The General Data Protection Regulation has been in place for just over six months. Most businesses have had time to come to terms with the new legislation and make all of the changes required for GDPR compliance. Even though these businesses have had the time to learn about and implement the necessary changes, there are still many misconceptions out there that are causing businesses to overwork or even underwork themselves in terms of GDPR.
In this short article, we have investigated 6 GDPR myths and taken a look to see if they really are just myths or important aspects of data legislation that you need to be aware of.
Myth #1 - GDPR Doesn't Apply to Businesses Outside of the EU – FALSE
This is something that quite a lot of businesses outside of the EU are still oblivious to. Many people see GDPR as a way to restrict a business' use of customer data, which of course is true, but what many businesses forget is that the main purpose of the GDPR is to protect personal data belonging to EU citizens. This means that if you operate outside of the EU but still have current or prospective clients who live in the EU, you must comply with the GDPR when contacting those clients. Just because you aren't in the EU does not mean you are safe from fines under GDPR.
Myth #2 - Having a Data Protection Officer is Mandatory - FALSE
With GDPR comes the misconception that every business must appoint a Data Protection Officer. This is not true. Appointing a Data Protection Officer (DPO) is only mandatory on the following grounds:
- You are a public authority.
- Your activities consist of large-scale, methodical observation and online behavioural tracking etc.
- Your activities involve large-scale processing of special data categories e.g. criminal conviction data.
Myth #3 - Consent Given For The Processing of Personal Data Must be Clear-Cut - TRUE
This is absolutely true. When depending on consent to collect, store and process personal or sensitive information, the consent given must be explicit. There are many ways to obtain this consent, such as email confirmations, written consent or even simple 'I agree' or 'I do not agree' options. However, always ensure that any consent and the format in which it is given is suitable for any and all requirements.
Myth #4 - Fines Can Reach €20,000,000 - TRUE
Despite the fact that no one has been given the maximum penalty at the time of writing, the Information Commissioner's Office has the power to impose fines of up to €20,000,000 or 4% of the company's annual turnover, whichever is more. To date, the largest fine given by the ICO was £500,000 to Facebook for 'serious breaches of data protection law'. The full details are here: https://ico.org.uk/action-weve-taken/enforcement/facebook-ireland-ltd/
Myth #5 - Biometric Data Comes Under 'Sensitive Data' - TRUE
Biometric data such as fingerprints, retinal scans and even ID images are all classed as 'sensitive data' under GDPR. However, not all biometric data falls under this category. Biometric data that cannot be used for identification purposes is not classed as 'sensitive data'.
Biometric data that is considered 'Sensitive Information' includes:
- Retinal Scans
- Images Used For Identification
- Facial Recognition Data
- Written Signatures
- Voice Recognition Data
Myth #6 - You Can Only Collect Data If Consent is Given - FALSE
Even though GDPR has brought stricter rules regarding data collection and consent, in some cases, you will not need consent to collect or process personal data.
There are six grounds on which you can collect personal data, some of which require consent and some of which do not. The six grounds for data collection are:
1. To protect the vital interest of the individual (in order to protect someone's life)
2. Public interest (necessary for the running of a public task, e.g. teaching)
3. Contractual necessity (required for contractual agreements)
4. Compliance with legal obligations (collecting or processing is required for compliance with UK or EU legislation)
5. Unambiguous consent (clear, easy to interpret consent from the individual)
6. Legitimate interest of the data controller (your own interest, whether commercial or individual, which must be balanced against the data subject's interests)
Please Note: Although we have a lot of experience with GDPR and are a GDPR compliant company, the information contained within this article should not be taken as legal advice. We have made every effort to ensure that the information in the article is accurate; however, always do your own research and verification before making any changes concerning GDPR compliance.
Since our last article on GDPR in March, all of the new regulations have been put in place and are now in full effect as of May. Despite this, some businesses have not taken the time to look into these new regulations and as a result are facing heavy fines reaching into the hundreds of thousands of pounds or even up to twenty million euros.
What Is GDPR?
The General Data Protection Regulation was put into effect on 25th May 2018 and was made as an extension of the updated 2018 Data Protection Act. It also replaces the 1995 Data Protection Directive. The GDPR has introduced a range of new regulations which have changed the ways in which a business can carry out marketing campaigns and how they can collect user data. These new regulations include:
What Actions Can Warrant Fines & How Much Can They Be?
Over the past few months, many companies have become subject to penalties under the GDPR. The maximum penalty for infractions against the GDPR can reach up to €20,000,000 or 4% of the business' annual turnover, whichever is greater. Although the maximum fine has not been given yet, many companies large and small have been receiving penalties.
Some of the fines that have been given are:
How Can You Protect Yourself?
It is highly advisable that you familiarise yourself and others in your business or organisation, with the new laws and legislations that are part of the GDPR and other data protection laws. By doing this you can begin to understand what you should avoid doing in order to keep your business operating within the lines of the law. You can also start to put in place measures that will prevent any breaches of data protection laws from happening inside your firm.
You may need to dedicate a member of staff, or hire additional staff, who can focus their efforts on ensuring that your business is compliant with the new data protection laws. Their responsibilities could include maintaining security, both physical and digital, to prevent any unauthorised or unlawful access to user data. They could also keep user contact preferences up to date: whether a user allows only certain means of contact or none at all, this must be recorded on file so that their privacy is respected. Another responsibility could be holding meetings that inform all staff of the GDPR regulations and the severity of the penalties that can be given if breaches are made.
We are assisting companies to help them ensure that their data is accurate, up to date and opted in, in accordance with the new data legislation. If you hold a database of customers, it will need to be brought into line with this new legislation. If you would like to speak to us about the work we are currently doing with other businesses, then do get in touch with us.
The General Data Protection Regulation is set to build on what is already in place in terms of the Data Protection Directive.
1. An increase in fines of up to £20,000,000.
2. Breaches must be reported within 72 hours
3. No charge for subject access requests, and the response time has been reduced to 28 days
4. Robust documentation will be needed within companies to explain how they process their data. Process mapping: what, where, who.
5. Where companies process a large amount of data, a data protection officer will be required.
What is a Breach?
A breach is described as an accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, data.
Examples of Breaches:
1. Unauthorised access by a third party
2. Deliberate action/inaction by controller
3. Sending data to an incorrect recipient
4. Computing devices lost or stolen
5. Alteration of data
6. Data availability (archive)
For more information on the Information Commissioner's Office (ICO) data security breach trends:
All breaches need to be reported to the ICO within 72 hours, or, for larger companies, to your data protection officer in the first instance. Having a data protection officer in place does not extend the 72 hour window, so time must be allowed for this individual to process the information and send it to the ICO within the 72 hour time frame. You must report ALL data protection breaches.
Reduce the Risk
Reception areas: What is on display?
Visitors to your offices:
· Challenge the purpose of the visit and ensure their access to company data is restricted to the purpose for which they are there.
· Ask all visitors to sign into the office and ask for professional identification.
· All team members should be empowered to challenge visitors.
· What is on display?
· Are confidential files, such as personnel files, kept in a locked cabinet?
· Operate a 'clear desk policy'.
· Are offices locked when unattended?
Computer screens: Ensure your staff know the importance of locking computer screens when they leave their desks unattended.
· Ensure security and monitoring systems prevent information being sent to home email addresses.
· Implement a secure central access point or hyperlink that will reduce the need to duplicate documentation as attachments.
· Password protect documents to ensure their security if they are sent to the wrong recipient.
· Remove any personally identifiable data that is not required.
Mobile technology devices:
· Ensure these are password protected and report any loss immediately.
· Ensure regular password changes, at least every 6 weeks.
· Save confidential information in a secure shared location, not on the device itself.
· Owners of mobile technology must ensure that, when the devices are not on their person, they are locked away.
Electronic storage: Paper information poses the biggest risk in terms of data protection breaches. Cleanse your paper data and look at secure digital storage solutions.
· Is data available?
· Is there an adequate tracking system?
· Observe retention periods and securely destroy anything older.
Confidential waste: Are adequate shredding facilities available, or is confidential waste outsourced to a reputable external provider?
· Check that all equipment is access locked.
· Ensure there are no fax machines, or photocopiers with fax facility in public access areas.
· Reduce the data: if it cannot be accessed, it is better to destroy it. Large amounts of stored paper form data that cannot be accessed will be considered a breach.
Training: Ensure key staff have access to Information Governance training.
Verbal transfer of data: Ensure there is a system or process in place to document conversations in which data is shared, including those conducted by telephone or on conference facilities.
On this page you will find all of our informative mini-articles written by our expert telemarketers and other members of our team.