The adoption of the General Data Protection Regulation (GDPR) by the European Council and Parliament in April 2016 had wide-ranging impacts. These affect all organisations processing personal data and have been a hot topic in the computer press and technology blogs around the globe for the last few years.
In the two-year countdown to enforcement of the GDPR in May 2018, myths started to emerge as businesses sought to understand what impact the GDPR would have on them and what they needed to be doing to prepare. Here, URM aims to provide some clarity around the GDPR by dispelling 5 of the myths associated with it.
Myth 1
I have to appoint a qualified, independent data protection officer (DPO).
This is not the case (although the appointment of a DPO is mandatory for certain organisations). The GDPR states that DPOs are to be appointed if:
- You are a public body
- You are a private sector controller whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large* scale
- You are a private sector controller whose core activities consist of processing special categories of personal data, e.g. the categories previously classed as sensitive personal data under the UK DPA, with the addition of genetic and biometric data.
*It’s worth noting that the definition of 'large' is open to interpretation.
The DPO, where appointed, must be independent. This does not mean you have to appoint somebody externally; they can be an existing employee. The role can be part-time or combined with other duties, but in performing the role the DPO must have an independent reporting line. As with most compliance officers, the DPO must be empowered and must report directly to the board without interference.
What is important here is that the appointed person must be a data protection professional with 'expert' knowledge of data protection law and practices in order to perform their duties and ensure your organisation achieves and maintains compliance.
Myth 2
I am considered to be a small to medium enterprise (SME) so the GDPR doesn’t apply to me.
This is incorrect. Whilst there are some very restricted concessions to micro and small businesses, particularly in relation to record keeping, the GDPR applies to all organisations 'engaged in economic activities' involving the processing of personal data. The applicability of GDPR depends upon the nature of the processing being performed, not the quantity of records or size of the organisation. You also need to recognise that your customers may be dealing with significant levels of personal data and you need to prepare for the obligations placed on data processors.
Myth 3
I'm only acting as a data processor, so I don’t have to worry about the GDPR – my customers are the data controllers and so they manage the responsibility.
Unfortunately not. Data processors have direct legal obligations and responsibilities under the GDPR, which means that processors can be held liable for data breaches. Equally, data controllers need to review all of their supplier (controller to processor) contracts to ensure that their suppliers are compliant with the Regulation. If you are a data processor, one of your direct responsibilities is a requirement that the data processor (or their representative) must maintain a record of processing activities that includes:
- The name and contact details of the controller or, where applicable, the controller or processor’s representative
- The name and contact details of each controller (or the representative) the processor is acting for and their DPO
- The categories of processing carried out on behalf of each controller
- Transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of appropriate safeguards, for example the contractual clauses within inter-company data transfer and sharing agreements based on risk assessments, etc.
- Where possible, a general description of the technical and organisational security measures the recipient of the transfer has implemented.
The records need to be in writing, including in electronic form and made available to a supervisory authority on request.
Myth 4
My personal data is all encrypted, so I don’t need to worry about fines.
Whilst security measures are vital, fines can be levied for an infringement of the data controller's or data processor's obligations under the GDPR, and not just for data security breaches. The level of potential fines is extensive and 'headline grabbing', as the supervisory authorities have the power to impose fines of between 2% and 4% of global annual turnover (in the previous financial year). The levying of fines is based upon the seriousness of the infringement and the circumstances of the case, including:
- The nature, gravity and duration of the infringement
- The purpose of the processing concerned
- The number of data subjects affected
- The level of damage suffered by data subjects (including infringement of their rights)
- Whether the infringement was intentional or negligent
- Any action taken by the controller or processor to mitigate the damage suffered by data subjects
- The degree of responsibility of the controller or processor taking into account technical and organisational measures implemented
- Any relevant previous infringements
- The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects
- The categories of personal data affected by the infringement
- The manner in which the infringement became known to the supervisory authority, in particular whether they were notified and if so, to what extent
- Whether any previous measures ordered against the controller or processor relating to the same subject-matter were complied with
- Whether approved codes of conduct or approved certification mechanisms were in place
- Any other aggravating or mitigating factors, such as financial benefits gained, or losses avoided, as a result of the infringement.
Encryption, as such, is not a panacea for all ills, and you still need to consider the 'organisational and technical' measures that are in place. These relate not just to security risk assessments, general security management and the implementation of controls that ensure personal data is protected, but potentially also to documented privacy impact assessments (PIAs). These data protection impact assessments (DPIAs) are mandatory where new processing operations are likely to result in high risk* to the rights and freedoms of data subjects. Specifying the measures required to reduce these risks, including the potential need to seek prior approval from a supervisory authority (in some cases), is vital. Organisational measures include the overall governance and compliance regime, which demonstrates compliance and ensures your obligations for 'accountability' are met and maintained.
* The controller will need to define 'high risk' and, in the event of doubt, seek prior approval for the processing from the supervisory authority.
Myth 5
When we left the EU, the GDPR became irrelevant.
That is not the case. In fact, post-Brexit there are now two versions of the GDPR which British organisations may have to comply with, depending on the circumstances of their processing. In preparation for the UK completely leaving the European Union on 31 December 2020, the UK's Data Protection Act 2018 (the DPA) incorporated the whole of the GDPR into UK law so that it would remain the law in this country after we left the EU. A few months after the DPA, in 2019, the UK parliament passed EU exit amendment regulations which made many technical changes to the language of the DPA, including introducing the terms 'UK GDPR' and 'EU GDPR'. The UK GDPR is the UK-amended version of the GDPR, which applies to the processing of the personal data of people in the UK; the EU GDPR is the original, unamended GDPR, which applies to UK organisations' processing of EU people's data. Either way, you have to comply with one or other version (or both), regardless of Brexit.
Next Steps
It is clear that the GDPR has had a significant impact on all organisations which process personal data. It is important that you develop your data protection capabilities, understand your current position, map any changes that you need to make, and plan and manage those changes in a timely fashion.
URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, data retention schedules, training programmes, etc.
By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.
If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you in understanding your current level of compliance and identifying gaps and vulnerabilities.