The GDPR comes into force on 25 May 2018, so let's debunk some of the myths associated with the General Data Protection Regulation (GDPR).
Understanding the GDPR is a big step towards protecting and processing personal data properly, and we are here to help with some of the common doubts, myths and questions.
Myth #1 - Do businesses need explicit consent to process personal data?
This is a common expectation of the GDPR: that any kind of processing needs explicit consent. In fact, consent is only one of six lawful bases for processing personal data, and a business only needs to rely on one of them:
- Consent
- Contract (the processing is necessary to perform a contract with the individual)
- Legal obligation
- Vital interest (protecting someone's life)
- Public interest (or the exercise of official authority)
- Legitimate interest (where it is not overridden by the individual's rights and freedoms)
You can dive into the full definitions of these lawful bases in Article 6 of the GDPR; Article 7 sets out the conditions that consent itself must meet when you do rely on it. Explicit consent is only specifically required in narrower cases, such as processing special categories of data under Article 9.
Consent doesn't have to be a consent pop-up or notification on your website; it can be gathered in different ways, as long as it is freely given, specific, informed and unambiguous. Elizabeth Denham, the UK Information Commissioner, said: "If you have the consent of your customers, you are going to have a much richer interaction with them." In other words, customers who have genuinely consented give you good, accurate information, because they actually want the relationship and have not been "fooled" into anything.
Myth #2 - Do businesses need a data protection officer?
The vast majority of companies will not need a data protection officer (DPO). That said, every business still needs someone who is responsible for making sure employees process personal data properly. That person doesn't have to be in IT; they can come from legal, senior management, or be anyone else with influence at board level.
The job of the DPO is to make sure that the company is working within the GDPR, and appointing one is only mandatory (Article 37) in three scenarios:
- The organisation is a public authority or body (other than a court acting in its judicial capacity).
- The core activities of the business involve regular and systematic monitoring of individuals on a large scale (for example, behavioural tracking or profiling).
- The core activities involve processing special categories of data (such as health, biometric or religious data) or criminal conviction data on a large scale.
Even where a DPO is not mandatory you can appoint one voluntarily, but the same requirements for independence and resources then apply to the role.
Myth #3 - Does the GDPR include marketing and sales data?
Yes. Marketing and sales data is personal data like any other. Some direct marketing may rest on legitimate interest rather than consent, but only where the processing is necessary for that purpose and your interest is not overridden by the individual's rights; for electronic marketing the separate PECR rules (see Myth #4) apply on top. Whatever the basis, data subjects must be told what you are doing with the information you collect and how to object. For example, before someone signs up for a blog or newsletter subscription, there must be a clear opt-in and an easy way to opt out later. An unticked checkbox on the form works; a pre-ticked box does not count as consent under the GDPR.
Myth #4 - Is cookie tracking part of the GDPR?
Cookie tracking is actually covered by a separate set of rules, the Privacy and Electronic Communications Regulations (PECR), informally known as the cookie law. Businesses profiling website visitors from the EU need to ask for consent before dropping a cookie that watches behaviour on the site, even when the purpose is to offer a better experience; only cookies strictly necessary to provide the service the visitor asked for are exempt. PECR is expected to be superseded by the ePrivacy Regulation, which at the time of writing is still being negotiated. The intent is the same: consent for non-essential tracking must be obtained before the tracking starts, not after the page has already loaded it.
PECR is different from the GDPR, but the two are linked. The GDPR sets the general rules for any processing of personal data, while PECR sets specific rules for cookies and electronic marketing. Complying with the GDPR does not exempt you from PECR: you must comply with both, and where PECR requires consent, that consent has to meet the GDPR's standard.
Myth #5 - Do people have the right of erasure of their personal data?
Yes. Under the GDPR, individuals in the EU have an explicit right to erasure, often called the right to be forgotten (Article 17). Anyone can ask a company to delete their personal data, and the company must respond without undue delay and at the latest within one month. The right is not absolute, though: the company can refuse where it still legitimately needs the data, for example to comply with a legal obligation, to establish or defend legal claims, or for freedom of expression, and it must tell the individual why it is refusing.
Myth #6 - I’ll get less spam after the GDPR
It's not true that you'll get less spam once the GDPR applies. Rules against spam have existed for years, and it still happens. The GDPR (and PECR) only bind organisations that are subject to them; the bulk of spam comes from senders and botnets outside any jurisdiction that will enforce those rules, and tracking down every one of them is unrealistic. What should improve is the behaviour of legitimate businesses that market to you, since they now have to show a lawful basis and honour opt-outs.
Myth #7 - Does your business still have time to prepare for the GDPR?
If you haven't looked at the GDPR yet, it is very unlikely you will be fully ready by 25 May. However, you are not alone. Begin the process now, starting with a record of what personal data you hold, why you hold it and on what lawful basis, and you will be in a vastly better position than if you ignore it.
As for data breaches, they are a common occurrence, and it's how you respond to them that counts. Trying to hide one will look far worse than the breach itself, and under the GDPR it is also unlawful: a personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it where feasible (unless it is unlikely to result in a risk to individuals), and the affected individuals must be told without undue delay when the breach is likely to result in a high risk to them. The major key to the GDPR is how your business owns up to any data breach. Be transparent.