national rules apply to them. The rules on employee data protection merit specific attention.
To add to the complexity, office locations outside the EU are subject to their own national privacy legislation, often complemented by sector-specific regulations. This covers privacy and data protection laws in nearly 100 jurisdictions, including the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada and the hundreds of state privacy and data security laws in the United States.
- There is no real risk of non-compliance with GDPR.
Not true. The European Union is serious about regulating the way businesses process and manage the personal data of individuals in the EU, and the GDPR provides for significant administrative fines (Art. 83):
- up to EUR 20 million or 4% of your company’s total worldwide annual turnover of the preceding financial year, whichever is higher, for the more serious infringements (for example of the basic processing principles, data subjects’ rights or the rules on international transfers), and
- up to EUR 10 million or 2% of that turnover, whichever is higher, for other infringements (for example of the controller and processor obligations on security, breach notification and records of processing).
Within these ceilings, the amount of a fine is set on the basis of the factors listed in Art. 83(2), including the nature, gravity and duration of the infringement, whether it was intentional or negligent, how well the controller or processor cooperated with the supervisory authority, and the technical and organizational measures that had been implemented. Beyond the fine and the reputational damage, your national Data Protection Authority (DPA) may also exercise its corrective powers under Art. 58(2), such as issuing warnings or reprimands, ordering you to bring processing into compliance, or imposing a temporary or definitive ban on processing. The GDPR applies from May 25th, 2018, with no grace period after that date.
The Risks of Non-Compliance (Source: European Commission, 2018)
- Once I achieve GDPR compliance, I can sit back and relax.
No. Much like other compliance or data privacy regulatory frameworks, GDPR compliance is a mindset, an ongoing risk model.
The GDPR’s notion of risk is the risk to the rights and freedoms of natural persons, not the commercial risk to your organization. Obligations such as data protection by design (Art. 25), security of processing (Art. 32) and data protection impact assessments (Art. 35) all scale with that risk. So while there are numerous definitions of “risk” in the privacy and data security arena, the risk to the individual has to be the guiding principle behind any GDPR project; the risk of fines follows from it, because the processing activities that carry the highest risk for data subjects are also those most likely to attract a high fine if something goes wrong.
For starters, your organization may be compliant today and fall out of compliance within a few weeks. If you suffer a personal data breach, you are obliged to notify your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Art. 33).
Related post: Data Breach Notification Laws: Canada, U.S. & Europe
Where the breach is likely to result in a high risk to those individuals, you must also inform them directly (Art. 34). Most important, however, is to keep accountability in mind at all times: maintain adequate and up-to-date records of your processing activities (Art. 30) and review them regularly, so that you can demonstrate GDPR compliance when asked.
Unfortunately, organizations still have too many misconceptions when it comes to whether and how to become GDPR compliant. The assumption that GDPR is either easy to implement, a one-time project or only applicable to EU businesses can be risky, and lead to reputational damage, financial losses or legal repercussions.
Instead, organizations are best advised to see GDPR as a strategic mindset that is meant to guide their data protection activities over the long term – not a quick-fix approach that only serves regulatory bodies.
First, organizations should evaluate whether and to what extent they are subject to GDPR. Once this is defined, a GDPR compliance program can help organizations identify their gaps, propose actionable recommendations and outline a defined path towards continued compliance.
For more information about how to implement a lasting and comprehensive GDPR compliance strategy, check out our free webinar “Beyond GDPR: Implementing a Comprehensive Privacy Compliance Program”.