5 Common Misconceptions About GDPR And Why They Can Hurt Your Business
From the outset, many misconceptions about the General Data Protection Regulation have arisen, ranging from ‘it is IT’s problem’ right up to ‘it’s the next Y2K’. Although it has only been a few months since the regulation came into force, new misconceptions continue to appear on a regular basis. Over the past few weeks, Smarttech247 has seen a rise in GDPR enquiries as some of these misconceptions are being cleared up and GDPR fines are coming into effect. In this blog, I will detail 5 of the biggest misconceptions I have come across working as a Data Protection Specialist and DPOaaS at Smarttech247.
Misconception #1: It only applies to big companies
Whether GDPR applies to you does not depend on the size of your company. What it looks at is the nature of the data you are processing: how sensitive it is and how much risk it poses to the rights of the data subject. The way GDPR affects your organisation depends on what data you are processing, why and how, not on how many employees are handling it.
Misconception #2: You need consent for everything
Consent is only one of six legal bases for the processing of personal data, and chances are that one of the other legal bases is more suitable for your processing. Even if you are relying on consent as your legal basis, that does not mean you need to ask for consent again; you can rely on existing consent as long as it meets the GDPR requirements and is accurately documented. More often than not, a request for consent when it is not needed is the result of poor GDPR advice or of not fully understanding the regulation! If you’re not sure which legal basis you come under, ask, and get it right the first time around!
Misconception #3: All data is sensitive data
The distinction between personal and sensitive data has caused a large amount of confusion and controversy over the last few months. Within GDPR there are two types of data, personal data and sensitive (special category) data, and with two data types come two different definitions. Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, by the data. Sensitive data, or special category data, is personal data that reveals racial or ethnic origin, political, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data and information about health or sexual orientation.
The processing of sensitive data is only allowed if the requirements detailed in Article 9(2) are met. These differ from the requirements for the processing of ordinary personal data and include explicit consent and the establishment of necessity.
Misconception #4: It’s all IT’s problem
GDPR is not IT’s problem. GDPR compliance has to be considered organisation-wide in order to be successful. Sure, IT will help with the implementation of the technical measures for protecting the data, but that is only part of the job. GDPR requires policies, procedures, training and awareness across all departments. If GDPR compliance has only taken place in your IT department, then chances are you’re not compliant. It’s also extremely important that GDPR awareness comes from the top, with the tasks of the board being detailed in Article 70 of the regulation!
Misconception #5: GDPR is bad for business
I have to disagree with this statement and say quite the opposite. GDPR may be tough for organisations, but it brings many benefits such as cleaner processes, more efficient working, transparency, and increased client loyalty and trust. GDPR forces organisations to look at their business practices, ensure they are ethically correct, and carry them out in a way that facilitates an efficient response to data subject requests and maximum protection of personal data. Yes, the initial stages can be tedious and daunting, but after implementation and a few weeks of getting used to them, GDPR practices quickly become the new norm!
Now, here’s a question for our readers: how have you found the GDPR journey so far?
Feel free to write to us on firstname.lastname@example.org
Don’t forget, we also have a special offer at the moment, whereby we offer free GDPR consultations to any business looking to either assess their current compliance status or improve it. You can request one here: https://www.smarttech.ie/gdpr-assessment-free-consultation/