Set to go into effect on May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) places strict new requirements on the data handling and security practices of any organization processing the personal data of EU residents. Hailed as “the most important data privacy regulation in 20 years,” affected organizations have plenty of incentive to heed the new law: non-compliance can result in fines of up to €20 million or 4% of an organization’s total worldwide revenue (whichever is higher).
However, even with the stakes for achieving compliance so high and the enforcement date drawing nearer, many businesses are still confused as to their obligations under GDPR—or are acting on incorrect notions as to what the law actually requires. While some nuances of GDPR will not be completely defined until enforcement begins, there is still a great deal of clarity as to the law’s impact and how organizations ought to be preparing.
The following are seven common misconceptions about GDPR, and the correct information that organizations need to know:
Only EU companies need to comply with GDPR.
In fact, GDPR is designed to protect the personal data and privacy rights of EU citizens no matter where the processing of that data takes place. This means that any organizations that collect, record or otherwise utilize EU citizens’ data—even businesses physically located outside the EU—must do so in compliance with GDPR.
The law also impacts organizations that process EU personal data in relation to the offering of goods or services, or that monitor the behavior of EU citizens within the EU. Again, this is regardless of the company’s location. Taken generally, GDPR continues to protect citizens’ data no matter where that data ends up.
GDPR applies narrowly to only the most sensitive and private personal data.
GDPR defines the personal data it regulates rather broadly. Organizations must certainly apply robust data security and privacy-by-design measures when storing and processing what would traditionally be considered sensitive data: government ID numbers, date of birth, home address, etc. GDPR goes beyond this, however, to cover location data and any factors pertaining to the physical, physiological, genetic, mental, economic, cultural or social identity of a person. GDPR also protects data that reveals a person’s racial or ethnic origin, political opinions, philosophical beliefs or trade union membership, as well as all health-related information. Given this vast increase in the scope of data an organization may possess that must be safeguarded under GDPR, it is critical that businesses fully understand the nature of the data they are responsible for, and ensure its security.
If and when a data breach occurs, meeting the GDPR notification requirement is simple.
GDPR requires organizations to notify supervisory authorities within 72 hours after becoming aware that a data breach has occurred. That said, complying with this requirement is actually rather involved, and necessitates complex and coordinated action. Organizations must have already developed the capability to deliver timely notifications as part of their data breach incident response preparedness. Doing so after-the-fact will be too late.
Individuals whose information is exposed by a data breach must always be informed.
GDPR does include a requirement to notify individuals after a data breach, but only if the circumstances are such that the breach presents a high risk to those individuals’ rights and freedoms. GDPR does not mandate notification of individuals in situations where the breached data is protected by encryption, where risk to the data was successfully eliminated post-breach, or where delivering the notification would take “disproportionate effort”—such as if only information for contacting an affected individual was lost during the breach incident. Supervisory authorities have final say as to whether individual notifications are required for a given data breach.
Non-compliance with GDPR can mean substantial fines, but that is it.
GDPR gives supervisory authorities the power to go beyond fines where appropriate, pursuing corrective measures that can also include sanctions, lawsuits, corrective actions and more. This means authorities might prescribe specific actions an organization must complete and a timeframe for doing so, all on top of hefty fines. Furthermore, a business could be banned from processing personal data or continuing with specific data handling practices. Where a disallowed practice is essential to an organization’s revenue, such sanctions can end up being easily more expensive than the maximum fines under GDPR.
GDPR introduces a single new individual privacy right—the right to be forgotten.
GDPR actually introduces a number of privacy rights that may not be present in existing regulatory frameworks, and that organizations outside the EU may be unfamiliar with. These rights include:
- Right of access. An organization must allow individuals information about—and access to—any personal data belonging to them.
- Right of rectification. Individuals can have incorrect or incomplete data on them fixed.
- Right to be forgotten. Businesses must erase the personal data they store if an individual asks.
- Right to restriction of processing. Given certain conditions, an individual can restrict an organization from processing their personal data.
- Right to data portability. Individuals can request their personal data from one organization and transfer it to another with no obstacles.
- Right to object. Individuals can object to their personal data being processed. For example, a person could disallow direct marketers from utilizing their information.
- Right to not be subject to automated decision making and profiling. Individuals must provide explicit consent to be subjected to decisions made by automatic processing.
Privacy rights under GDPR apply to all sensitive information.
GDPR makes some exceptions for system log files containing personal data, though the nuances of this may come down to how GDPR is enforced. That said, it should be acceptable under GDPR for organizations to make use of certain information that is less burdensome from a privacy perspective, such as non-personal data, anonymous data, pseudonymous data, data used solely for statistical purposes, and data used to fulfill legal obligations.
By understanding the reality of organizations’ responsibilities under GDPR, company leaders across departments can best prepare the data security and privacy capabilities that will be legally required of them in just a few months’ time.