While the General Data Protection Regulation (GDPR) goes into effect May 25th, many companies are still struggling to make sense of the regulation and prepare for ongoing compliance. In this post, I hope to clear up some frequent questions by debunking popular GDPR myths. Below are my top seven GDPR myths debunked, along with the relevant references within the regulation. Please share any additional myths you’d like me to debunk in the comment section.
It’s all about fines
As UK Information Commissioner Elizabeth Denham said in a blog post, “It’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm”. She also mentions in the post that “like the DPA, the GDPR gives us a suite of sanctions to help organizations comply – warnings, reprimands, corrective orders. While these will not hit organizations in the pocket – their reputations will suffer a significant blow.” Other sanctions the ICO will use to get companies to comply: warnings, reprimands, corrective orders. “These may not hit organizations’ pockets, but they won’t do the companies’ reputations and public perception any good”, she added.
For the regulation’s provisions on warnings and other corrective measures, see Article 58, as well as mentions in Article 47, Article 83, Recital 129, Recital 143, Recital 148 and Recital 150.
It’s only for organizations in the E.U.
If you’ve been following our blogs, you know this by now, but anyone new needs to know that GDPR applies to any organization, anywhere in the world, that collects, processes and/or stores E.U. citizen data, whether that of employees, customers or others. Countries outside the European Union are referred to as “third countries” in the GDPR.
For the regulation’s treatment of countries outside the E.U. and of international organizations, see: Chapter 5, Article 4, Article 15, Article 30, Article 40, Article 42, Article 45, Article 47, Article 50, Article 70, Article 71, Article 85, Article 96, Article 97, Recital 6, Recital 101, Recital 102, Recital 105, Recital 107, Recital 108, Recital 115, Recital 116, Recital 139 and Recital 153.
My data is stored with my cloud service provider so it’s their responsibility to remain compliant with the GDPR, not mine
As your cloud service provider is not directly collecting user information and cannot vouch for your justifications for collecting, processing and storing such information, it cannot be held wholly responsible for the governance of the personal data your organization collects. There is a litany of reasons your organization still needs to be proactive about compliant data-handling procedures. To start, see Recital 21, under which the liability rules of intermediary service providers remain unaffected:
“This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.”
It’s not limited to personally identifiable information
The General Data Protection Regulation does not limit “personal data” to PII (personally identifiable information), but also includes IP addresses and information collected via cookies.
Recital 30 goes into this in depth:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
Personal data that is already in our database isn’t subject to the GDPR
After May 25th, 2018, any E.U. citizen’s personal data being used for marketing or other purposes will be required to adhere to the General Data Protection Regulation. To brush up on consent and some of those obligations, see Articles 7 and 14.
Everyone needs a Data Protection Officer (DPO)
Article 37 of the GDPR outlines the designation of a data protection officer. Below are three scenarios in which a controller and processor will be required to appoint a data protection officer. To see all the scenarios in which a DPO must be appointed, see Article 37.
“1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.”
Obligations on processors outlined in the GDPR mean controllers don’t need contracts with processors
Everything you need to know about debunking this myth is outlined in Article 28; here’s a piece from the article:
“Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”
Not only does the GDPR provide for a contract between controller and processor, it also lists some of the items such a contract should cover.
Again, if there are any other myths you’d like to see debunked before the GDPR goes into effect, please leave them in a comment below. And, if you or your organization are looking for a GDPR compliance training solution, see all our courses at cybertraining365.com/m365. You’ll find GDPR courses ranging from awareness and foundations to practitioner level, targeting the various technical abilities and responsibilities under the GDPR.
CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting-edge GDPR and cybersecurity training. Our training provides the most in-demand industry certification prep courses, including EC-Council, CompTIA, (ISC)2 and Cisco, all taught by leading cybersecurity experts. All of our offerings are aligned with the National Initiative for Cybersecurity Education (NICE) and ensure the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses a bite-sized micro-learning methodology that ensures learners are not overwhelmed with information. Our on-demand LMS platform has white-label capabilities ideal for internal training purposes.