
Top 5 GDPR Myths: Get the Facts

The General Data Protection Regulation (GDPR) has been garnering much attention
since its formal adoption in April 2016. With the effective date of May 25, 2018 fast
approaching, some popular myths have emerged surrounding the regulation.

In this blog post, we’ll examine and debunk a few of the most notable ones.

Myth #1: “We’re a US-based company so the GDPR doesn’t apply to us.”
In short, the GDPR will apply to US-based companies that offer goods or services to
individuals in the European Union (EU) or monitor the behavior of individuals if the
behavior occurs in the EU. Even US-based companies that have no physical presence in
the EU will be subject to the GDPR if they process an EU resident or visitor’s personal
data in connection with goods or services offered to those individuals or if those
companies monitor the behavior of EU residents or visitors while those individuals are
within the EU. The GDPR could apply, for example, if a US citizen visits a US-based
website while vacationing in Spain and that website monitors that citizen’s behavior
while in Spain.

Given the cross-border nature of the modern-day economy, it’s also not unusual to
see US-based companies with offices overseas, including in the EU. Personal data
processed, whether the processing occurs in the EU or not, in the context of the
activities of a US-based company’s EU establishment will be subject to the GDPR.

Myth #2: “Since the UK is leaving the EU, we don’t need to worry about GDPR compliance.”
According to this Information Age article, about 25% of UK businesses have stopped
preparing for GDPR compliance as they feel it won’t apply to them given the upcoming
UK departure from the EU in 2019.

The reality is that GDPR enforcement will begin a good ten months before Brexit
occurs. And, even after the UK leaves the EU, there is still a very high probability UK
businesses will be subject to GDPR compliance requirements because the GDPR applies
to the personal data of all EU residents. Given there are many EU residents living in the
UK and UK businesses will continue to do business with residents of EU countries, the
GDPR requirements will still apply to UK businesses long after Brexit is completed.

Myth #3: “Personal data that is already in our database isn’t subject to the GDPR.”
The GDPR applies to personal data, regardless of when that data was collected. In
other words, if the data was collected before the GDPR goes into effect (May 25, 2018),
the company and relevant data will still be subject to GDPR requirements.

As long as the data can be traced back or associated with an individual who was in the
EU at the time the data was collected (a “data subject”) via a name, ID number, or some
other physiological, genetic, or similar factor, then that data will be considered within
the scope of GDPR protection. As an example, contact information gathered from
prospective customers must have been gathered in compliance with the GDPR notice
and consent requirements to be used for marketing purposes after May 25th, 2018.

Myth #4: “My data is stored with my cloud service provider so it’s their responsibility
to remain compliant with the GDPR, not mine.”
The GDPR imposes a high duty of care upon data controllers in selecting their personal
data processing service providers. Similar duties are imposed if a service provider
contracts with a sub-processor. Businesses utilizing personal data for business purposes
cannot “pass the buck” to their cloud or security service providers that are processing or
storing personal data on their behalf.

So, even if a data controller is not storing personal data (i.e., it uses a third party to
store such data), the data controller will still be held responsible for compliance with
the GDPR. Both controllers and processors share responsibility for meeting GDPR
requirements.

Myth #5: “Our company uses pseudonymization and encryption to protect personal data,
so that should be enough for GDPR purposes.”
Given the rapid pace of innovation, simply pseudonymizing (aka data masking) or
encrypting the data, while useful, may not be enough to fully secure the data and meet
the requirements of the GDPR.

Specifically, Article 32 of the regulation requires companies to implement appropriate
technical and organizational measures to ensure a level of security appropriate to the
risks that are presented by a company’s data processing activities. In assessing the
appropriate level of security, companies are required to pay particular attention to the
risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or
access to personal data that is transmitted, stored or otherwise processed.

In determining what technical and organizational measures would be appropriate,
companies must take into account the current state of the art, costs of implementation,
and the nature, scope, context and purposes of the processing as well as the risk of
varying likelihood and severity to the rights and freedoms of the individuals whose data
is being processed.

Under this article, businesses must do what is appropriate, including but not limited
to and likely more than, just pseudonymization and encryption to ensure data security.
Information governance technologies that address data retention and defensible
disposition issues are examples of additional measures that enhance data security.

Next steps
The issues discussed above are currently top-of-mind for many security, compliance, and
IT professionals tasked with meeting GDPR requirements. To assess your organization’s
readiness, review this blog post for a planning timeline and identify the next steps that
make the most sense for you.

Wondering how your organization compares to others when it comes to GDPR
readiness? Read the results of our GDPR survey.
