Generally, there are 2 main reasons why misconceptions take hold:
- Our susceptibility to what we consume online. The media easily capture our attention and influence our decisions. This has led many people to read opinions as truth and to believe facts are replaceable.
- Scepticism. With the vast amount of false information circulating on the internet nowadays, we learn to mistrust what we read. We question sources and assume there is an ulterior motive. This leads to confusion and misconceptions.
Given how important data is for businesses, fears and doubts have been cast over the impact of GDPR.
We have heard many of these misconceptions, and feel compelled to debunk the 7 most common GDPR misconceptions.
1) GDPR will hurt businesses
Compliance of any kind often requires businesses to incur some costs.
Many companies operating in the EU are no strangers to data protection laws. For them, adapting to GDPR will be a matter of adjusting and changing existing business processes. On the other hand, there are businesses that are only now realising the importance of privacy.
This second group has work to do.
GDPR was created with economic growth in mind. It was designed to promote responsible handling of personal data within a regulated Digital Single Market. In doing so, the European Commission believes that GDPR will promote trust in the digital economy.
A trustworthy economy is a driver for long term growth and stability. In other words, GDPR was created as a vehicle for driving long term growth for the digital economy.
2) In order to use personal data, consent must be obtained
GDPR is praised for giving individuals back control of their data. While this is true in principle, in practice, obtaining consent is not always required. GDPR recognizes a series of situations where data processing can legally take place. Consent is just one of the several alternatives.
This is not to downplay the role of consent. It’s important and companies should understand when it is required.
3) All businesses need to hire a Data Protection Officer (DPO)
Hiring a DPO is not always required.
The European Commission lists some specific cases where organizations must appoint a designated DPO. Outside these cases, it is recommended that your organization assigns a person to be responsible for GDPR compliance.
4) GDPR is all about preventing data breaches
Data security is an important part of GDPR, but there is so much more.
For example, GDPR covers the risks of minors extensively and sets limits to ensure their rights are protected. There are many rights attributed to individuals that don’t necessarily fall under data security. The most notable example is the right to be forgotten. GDPR also expects businesses to be more transparent and clear with their data subjects.
5) Organizations are required to carry out a DPIA
Data protection impact assessments (DPIAs) help organisations identify potential risks and adopt measures to prevent these.
It is important to understand that DPIAs are reserved for specific cases, mainly when the organization’s processing presents a high risk to the rights and freedoms of individuals.
6) My organization will be compliant by installing the right software
Think of any compliance software as merely a tool.
It would be the equivalent of accounting software. If used incorrectly, it can still expose the company to breaches of the law. Software can make life a lot easier for companies, especially if they deal with a vast number of data points across a large and complex organization.
Whether your organisation needs one or not depends on your processes and organisation.
7) My organization is not responsible for data outsourced to vendors
Accountability is one of the founding principles of GDPR.
It ensures that companies remain responsible even after data is outsourced or shared externally. Organizations should have systems in place to know exactly what data is being shared and why. GDPR has been designed with these particularities in mind. Businesses should always make sure that the data they hold, and share with other businesses, is handled in a manner compliant with GDPR.
Unfortunately, the appearance of misconceptions is just one of the side effects whenever a topic of such magnitude as GDPR goes “viral”.
We hope this article has helped in combating some of the misinformation surrounding GDPR.