5 Common GDPR Myths Debunked

There are fewer than 6 months remaining until the EU's new data regulations come into effect. Organisations around the country are scrambling to find accurate sources of guidance on this issue to help them assess their own data management procedures and make sure they are fully compliant.

Unfortunately, the internet remains awash with myths and untruths, many of which originate from so-called 'GDPR experts'.

Robert Streeter, News UK’s data protection and privacy officer, emphasised the importance of separating fact from fiction regarding the regulations at Rubicon Project’s Automation event in London on Sept. 6. “When you read about ‘expert’ comment on GDPR, I’d advise taking that with caution and examining your own approach to it,” he said. “There’s a lot of misinformation circulating.”

This blog will debunk five of the most high-profile myths that you may encounter:

Myth 1

"I am considered to be a small to medium enterprise (SME) so the GDPR doesn’t apply to me."

This is incorrect. Whilst there are some concessions to micro and small businesses, particularly in relation to record keeping, the GDPR applies to all organisations 'engaged in economic activities' involving the processing of personal data. The applicability of GDPR depends upon the nature of the processing being performed, not the quantity of records or size of the organisation. You will also need to recognise that your customers may be dealing with significant levels of personal data and you may need to prepare for the obligations placed on data processors.

Myth 2

"Individuals have an absolute right to be forgotten."

The GDPR refers to the ‘right to be forgotten’ as the ‘right of erasure’ (Art. 17). However, unlike the right to opt out of direct marketing, it is not an absolute right. Organisations may continue to process data if the data remains necessary for the purposes for which it was originally collected and the organisation still has a legal ground for processing the data under Art. 6 (and, if sensitive data is concerned, Art. 9 too).

Myth 3

"I'm only acting as a data processor so I don’t have to worry about the GDPR – my customers are the data controllers and so they manage the responsibility."

Unfortunately not: data processors will have direct legal obligations and responsibilities, which means that processors can be held liable for data breaches. Equally, data controllers will need to review all of their supplier (controller to processor) contracts over the next two years to ensure that their suppliers are compliant with the new Regulation. If you are a data processor, you will for the first time have direct responsibilities under the GDPR. One of these is a requirement that the data processor (or their representatives) must maintain a record of processing activities that includes:
  • The name and contact details of the controller, or where applicable, the controller or processor’s representative
  • The name and contact details of each controller (or the representative) the processor is acting for and their DPO
  • The categories of processing carried out on behalf of each controller
  • Transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of appropriate safeguards. For example, the contractual clauses within inter-company data transfer and sharing agreements based on risk assessments, etc.

Myth 4

"Parental consent is always required when collecting personal data from children."

Parental consent is required only if the processing itself is legitimised on the basis of consent. If the processing is based on another lawful processing ground (for example, compliance with a legal obligation, vital interests, or possibly even legitimate interests), then parental consent is not required. See Art. 8(1) for more information on this subject.

Myth 5

"I have to appoint a qualified, independent data protection officer."

This is not the case. Early draft versions of the Regulation did stipulate that all organisations with over 250 employees or processing more than 5,000 personal data records would need to formally appoint a DPO. This requirement, however, has been diluted as the GDPR has gone through its various amendments and iterations, although the appointment of a DPO is mandatory for certain organisations. Currently, Section 4 of the GDPR states that DPOs are to be appointed if:
  • You are a public body
  • You are a private sector controller whose core activities consist of processing operations that require "regular and systematic monitoring of data subjects on a large scale".
  • You are a private sector controller whose core activities consist of processing special categories of personal data, e.g. previously sensitive personal data categories under the UK DPA with the addition of genetic and biometric data.

Hopefully this blog has dispelled some of the myths surrounding the GDPR and given you a clearer idea of your responsibilities as a data processor. Keep an eye on our social media channels and our blog as we will be producing further updates in the countdown to the 25th May deadline.