THE EU GDPR – 5 Myths Dispelled

The adoption of the General Data Protection Regulation (GDPR) by the European Council and Parliament last week (14 April 2016) will have wide ranging impacts. These will affect all organisations processing personal data and is a hot topic in the computer press and technology blogs around the globe.

As the countdown begins to the two-year compliance deadline (where the GDPR is expected to replace the UK Data Protection Act 1988), what we do know is that there will undoubtedly be a huge amount of speculation, misunderstanding, confusion and probably denial surrounding the Regulation. Already, myths are starting to emerge as businesses seek to digest the announcement and understand what impact the GDPR will have on them and what they need to be doing to prepare. Here, URM aims to provide some clarity around the GDPR by dispelling five of the myths associated with it.

Myth 1

I have to appoint a qualified, independent data protection officer (DPO)

This is not the case. Early draft versions of the Regulation did stipulate that all organisations with over 250 employees or processing more than 5,000 personal data records would need to formally appoint a DPO. This requirement however has been diluted as GDPR has gone through its various amendments and iterations, although the appointment of a DPO is mandatory for certain organisations. Currently within the GDPR Section 4, it states that DPOs "are to be appointed if:

  1. You are a public body
  2. You are a private sector controller whose core activities consist of processing operations that require "regular and systematic monitoring of data subjects on a large* scale".
  3. You are a private sector controller whose core activities consist of processing special categories of personal data, e.g. previously sensitive personal data categories under the UK DPA with the addition of genetic and biometric data".

*The definition of 'large' is open to interpretation.

The DPO, where appointed, must be independent. This does not mean you have to appoint somebody externally, they can be an existing employee. The role can be part-time or combined with other duties, but in performing the role the DPO must have an independent reporting line. As with most compliance officers, the DPO must be empowered and must report directly to the Board without interference.

What is important here is that the appointed person must be a data protection professional with 'expert' knowledge of data protection law and practices in order to perform their duties and ensure your organisation achieves and maintains compliance.

Myth 2

I am considered to be a small to medium enterprise (SME) so the GDPR doesn’t apply to me.

This is incorrect. Whilst there are some concessions to micro and small businesses, particularly in relation to record keeping, the GDPR applies to all organisations 'engaged in economic activities' involving the processing of personal data. The applicability of GDPR depends upon the nature of the processing being performed, not the quantity of records or size of the organisation. You will also need to recognise that your customers may be dealing with significant levels of personal data and you may need to prepare for the obligations placed on data processors.

Myth 3

I'm only acting as a data processor so I don’t have to worry about the GDPR – my customers are the data controllers and so they manage the responsibility.

Unfortunately not, data processors will have direct legal obligations and responsibilities, which means that processors can be held liable for data breaches. Equally, data controllers will need to review all of their supplier (controller to processor) contracts over the next two years. This is to ensure that their suppliers are compliant with the new Regulation. If, however, you are a data processor you will for the first time have direct responsibilities under the GDPR. One of which is a requirement that the data processor (or their representatives) must maintain a record of processing activities that includes:

  • The name and contact details of the controller, or where applicable, the controller or processor’s representative
  • The name and contact details of each controller (or the representative) the processor is acting for and their DPO
  • The categories of processing carried out on behalf of each controller
  • Transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of appropriate safeguards. For example, the contractual clauses within inter-company data transfer and sharing agreements based on risk assessments, etc.

Where possible, a general description of the technical and organisational security measures the recipient of the transfer has implemented.
The records need to be in writing, including in electronic form and made available to a supervisory authority on request.

Myth 4

My personal data is all encrypted so I don’t need to worry about fines.

Whilst security measures are vital, fines can be levied for an infringement of the data controller’s or data processor’s obligations under the GDPR and not just for data security breaches. The level of potential fines is extensive and 'headline grabbing', as the supervisory authorities will have the power to impose fines of between 2 to 4% of global annual turnover (in the previous financial year). The levying of fines will be based upon the seriousness of the infringement and the circumstances of the case, including:

  • The nature, gravity and duration of the infringement
  • The purpose of the processing concerned
  • The number of data subjects affected
  • The level of damage suffered by data subjects (including infringement of their rights)
  • Whether the infringement was intentional or negligent
  • Any action taken by the controller or processor to mitigate the damage suffered by data subjects
  • The degree of responsibility of the controller or processor taking into account technical and organisational measures implemented
  • Any relevant previous infringements
  • The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects
  • The categories of personal data affected by the infringement
  • The manner in which the infringement became known to the supervisory authority, in particular whether they were notified and if so, to what extent
  • Whether any previous measures ordered against the controller or processor relating to the same subject-matter were complied with
  • Whether approved codes of conduct or approved certification mechanisms were in place
  • Any other aggravating or mitigating factors, such as financial benefits gained, or losses avoided, as a result of the infringement.

Encryption, as such, is not a panacea to all ills and you will still need to consider the 'organisational and technical' measures that are in place. These are not just in relation to security risk assessments, general security management and the implementation of controls that ensure personal data is protected, but potentially in documented privacy impact assessments. These are now mandatory where new processing operations are likely to result in high risk* to the rights and freedoms of data subjects. The specification of measures required to reduce these risks, including the potential need to seek prior approval from a supervisory authority (in some cases), is vital. Organisational measures include the overall governance and compliance regime, in order to demonstrate compliance and ensure your obligations for 'accountability' are met and maintained.

* The controller will need to define 'high risk' and in the event of doubt, seek prior approval for the processing from the supervisory authority.

Myth 5

If we leave the EU, the GDPR will not be relevant so it is better to wait and see

That would not be an advisable approach. Either way, UK businesses will still have to meet the rights and freedoms of citizens of EU member states when the GDPR comes into effect, after the final release date has been announced (this is to be confirmed but you can keep a close eye on announcements on the PCI website, more detail can be found here). If the UK stays in Europe, the GDPR will automatically supersede the UK Data Protection Act. If we leave, due to complex withdrawal agreements, it will potentially be after the GDPR is already in effect and the UK Government would need to consider harmonisation and legislate accordingly. As such, it is highly unlikely that the GDPR requirements will be changed however, there is a period of up to two years in which the UK has to ratify the Regulation before full adoption. Given the continuing need to ensure the free flow of information and remove barriers to trade across international boundaries, the UK is more likely to phase in the GDPR soon after the final date has been announced by the EU Parliament.

Next Steps

It is clear that the EU GDPR is likely to have a significant impact on all organisations which process personal data. The clock is already ticking for you to get your house in order and it is important that you develop your data protection capabilities, understand your current position, map any changes that you will need to make and plan and manage those changes in a timely fashion. To do that effectively, you need to start now. URM can offer a number of consultancy and training services which will help you assess where you are now and what you need to do in order to be fully prepared when the Regulation comes into effect.

A first step is to undertake an Adequacy Assessment with URM where one of our senior DP practitioners will go through your current arrangements. This will determine whether you are meeting existing requirements under the UK DPA, highlight any shortfalls identified and provide recommendations for improvement required to satisfy the increased governance and accountability obligations within the GDPR.

We also have a certificate training course in data protection that provides clear, unambiguous guidance on key DPA topics such as the interrelationship with other legislation and regulations, interpreting the eight principles, gaining consent, disclosing personal data and ensuring the use of data processors is legal. In addition, you will also be provided with the latest update on the GDPR and its likely impact.

The ICO has published a useful 12-step guide on what organisations should do now and launched a new micro-site where it will publish future guidance One thing we can be sure of, there will be a plethora of information to digest over the next two years and you need to use information sources and specialist partners you can trust.

If you would like to learn more about URM's DP Adequacy Assessment or URM's data protection certificate training, or if you have any other queries regarding the GDPR please complete the form below: