Mere weeks away from the implementation of the General Data Protection Regulation (GDPR), and there are still many misconceptions about what it entails and what you, as a business, must do.
In this article, we look at five of common misconceptions but many more circulate;
1 It specifies how a company should be GDPR compliant
The true message of GDPR has been lost, to a certain extent, in the hype and horror stories, especially those around the whopping fines for not towing the GDPR line.
The confusion probably arises from the over-egging of the word ‘compliance’. To be compliant is to obey a certain rule or set of rules, e.g. the speed limit through a town is 30 miles per hour, therefore, you slow your car down by applying the brake.
With GDPR, the message is that as a business, you need to make sure you do everything possible to keep customers personal data safe from hackers and thieves, and that you don’t misuse it. How to reach these issues is NOT specified but in the majority of cases, to come up to standard, you need new policies, processes and software – or a combination thereof.
In other words, being GDPR compliant is an individual process and activity.
2 You’re covered if you have ISO 27001
No, you are not GDPR compliant with this security standard alone because it does not address the issue of individual data rights. However, if you have this certification under your belt, then you have already taken a big step in showing GDPR compliance.
3 You are compliant with Privacy Shield
The EU-US Privacy Shield Framework governs the transferring of data between the EU and US. It is, like ISO 27001, a step in the right direction but no, on its own, this is not enough to become GDPR compliant. Again, it is the addressing of individual data that is missing.
4 You must employ a Data Protection Officer
There was some confusion about whether a company needed to employ a Data Protection Officer (DPO) or not. With the small print open to different interpretations, it seems that finally, the basis for employing a DPO is whether you are;
- A public body such as a government department, local authority etc.
- Handling sensitive information, such as personal medical information
- Employing 250 employees or more
- Involved in large-scale monitoring of the activities of people, such as a provider of CCTV
5 ‘Prior relationship’ means you can avoid consent
In the rulebook, ‘prior relationship’ is seen as one kind of ‘legitimate interest’. In other words, you and your customer are aware what data you hold, they are happy for you to do so and so on.
But, says the GDPR, this does not mean you can automatically circumnavigate gaining consent for using their data, or for continuing to do so.
Many companies have a prior relationship with customers. For example, you return to buy a product from the same company and because you have bought from them previously, they ship to the address they hold on file. It cuts down paperwork and streamlines the purchase system.
This is acceptable but, says GDPR, if you want to use this address for another purpose – send out information on a new product for example – then you need the consent of the customer to do this.
‘Legitimate interest’ refers to data retention, not data collection and that means only using the data for the purpose that it was collected.
How can we help you?
If you’re in need of assistance with any aspect of ISO or GDPR compliance, here at Synergos we’d be delighted to help. Whether you have questions about the path to compliance or are looking for advice and support to maintain compliance, call 01484 817 444 or Email firstname.lastname@example.org and we’ll be happy to talk it over with you.