Only 2 weeks left before the enforcement of the General Data Protection Regulations (GDPR) and there is FEAR! And fuelled by it there is paranoia surrounding what needs to be done.  Rumours. Assertions. And crazy ideas. In this blog: we will bust all the ridiculous myths that we have heard so far.

Myth 1: GDPR is a European Union (EU)  law and only applies to European companies

This particular myth challenges the parameters of the application of the GDPR. It certainly does not apply to only European companies. It applies to ALL companies who in any way collect, receive and process data of people residing in the EU. Moreover, any company that offers goods or services to EU Data Subjects or monitors their behavior in any way has to comply, regardless of the company’s location. It is in fact possible that a European company only processes data of American residents. In that case, the GDPR does not actually apply to the company. Essentially, it does not matter where the company is based or originated from, the criteria that should be used to assess whether the GDPR applies or not is “whose data do you touch?”

Myth 2: GDPR was made to punish companies by imposing fines

The principles around which the GDPR is based is not to punish companies but rather to empower people with more control over their data and to ensure responsible collection and processing of data. The potential fines that could be imposed have just been stated over and over again to reiterate the importance of compliance for companies. However, at this point no one can predict how strictly the authorities will impose these fines, if at all. They will most likely allow companies extension and a lot of leeway if they see efforts being made to comply. Fines will not imposed for every little non-compliance issue. This is because in essence the nature of GDPR is empowering rather than punitive.

Myth 3: GDPR is only for the IT departments and senior management

Everytime people think of Data Protection they usually immediately jump to the conclusion that it is something for the IT department. However, in the case of the GDPR this is not the case at all. The GDPR is to reform the way companies handle data which is why it applies to and add responsibilities to every department and every person within a company. Processes need to be created but also employees need to be educated about the GDPR. For instance, recording all processing activities will entail the involvement of representatives from all departments of a company.

Myth 4: All breaches not matter how little need to be reported to the Data Protection Authorities

Breaches need to be reported to the relevant Authorities however, this only applies to those breaches where it’s likely to result in a risk to people’s rights and freedoms. So not every breach needs to be reported.

Myth 5: All details need to be provided the minute a breach occurs within a company

If there is a breach within a company, details of it are sometimes not available immediately. Companies themselves need to investigate before they can collect all the necessary information. The GDPR takes this into account and allows 72 hours to report such instances when feasible. Once reported details can also be provided after the allotted 72 hours if needed.

Myth 6: Consent needs to be taken for every activity

The general perception among companies is that consent is at the centre of the GDPR. Without consent, no data processing activity can be carried out. This perception is extremely misleading. The GDPR allows for several different ways of justifying a processing activity of which consent is ONLY ONE. Some others can be seen below from the ECOMPLY app where you can just pick one to form the legal basis for an activity:

Myth 7: Under the GDPR, you need to get consent again from all stakeholders!

So having busted the first myth about consent under the GDPR, the second one is specifically about asking for consent under the GDPR. Most companies think this needs to be done from scratch to be GDPR compliant. However, consent obtained under the Data Protection Directive suffices under GDPR standards. Just review the consent and the standard that GDPR sets for it.

Myth 8: New data portability rules apply to all businesses

Data portability requirements apply only when the legal basis of a processing activity is based on consent or contractual necessity.  When the legal basis is legitimate interest or public interest or another provision allowed under the GDPR the requirements don’t apply.

Myth 9: Data centre needs to be in the EU!

This is another common misconception. A company’s data centre doesn’t have to be in the EU. It can also be in one of the third countries that GDPR allows for. Basically, it cannot be in a country that doesn’t have regulations on data protection. Here’s what we found helpful on this topic.

Myth 10: Biometric data is sensitive data under the GDPR

This is the most understandable misconception that has developed regarding the GDPR. Biometric data that a company collects just like any other data is sensitive only if it is actively used for identification purposes. It is predominantly collected for purposes of identification but if that is not the case then Biometric data doesn’t have to be treated as sensitive data.