6 GDPR Myths - True or False?

The General Data Protection Regulation has been in place for just over six months. Most businesses have had time to come to terms with the new legislation and make all of the changes required for GDPR compliance. Even though these businesses have had the time to learn about and implement the necessary changes, there are still many misconceptions out there that are causing businesses to overwork or even underwork themselves in terms of GDPR.

In this short article, we have investigated 6 GDPR myths and taken a look to see if they really are just myths or important aspects of data legislation that you need to be aware of.
 
Myth #1 - GDPR Doesn't Apply to Businesses Outside of the EU – FALSE

This is something that quite a lot of business outside of the EU are still oblivious to. Many people see GDPR as a way to restrict a business’ use of customer data, which of course is true, but what many businesses are forgetting is that the main purpose of the GDPR is to protect personal data belonging to EU citizens. This means if you operate outside of the EU, but you still have both current and prospective clients that live in the EU, you must comply with the GDPR when contacting these clients. Just because you aren't in the EU, does not mean you are safe from fines under GDPR.
 
Myth #2 - Having a Data Protection Officer is Mandatory - FALSE

With GDPR, comes the misconception that every business must appoint a Data Protection Officer. This is not true. Appointing a Data Protection Officer (DPO) is only mandatory under the following grounds:
 
- You are a public authority.
- Your activities consist of large-scale, methodical observation and online behavioural tracking etc.
- Your activities involve large-scale processing of special data categories e.g. criminal conviction data.
 
Myth #3 - Consent Given For The Processing of Personal Data Must be Clear-Cut - TRUE

This is absolutely true. When depending on consent to collect, store and process personal or sensitive information, the consent given must be explicit. There are many ways to obtain this consent, such as email confirmations, written consent or even simple 'I agree' or 'I do not agree' options. However, always ensure that any consent and the format in which it is given is suitable for any and all requirements.
 
Myth #4 - Fines Can Reach €20,000,000 - TRUE

Despite the fact that no one has been given the maximum penalty at the time of writing, the Information Commissioner's Office has the power to impose fines of up to €20,000,000 or 4% of the company's annual turnover, whichever is more. To date, the largest fine given by the ICO. was £500,000 to Facebook for 'serious breaches of data protection law'. The full details are here: https://ico.org.uk/action-weve-taken/enforcement/facebook-ireland-ltd/
 
Myth #5 - Biometric Data Comes Under 'Sensitive Data' - TRUE

Biometric data such as fingerprints, retinal scans even ID images are all classed as 'sensitive data' under GDPR. However, not all biometric data falls under this category. Biometric data that cannot be used for identification purposes, is not classed as 'sensitive data'.
 
Biometric data that is considered as 'Sensitive Information' include:

- Fingerprints
- Retinal Scans
- Images Used For Identification
- Facial Recognition Data
- Written Signatures
- Voice Recognition Data

and more...
 
Myth #6 - You Can Only Collect Data If Consent is Given - FALSE

Even though GDPR has brought stricter rules regarding data collection and consent, in some cases, you will not need consent to collect or process personal data.
There are six grounds on which you can collect personal data, some require consent, some do not. The six grounds for data collection are:
 
1. To protect the vital interest of the individual - (In order to protect someone's life)
2. Public Interest - (Necessary for the running of a public task e.g. teaching)
3. Contractual Necessity - (Required for contractual agreements)
4. Compliance with legal obligations - (Collecting or processing is required for the compliance of UK or EU legislation)
5. Unambiguous consent (Clear, easy to interpret consent from the individual)
6. Legitimate interest of the data controller - (Your own interest whether commercial or individual, must be balanced with the data subject's interests)
 
Please Note: Despite having a lot of experience with GDPR and being a GDPR compliant company, the information contained within this article should not be taken as legal advice. We have made every effort to ensure that the information in the article is accurate, however, always do your own research and verification before making any changes concerning GDPR compliance.