Myth 1: The GDPR doesn’t apply to businesses outside the EU.
Yes, it does. It’s true the GDPR concerns the personal data of people living in the EU; however, what it actually regulates is the gathering and processing of this data, no matter where that takes place. If you decide not to comply, the fact that your business is based in the U.S. will not be enough to keep you from a fine of approximately $24 million (€20 million), or 4% of your company’s global annual revenue.
Myth 2: All personal data is the same.
Article 9 of the GDPR outlines several types of sensitive data that are prohibited to process. These are considered separate from the general data referred to in the rest of the text and include “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership … genetic data, biometric data … [and] data concerning a natural person’s sex life or sexual orientation.” If your organization collects or processes any of this type of particularly sensitive information, you face additional requirements for doing so.
Myth 3: The GDPR doesn’t apply to data already collected.
As long as the information collected qualifies as personal data pertaining to an EU citizen, it falls under this regulation — regardless of when it was collected. For example, let’s say a handful of French citizens signed up for your company’s email newsletter back in 2014, and those addresses are still in the company database. As of May 25, 2018, you will have to provide proof those data subjects gave their consent as outlined in Article 7 of the GDPR. Plus, those citizens will have the same right to rectification, erasure, restriction of processing and data portability as those whose data is collected post-GDPR.
Myth 4: It’s your cloud service provider’s job to make sure your data is compliant.
The data chain starts with your business, but even if you’re using a third party to store personal data, you’ll still be held responsible for meeting GDPR requirements. In the event of a data breach, both you and your cloud service provider will need to comply with GDPR policy. Because of that, it’s imperative that you have documentation of their data protection policies and processes as they relate to this regulation.
Myth 5: Every company has to appoint a data protection officer.
Your organization would be required to appoint a Data Protection Officer (DPO) in only three siutations:
- If you’re a public authority or body that processes data
- If your core activities require widespread, regular monitoring of data subjects
- If you process sensitive information (discussed in myth 4) on a large scale
These are rather vague designations. For example, nothing in the regulation clearly states what constitutes large-scale data processing. But here’s something to keep in mind: If your organization is audited for compliance and the auditor discovers you’re required to have a DPO but don’t, the fines will be stiff.
Even if your company is on the fence about needing a DPO, or it doesn’t fit any of the above categories, it’s worth appointing a protection officer. The compliance process can be long and confusing — a DPO can be instrumental in helping your company navigate it successfully.
Myth 6: Fines are the biggest threat to your business.
Sure, $24 million in fines is enough to get most companies working toward compliance, but there’s another incentive organizations should be focusing on. The GDPR represents a clear change in public opinion regarding the privacy of personal information — consumers and employees want greater control over who has their data and what they’re doing with it.
While the GDPR and its massive fines are making the headlines, businesses would do well to remember public opinion matters just as much. Organizations that enthusiastically embrace these new rules for data protection will win major points with their customers. Businesses that don’t risk alienation.