Even two years after the GDPR became enforceable, a lot of misconception and speculation still surrounds the EU privacy regulation. While most of us know one thing or another about the GDPR, only a few have extensive knowledge of it and of what it means in practice. In this blog post, we take a look at five common myths about the GDPR and set the record straight.
Myth 1: The GDPR is an extra burden for organisations
The GDPR is often viewed by organisations as an extra burden, a set of obstacles that would eventually put an end to various practices of data-driven organisations. By now, however, it has become clear how many opportunities the regulation holds for organisations. For instance, 92% of GDPR-ready companies reported a substantial rise in consumer interaction and trust, while 97% of organisations that took on GDPR compliance initiatives reported a competitive advantage, greater attractiveness to investors, and a significant increase in operational efficiency.
To add to that, the data management processes of GDPR-compliant companies have become more efficient, as identifying and deleting redundant data is part of the compliance process as well. Thanks to the GDPR's consent and opt-in requirements, marketing databases now contain the email addresses of only those individuals with a genuine interest. In fact, studies have shown that compliant email marketing practices have become more effective overall: by enabling more appropriate targeting, the GDPR has increased the open and click-through rates of marketing emails.
Myth 2: Every organisation should have an appointed DPO
According to the GDPR, organisations are encouraged to have a DPO to oversee and guide the company's GDPR compliance efforts, but a DPO is only mandatory in specific cases.
As per Article 37 of the GDPR, the appointment of a DPO is mandatory for public authorities and public bodies, for organisations whose core activities require regular and systematic monitoring of individuals on a large scale, and for organisations whose core activities consist of processing special categories of personal data (or data relating to criminal convictions and offences) on a large scale. If your organisation doesn't meet the listed criteria, you are still encouraged to appoint a DPO voluntarily to help demonstrate compliance with the accountability principle. Contrary to common misconception, this isn't only relevant for larger organisations: smaller businesses and SMEs that process personal data may also appoint a DPO to further ensure their compliance with the GDPR.
As DPOs hold a decisive role in an organisation's GDPR compliance efforts, it's important that organisations find the right DPO, and that the DPO is given the independence, resources and access to senior management that Article 38 requires.
Myth 3: Personal Data breaches only happen to big organisations
Another common misconception is that the GDPR primarily applies only to larger multinational corporations, or to those with over 250 employees. The 250-employee figure actually comes from Article 30, which exempts smaller organisations from keeping full records of processing activities in certain cases; it does not limit who the GDPR applies to. This myth also feeds the idea that personal data breaches only happen to big organisations.
However, since the GDPR became enforceable, over 160,000 personal data breaches have been reported to supervisory authorities across the EU and EEA, and a large share of those were security incidents reported by smaller enterprises.
In 2019, for example, a housing agent in the Netherlands suffered a data leak in which the records of more than 49,000 customers were exposed through an insecure website. Personal information such as names, addresses, email addresses and phone numbers was among the data leaked. Also in 2019, it was confirmed that an eCommerce website had suffered a data breach when an email sent to the wrong recipient left the details of 21,000 customers in the hands of an unauthorised third party.
Myth 4: GDPR is all about data subject consent
Consent is the most well-known legal ground for processing personal data, but the GDPR is about much more. The regulation aims to protect the rights of individuals, and one way it achieves that is by giving them a level of control over their personal data.
When it comes to processing personal data, Article 6 provides six lawful bases, of which consent is only one: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest or in the exercise of official authority, and legitimate interests. No single lawful basis is inherently better or worse than another.
The lawful basis an organisation chooses should be based on how appropriate it is to the organisation's purpose and its relationship with the data subject(s). Where consent is relied upon, Article 4(11) defines it as a freely given, specific, informed and unambiguous indication of the data subject's wishes, given by a statement or by a clear affirmative action. Silence, pre-ticked boxes or inactivity therefore do not amount to consent (Recital 32), and under Article 7 the organisation must be able to demonstrate that consent was given, which in practice means recording it clearly.
Myth 5: GDPR only concerns the data protection officer and infosecurity professionals
While it may seem that only the DPO and CISO are responsible for an organisation's compliance and data privacy, that's a misconception. The DPO and CISO are on the front line of data protection, but compliance is a company-wide team effort.
This means not only that everyone within the organisation should practise good data protection habits, but also that everyone should understand their own responsibilities with regard to data protection, and why each of them has an important role to play in protecting client, customer and employee data.
The GDPR is complex
As guidance, case law and enforcement practice around the GDPR continue to evolve, setting things straight and being aware of the basic concepts of compliance is key for organisations to succeed in the long run. Keeping track of your company's efforts and making sure that they are aligned with the GDPR is not a one-time task, nor is it a task for the DPO alone. Investing in compliance solutions can therefore have a significant impact on making your processes quicker and more efficient, and on making sure that data protection remains a company-wide, collaborative effort.