Having helped thousands of businesses and hosted multiple events, we put the question to our team … what are some typical assumptions being made about GDPR compliance? As we’re 9 days away from D-Day, we’ve selected 9 common mistakes made about GDPR compliance.
- Non-EU Companies Assume GDPR Compliance Is Not Relevant To Them
This legislation is about the handling of EU citizens’ data, so even if you’re based outside the EU, if you’re handling data from EU citizens then you could be subject to GDPR. Article 3 of the GDPR says that “if you collect personal data or behavioural information from someone in an EU country, your company is subject to the requirements of the GDPR”. Some further clarification …
- The law only applies if the data subjects are in the EU when the data is collected
- For EU citizens outside the EU when the data is collected, the GDPR would not apply.
- Allocating GDPR Compliance to An Individual or Department
This should not be a task that is farmed out to an individual and viewed as nothing more than a nuisance. GDPR will affect most aspects of your business and requires a co-ordinated audit across every department and within every team.
It’s a brilliant opportunity to re-train everyone on data management processes, adopt a new approach to how data should be handled, and show the value these changes can bring. Most people, and certainly all departments in your company, should be hands on in understanding what is happening, why it’s happening and how it can bring improvements.
- Assuming Past Data Management Processes Remain Valid
Some companies have approached us to say they’ve managed their data sensitively to date and don’t require major improvements. GDPR is the biggest legislative change in data management for a generation.
New elements like the “right to be forgotten” and the “right to know when my data is hacked” will transform the traditional culture of data management, and a new norm will soon emerge whereby the citizen starts to regain some control.
- Misunderstanding Which Data GDPR Applies To
The range of data that falls within the GDPR remit is significant and includes everything from social media posts to profiles to metadata to geographic location. Historic data records, collected during another era and probably lying low in some dusty corner, are also included within the protection and management of GDPR.
- Not Adequately Recording Processing Activities
GDPR compliance is not just about meeting the 25th May 2018 deadline, it’s about ongoing data management and monitoring. It’s about putting in place appropriate controls for recording all future processing activities.
- Not Covering Every Area of Data Collection
Make sure you assess and cover every data touchpoint within your company.
Chris Olson, CEO of The Media Trust, is quoted as saying “This is a critical oversight since there are anywhere between tens to hundreds of unknown vendors not only executing code but also collecting personally identifiable information on website visitors. In fact, enterprises tend to find two to three times more vendor-contributed code on their websites than expected.”
- Does My IT Provider Being Compliant Save Me the Trouble?
There have been some misunderstandings from business owners about who is ultimately responsible for compliance, and in particular, if their IT provider is compliant, does the business also have to be? All areas of your business need to ensure they have standalone compliance. Internal data audits that you and/or your advisors conduct must cover all parts of the business and not just IT.
You will need to keep records of all future processing activities and be able to maintain control over the flow of information throughout your business.
- Anti-Virus Software Is All I Need
This has been another regular misconception when it comes to data security. Antivirus software tends to rely on known viruses and is also very reactive; some of the major data breaches in recent times (think Yahoo for one) have emerged many weeks and months after the breach.
You will need to up your game on data breaches, and part of this process will be more emphasis on training staff to better spot and react to data breaches, so they can nip problems in the bud before they become significant.
- Every Company Has To Appoint a Data Protection Officer (“DPO”)
Designation of a DPO is mandatory only in these specific cases:
- if the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- if the primary activities consist of processing operations that require regular and systematic large-scale monitoring of data subjects, e.g., businesses that engage in profiling or tracking of online behaviour; and
- if core activities consist of large-scale processing of “sensitive” categories of personal data, such as health data, biometric data, data revealing ethnic origin or religious beliefs, and information relating to criminal convictions.