Here are some more misconceptions about GDPR
There’s certainly no shortage of them for the upcoming General Data Protection Regulation.
There is one thing we know for certain that the upcoming General Data Protection Regulation (GDPR) is creating: misconceptions.
It’s hard to keep up with them. But, after noting nine common GDPR misconceptions a few weeks ago, we now offer a new batch gleaned from a chat with Clive Boonzaaier, director of governance, risk and compliance at security firm Cipher:
- Despite the word “compliance” in his title, and the widespread use of that term to describe companies that are abiding by GDPR’s requirements, Boonzaaier says too much emphasis on that term misses the appropriate way to view the new regulations. In his view, “compliance” is most properly used to describe obeying a clearly defined legal regulation, like a speed limit. But much of GDPR is left unspecified, allowing a wide range of approaches to implementation, as long as the end result is protecting the personal data of consumers. He told me that adherence to GDPR is like saying, “You should deploy security measures.” The aim is to keep hackers and other data thieves away, but many of the specific ways to accomplish that goal are left up to you and your company. It’s better to think of adherence to GDPR as “risk management 101,” he said, since your company is adopting new policies, software and attitudes to minimize the risk of leakage or misuse of personal data.
- An IT person might assure you they have GDPR covered because they adhere to an industry-standard set of practices for security, such as ISO27K certification. But that doesn’t cover what GDPR does, Boonzaaier noted, because it “doesn’t address the issue of individual [data] rights.”
- Similarly, some companies are wondering if they are GDPR-ready because they comply with Privacy Shield. Sorry, but nope. The EU-US Privacy Shield Framework governs security measures for transferring personal data between the EU and the US. It’s a good foundation for GDPR, but, again, it doesn’t specifically address the protection of individual rights.
- “If you need a Data Protection Impact Assessment (DPIA), you clearly need a DPO (Data Protection Officer).” Boonzaaier: Not always. He added that, under GDPR, you need a DPIA because you are developing or launching some new product or system that handles personal data, and you need to assess the impact of the new endeavor. You don’t always need to hire a DPO to do that, he noted, if you can handle it without one. But, if any of the following conditions are met, you do need a DPO, even if you’re not conducting a DPIA:
- If you’re a public authority, such as a governmental body.
- If you handle sensitive info, such as personal medical info.
- If you have more than 250 employees.
- If you monitor the activities of people on a large scale, such as a provider of closed-circuit TV.
- A number of companies are citing “a prior relationship” with a consumer to avoid getting consent. GDPR does specify prior relationships as one kind of “legitimate interest,” Boonzaaier pointed out, but not as a way to avoid consent. An existing relationship can be utilized if the consumer has an existing purchase record, and the company employs that purchase record to support further purchases, such as having your home address on file from previous purchases, for instance, so it can ship purchases in the future. But, he said, if the company wants to employ that purchase record for another purpose — such as email marketing or ads — a separate consent is needed. “Don’t confuse consent with data retention,” he told me. A company might keep its millions of existing customer purchase records because there is a court order to do so, or because of some local regulation (such as the requirement in the UK that financial records be kept for seven years), or because of a “legitimate interest” in having purchase records for future purchases. “But ‘legitimate interest’ refers to data retention, not data collection,” Boonzaaier said, and it does not include using the existing data for a different purpose from the one for which it was collected.