Alice O’Donovan is a lawyer with the international law firm McGuireWoods. Alice delves into the nitty-gritty of GDPR, highlights the common misconceptions associated with it, and explains the truth of the matter to put these fallacies to rest.
The General Data Protection Regulation (“GDPR”) came into force across the EU on 25 May 2018. It is a complex piece of legislation with broad applicability and significant potential sanctions for non-compliance. Myths and misconceptions have arisen about it as a result. Below are the five most common misconceptions we encounter when advising on GDPR compliance.
- “We don’t use personal data.”
Businesses frequently think GDPR does not apply to them because they “don’t use personal data” in their business operations. The question isn’t whether you “use” it in your business operations, it’s whether you process it at all – and “processing” personal data means virtually any operation that can be carried out on personal data, from transmission to storage.
Does your business have customers? Employees? Suppliers? If so, your business processes personal data. Virtually every business with an establishment in the EU is within the scope of GDPR – even if that’s just by virtue of having employees.
- “We’re sub-contracting with the data controller, so we’re a data processor.”
People often assume “data processor” means “vendor” or “sub-contractor.”
This isn’t correct. Whether an entity is a controller or a processor is a question of fact in each case, and it’s common for a sub-contractor to be a data controller in its own right.
For example, professional service providers, such as law firms, accountancy firms, management consultants and recruitment agencies will generally be data controllers, because they normally have a significant degree of discretion over what personal data they receive and how they use it to produce their work product.
Common examples of data processors are mail fulfilment companies and cloud service providers. This is because they process personal data purely on behalf of the data controller and have no say in the purpose for which the data is processed.
- “You need the data subject’s consent to everything.”
The GDPR does not mean you always need consent to process personal data. Consent is only one of six alternative bases for processing personal data under the GDPR. There are five other possible bases for processing, including where it is necessary for the controller’s legitimate interests, and where the processing is necessary to perform a contract with the data subject. Consent is one of the most nuanced bases to rely on, because if you are going to rely on it, it has to be freely given, specific, informed and unambiguous.
Businesses must be particularly careful not to present consent to processing personal data as a pre-condition of receiving goods or services if the processing is not genuinely necessary for the transaction – for example, leading the data subject to believe they need to consent to receiving marketing in order to purchase goods or services is not acceptable and is in breach of the GDPR.
Organisations should not rely on consent where it is inappropriate to do so, because if you don’t have GDPR-standard consent, it is not valid.
- “I don’t do business in the EU, but I have some EU citizens’ data – I’m caught by the GDPR.”
The extra-territoriality provisions of the GDPR have, understandably, caused many non-EU businesses to panic. But non-EU businesses are only caught by the GDPR if they:
- offer goods or services to data subjects in the EU; or
- monitor the behaviour of data subjects in the EU.
To date, we have very little guidance on how these tests will be applied in practice, but it is clear that for an organisation to be “offering goods or services” to EU data subjects, there must be evidence that it intends to do so – not just that EU citizens purchase its goods or use its services.
An Argentinian hotel will not be caught simply because an EU citizen checks in for the night. It will, however, be caught if it advertises in the EU and actively seeks EU bookings.
- “You just need to get a privacy notice and a few policies in place, then you can forget about GDPR.”
There are two separate misconceptions here: one, you can comply with GDPR by completing a few standard documents, and two, you can forget about GDPR once you have completed a few standard documents.
First, there is more to GDPR compliance than putting a privacy notice on your website. Your notices and policies must accurately reflect your processing activities – they are worthless if they are not accurate. You should therefore first conduct a data audit to determine what your processing activities are before you consider notices and policies. As part of your data audit, you should consider:
- What personal data do you hold?
- Where do you receive it from?
- What do you do with it and why?
Any regulator will expect to see that you have given proper consideration to these questions.
Second, GDPR compliance is a continuing duty. You need to maintain accurate registers of all your business’ processing activities. You also need to foster an ongoing culture of accountability towards personal data throughout your entire organisation via training, management, and regular reviews.