8 General Misunderstandings about the EU GDPR
The game-changing EU General Data Protection Regulation (GPDR), effective May 25, 2018, introduces a series of requirements that all companies who control or process privacy data related to EU citizens must comply with.
The overall purpose of the EU GDPR is to protect the individual against misuse of privacy data entrusted to private or public organizations.
While most organizations realize, there is a lot of work to be done related to employees, processes and technologies. Many companies are uncertain what exact steps they need to take to fully comply with the new requirements.
In our dialogue with various organizations, we experience a great deal of misunderstandings in terms of what actions to take and how to initiate them. Therefore, we have gathered the most common misunderstandings about the new regulation here:
Misunderstanding 1: The EU GDPR introduces an entirely new series of regulations for data security
Actually, the EU GDPR includes many existing legal requirements regarding privacy data. The problem with the existing requirements is the limited options to impose economic sanctions on companies in violation. Moreover, the technology investment costs for data protection exceeds by far the fines for non-compliance with the existing regulations. Consequently, actions towards meeting regulation have been downgraded. But this is about to change.
The EU GDPR introduces a series of sanctions on companies and suppliers if they are responsible for a data security breach or for compromising privacy data. The national Data Protection Agencies will be able to issue heavy fines reaching up to 4% or 20 mill. whichever is highest. EUR of a company’s global turnover in case of non-compliance. Additionally, companies must document and can prove the appropriate level of compliance regarding processes for controlling, managing, and auditing access to privacy data.
Misunderstanding 2: My IT supplier is responsible for us being in compliance with the privacy data regulation
EU GPDR distinguishes between the Data Controller and the Data Processor. The Data Controller is the company who initially obtains and therefore controls EU residents’ privacy data to manage customer relations for marketing purposes, for example. As the Data Controller, you are responsible for the actions of everyone, including external parties, who process the privacy data under your control. The Data Controller includes hosting companies, IT contractors, marketing agencies, payroll agencies, etc.
As Data Controller you can’t outsource your responsibility for privacy data. However, both the Data Controller and the Data Processor risk fines or compensation claims from individuals in case of non-compliance.
Misunderstanding 3: Processing privacy data is not a key initiative for our company and therefore we are not affected by the regulation
Any organization that collects, stores, and handles privacy data is included in the regulation. The EU GDPR clarifies that IT technology is an integrated part of all activities within the company and stresses the need to strengthen processes concerning privacy data.
Companies must generate a complete overview of data, determining where privacy data is stored, who has access to the data, who should have access, and who is using the access. As an example, it is not sufficient to encrypt privacy data or store them on a CD and lock the data in a safe. As the Data Controller, you must be able to document how the data is handled and by whom.
In case of a severe data leak, the company is required to make a breach notification to all involved data subjects and authorities within 72 hours.
Misunderstanding 4: The EU GDPR is just another IT project
It may be that your company needs new IT technology to create an overview and establish control of applicable data. First, you need to outline all your data. Next, you’ll have to describe who has access to what data and who is responsible for the data security. Then, you need to determine whether your processes for data management are correct. For example, you should be able to inform any data subject/person about how you use his/her privacy data – and you need explicit consent to use the data. This task involves standardized working processes, beyond IT technology, and gives you the opportunity to optimize processes and working routines.
Misunderstanding 5: We are ISO certified and therefore covered
ISO certification is often a very good initiative regarding information security. However, ISO only covers some of the requirements in the EU GDPR.
As the Data Controller, you are responsible for ensuring that any contractor or external service provider with the access to process privacy data under your control, will do so in compliance with the regulation, including external parties such as IT suppliers. As the Data Controller, you need to document agreements with third parties and ensure that they meet the requirements of the EU GDPR.
Misunderstanding 6: We can simply take out a third-party insurance
As a rule, you can’t take out an insurance against financial losses due to fines for non-compliance with the regulation. In some cases, it is even against the law.
Both the Data Controller and the Data Processor has a financial liability in case of non-compliance. GDPR also involves the mandatory breach notification within 72 hours in case of data leaks, to all involved data subjects – meaning the owners of the related data. The notification requirement implies that the disclosure will go public and may result in severe reputational damage for your organization. You can outsource the data processing, but you cannot outsource the responsibility.
Misunderstanding 7: We are forced to assign a Data Protection Officer (DPO)
A Data Protection Officer (DPO) is an internal and impartial person in the company who should control that processes and documentation for data security, per the requirements outlined in the GDPR, independent of executive management. The DPO is also the contact person for authorities. Yet, not all companies are required to assign a DPO.
Three criteria determine if you are obliged to assign a DPO. First, processing privacy data should be a key activity in your business. The extent of “key activity” is not yet defined in details. Secondly, the processing of privacy data should be performed regularly and systematically – or thirdly, the data should be of confidential character that falls into the category of sensitive data.
If all three criteria apply, your company is required to assign a DPO. Most private companies are not required to assign a DPO - however, you are free to assign a DPO voluntarily to ensure your company is compliant.
All companies are obliged to process EU citizens’ privacy data according to the GDPR requirements and therefore, external consulting on regulations and IT security is recommended; especially when it comes to determining which data types fall into the category of privacy data, and how to ensure correct use and gathering of consent to use said data.
Misunderstanding 8: We don’t process privacy data
Most companies process and store privacy data about customers and partners. Even if this is not the case for your organization, the registration of employee data to process salary, tax, pension, or insurance – is included in the GDPR.
The World’s highest standard of privacy data protection
As a provider of IT security solutions, we at Omada experience that our customers understand there are challenges ahead and they have their work cut out to be compliant in time. They need to define in very pragmatic terms what impact the GDPR will have on employees, processes, collaboration with partners, and technologies required to handle their data assets.
Yet, many companies find it difficult to determine the scope of data, define where to start, and how to ensure on-going compliance. The regulation doesn’t come with a complete to-do list, neither does it provide a complete overview of data types or recommendations of technology to support compliance. Thus, we experience a growing demand for advice on how to get started. It may be advice on what processes and employees the GDPR involves and what technologies to use.
Consequently, Omada has developed a Quick Guide explaining the various steps to take in order to implement efficient processes and get compliant fast.