Eight common misconceptions concerning the GDPR

By Edwin Jacobs (Time.lex)

With the General Data Protection Regulation (GDPR) applying from May 2018 onwards, many undertakings have come to realize that they must start their own readiness assessment and compliance exercise. Indeed, for undertakings doing business in Europe, it is crucial to align business operations with the GPDR. Despite widespread and continously growing awareness of the GDPR, some stubborn misconceptions persist. In what follows we adress eight of the most important ones.


Misconception 1: The GDPR does not apply to small companies


Although the GDPR admittedly makes some concessions for small entrepreneurs and SMEs, this does not alter its field of applicaiton. The GDPR applies to all organisations processing personal data, indiscriminate of the size of organization concerned. The impact of the GDPR on your company and the impact of the changes that will be necessary therefore depends on the manner in which data is currently processed, and not on the number of data records or the size of the organisation.


Misconception 2: every company must appoint a Data Protection Officer (DPO) 


Many companies tend to equate the GDPR’s application to them with the need to appoint a DPO. However, under article 37 of the GDPR, only certain companies must appoint a Data Protection Officer (DPO). This is true for public institutions that process data, companies that systematically process personal data on a large scale and organisations that process data relating to specific data categories (such as health data).


Nontheless, even if your business does not fall in any of these categories, it could still be wise to appoint a DPO. This provides additional supervision and more certainty in case of disputes. Moreover, the appointment of a DPO can have reputational value and highlight your company’s engagement regarding data protection compliance. Note however, that the obligation to be GDPR compliant always remains with the company itself and can never be transfered to the person of the DPO.


Misconception 3: appointing a DPO is just a formality


The GDPR requires a Data Protection Officer to have demonstrable expert knowledge of privacy and data security. Simply appointing one of your current employees as a DPO without extensive additional training will not be enough. In addition, the appointed DPO must be adequately informed of the company-specific data processes and must be given adequate means (financial, organizational,…) to perform its rather comprehensive tasks under the GDPR. The appointment of an appropriate DPO should therefore be well thought-through. 
Misconception 4: if we encrypt our data we are GDPR compliant


It is a common misconception that by merely encrypting personal data, the GDPR requirements are met. Data encryption should rather be interpreted as the minimum standard, and as just one of many measures used to adress data protection risks. To ensure full compliance undertakings will have to take additional measures to protect personal data, such as using a two-step verification procedure and permanently deleting data that is no longer used. The GDPR’s requirements truely ask for an operational and organizational change from all undertakings processing personal data. 


Misconception 5: our data sets are stored in the cloud, so therefore the responsibility for the security of that data lies with the cloud provider and/or security provider


The GDPR has a broad field of application and does not only apply to companies that store data, but also to companies that process the data. This means that the GDPR also applies if a company uses third party providers for data storage in the processing of data. In more legal-technical terms, the GDPR applies to any kind of processing of personal data, which is a very broad concept, encompassing even mere display and consulation of data. Depending on your function in the data chain you will be either a processory or a controller, each with distinct obligations. Just as appointing a DPO does not transfer a company’s obligations under the GDPR, neither can any contract with a third party do so. Such contracts could (and should) however address the manner in which the respective obligations of the contracting parties under the GDPR will be fulfilled.


Misconception 6: my company is compliant under the national Privacy Act, so therefore we will be compliant with the GDPR as well


The GDPR replaces the Data Protection Directive, which was transposed into national legislation by all member states of the European Union. The GDPR and the Data Protection Directive are different in many ways and therfore, necessarily, so is the current national privacy legislation. There are, for example, important differences between the current system and the GDPR when looking at the manner in which a data subject can grant permission (consent) for the processing of his or her data, or when looking at the manner in which the user needs to be informed in the event of data leaks.


It is true, however, that full compliance with applicable national privacy law will allow for an easier transition to fulfil the GDPR requirements.


Misconception 7: my company is compliant with the Privacy Shield, therefore we comply with the GDPR


Although there are many similarities between the rules of the Privacy Shield and the GDPR, it is not true that these systems are the same. The Privacy Shield relates only to one specific GDPR topic, namely the international transfer of personal data. The Privacy Shield does not mention user permissions, data protection officers, etc. Therefore, being compliant with the Privacy Shield does not equate compliance with the GDPR. Moreover, subscribing to the Privacy Shield regime is only one of several ways to ensure the legality of international data transfers.


Misconception 8: The GDPR is an all-in-one solution that regulates all possible issues relating to the processing of personal data within the EU


It is largely true that the GDPR aims to be an universal regulation that simplifies and unifies legislation in Europe. In practice, however, this will not always be the case. First of all, the GDPR itself leaves certain issues up to national legislation by the Member States. National privacy/data protection law within the EU will therefore continue to differ. Secondly, issues that are not addressed specifically by the GDPR will also be treated in different manners within the EU.


Because national rules on the protection of personal data and the interpretations thereof within the EU will continue to be different under the GDPR, complications might arise when the GDPR appears to be inconsistent with such national or industry-specific guidelines. Therefore, for many multinationals, the GDPR will just be one more regulation, adding to a number of existing rules and not the all-encompassing instrument that supersedes all other regulation on the topic within the EU.

-------------------------------------

We  would like to announce that Time.Lex will be present at our B-Hive HUB on the 18th of April, from 16:00 until 18:00, to give you legal advice about GDPR, big data in finance and software agents and automated decision-making. Check our here for more information. 

About the author

Edwin Jacobs is a member of the Brussels bar and partner at time.lex, former affiliated researcher at the Interdisciplinary Centre for Law and ICT (now Centre for IT & IP law, CITIP) at the University of Leuven, and lecturer of a practical course in negotiation and mediation at the University of Antwerp. Time.lex is a law firm specialized in technology, intellectual property, media and e-business