5 of the biggest myths about GDPR data protection — and why you shouldn’t believe them03.23.18
You may have heard something about GDPR lately and thought "Why should I care? It probably won't affect me or my business.”
In reality, the implications of GDPR are far-reaching. The European Union’s General Data Protection Regulation (GDPR) is a set of regulations strengthening data privacy and protection laws for residents of the EU.
The regulations take effect in just two months: May 25, to be exact. Non-compliance can carry serious financial consequences, with penalties topping out at 4 percent of a company’s global gross annual revenue or 20 million Euros, whichever is higher.
We have encountered a number of widely held myths with respect to GDPR. Here are some of the biggest and the truth behind them.
Myth No. 1: The GDPR does not affect my industry.
The implications of the GDPR will impact U.S.-based businesses of all industries — including healthcare, hospitality and retail — that collect, process and maintain personal data of EU residents regardless of where the business is located. The new regulations will impact most U.S. companies because, in all likelihood, those businesses will process information of residents of the member states of the European Union as well as those in the European Economic Area (i.e., Iceland, Norway, and Liechtenstein) (EEA). The United Kingdom has also adopted the GDPR in its Data Protection Bill, replacing the Data Protection Act.
Myth No. 2: The GDPR does not apply to me because my business is only in the United States.
Previously, the EU’s data protection regulations applied only to organizations that collected or used a personal data where the organization was established in the EU or where the organization (although established outside of the EU) processed such as data in the EU. The GDPR, however, will extend the EU’s regulatory reach to organizations established outside of the European Union that process the personal data of EU residents if the processing relates to (i) offering goods or services to those residents or (ii) monitoring the behavior of those data subjects. This is arguably the biggest change of the GDPR compared to the EU’s existing data protection regulations.
Myth No. 3: The GDPR does not apply to me because I do not collect personal information.
The GDPR broadens the definition of “personal data” and covers “any information relating to an identified or identifiable natural person.” Personal data can include typical identifiers such a data subject’s name, Social Security number, photo or credit card information. It can also include email addresses, cookie strings, computer IP addresses or any other identifying data specific to a data subject’s “physical, physiological, mental, economic, cultural or social identity.” Genetic data and biometric data (e.g., fingerprints, facial recognition, retinal scans) will be treated as sensitive personal data under the GDPR when used to identify a specific individual.
Pseudonymous data differs from anonymous data. If data is anonymized, because it does not — and cannot identify — a person, it is not covered by the GDPR. Pseudonymous data, however, may have certain elements deleted, but the data could be, for example, combined with other information to determine the identity of a person. Pseudonymous data, therefore, is subject to the GDPR.
Myth No. 4: I have an opt-in on my website; I am already compliant.
Under the GDPR, businesses must demonstrate that an individual data subject has consented to the processing of his or her personal data by a clear, affirmative action or agreement. Such consent can no longer be contained within boilerplate terms and conditions of services. It must be presented in a written manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.
Myth No. 5: Once data is in the custody of my business, it is the property of my business.
EU residents will have the right to obtain confirmation from the provider as to whether or not their personal data is being processed, where and for what purpose. Further, upon the data subject’s request, the business must provide a copy of the personal data, free of charge, in an electronic format. A business’s policies and procedures must reflect the rights of individuals, which includes the right to erasure, or right to be forgotten, where the data subject has the right to obtain from the provider the erasure of the personal data without undue delay. The GDPR recognizes numerous other rights of individuals, such as the right to object and the right not to be subject to automated decision-making (e.g., profiling).
Policies and procedures must reflect these various rights and internal workflows must reflect the practical implications of these rights. For example, businesses must notify affected parties of a personal data breach without undue delay and, where feasible, no later than 72 hours after the business has become aware of it.