The ICO has established clear guidelines, as well as some helpful myth-busting facts to help you navigate GDPR.
Myths and Facts
MYTH #1 Controllers don’t need data processing agreements with processors because the GDPR imposes direct obligations on processors.
FACT #1 Data processing agreements are vital to the controller and processor relationship because they bind both parties to specific terms. The controller remains ultimately responsible.
MYTH #2 GDPR only applies to PII (Personally Identifiable Information).
FACT #2 Personal data under GDPR includes IP addresses and cookie tracking data, too. It’s important that people treat non-PII (non-personally identifiable information) as personal data as well, because any data that can be used to distinguish one person from another, or to de-anonymise anonymous data, can be considered PII.
MYTH #3 Everyone needs a Data Protection Officer
FACT #3 DPOs must only be appointed in the case of: (a) public authorities, (b) organisations that engage in large-scale systematic monitoring, or (c) organisations that engage in large-scale processing of sensitive personal data. If you don’t fall into one of these categories, then you don’t have to appoint a DPO, though appointing one is, of course, still to be encouraged in the interests of good practice!
MYTH #4 Information on a business card is not in scope for GDPR.
FACT #4 This raises a related question: is a generic business email address, such as info@, sales@ or admin@, a personal identifier? Whilst the answer to that question is NO, the answer to the original question is a resounding YES! The information on a business card identifies an individual (PII) and is therefore in scope of the GDPR.
MYTH #5 It only affects companies based in the EU.
FACT #5 Although GDPR is an EU law, it doesn’t just affect EU-based companies. It affects any company that stores and uses information relating to any EU citizen, regardless of where the company is based. It’s the first global data protection law. Therefore, if your customer is based in an EU country or you hold any personal data of any EU citizen, it will affect you and your business. The fact that the UK is in the process of leaving the EU also has no impact on our need to comply with this law. The only way you don’t need to comply is if you can 100% prove that you do not hold or use any information about any citizens of any EU country.
MYTH #6 It only affects big companies.
FACT #6 The size of the company is irrelevant; it affects everyone. Whilst larger companies will of course be more visible to the regulating authorities, size doesn’t matter: a smaller company could be just as much at risk of a data breach as a larger company. Therefore, GDPR applies to all companies worldwide that process the personal data of European Union (EU) citizens.
MYTH #7 It will only affect my marketing department.
FACT #7 You are correct that it will have a major impact on your marketing department (mainly due to the changes in gaining consent and the use of personal data), but it will affect your whole business, not just your marketing. At the very least, all staff should undergo training on best practice for the safe storage and use of data, on identifying and notifying the right person within the company in case of a data breach, and on how your company’s systems and processes will be affected and updated to comply.
MYTH #8 It won’t be enforced anyway so I don’t need to worry about it.
FACT #8 In the UK, compliance with the new regulations will be monitored and enforced by the ICO (Information Commissioner’s Office), and the fines for non-compliance and data breaches are massive – up to €20 million or 4% of group annual global turnover, whichever is the greater! Is it really worth taking that risk? A fine at that level could quite easily destroy even a large business.
MYTH #9 It doesn’t come in until May 2018, so we don’t need to think about it yet.
FACT #9 This is a huge overhaul to the way in which data is obtained, recorded, stored and used – it will likely affect your entire business and all of your internal processes will at least need documenting and checking for compliance if not updating. Therefore, leaving this to the last minute really isn’t a good idea, especially considering the huge fines that are possible.