GDPR - Mythbusters
With the EU’s General Data Protection Regulation (GDPR) set to come into force in May 25, 2018, there have notably been widespread misconceptions about what it will mean for businesses within the UK. We debunk some of the most popular GDPR myths making the rounds, and raise awareness about how the regulation is likely to impact employers in the UK.
1. Every company will need to appoint a Data Protection Officer
It’s true that early GDPR proposals specified that all organisations with 250 employees, or processing more than 5,000 personal data records, would need to formally appoint a DPO. However, these specifications have since been amended throughout the draft stages. Section 4 of GDPR states that DPOs must be appointed if your company is:
- A public body
- A private sector controller whose core activities consist of processing operations that require ‘regular and systematic monitoring of data subjects on a large scale’.
- A private sector controller whose core activities consist of processing special categories of personal data – i.e. sensitive personal data under the UK DPA.
The appointed DPO must act independently, and in performing the role, must have an independent reporting line. The DPO must also be empowered to report directly to the board without interference.
2. The law is not applicable to small to medium enterprises
Whilst there are some concessions to micro and small businesses, particularly in relation to record keeping, the GDPR applies to all organisations ‘engaged in economic activities’ involving the processing of personal data. It depends upon the nature of the processing you perform, not the quantity of records or size of the organisation. You will also need to recognise that your customers may be larger enterprises and you may need to prepare for the obligations placed on data processors.
3. Data Processors do not have to worry about GDPR
Data controllers will, over the next two years, need to review all their supplier (controller to processor) contracts to ensure they are compliant with the new regulations. However, data processors will also have direct responsibilities under GDPR, one of which is a requirement that they (or their representatives) must maintain a record of processing activities that includes:
- The name and contact details of the processor or processors, or where applicable, the processor’s representative
- The name and contact details of each controller (or the representative) the processor is acting for and their data protection officer
- The categories of processing carried out on behalf of each controller
- Transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of appropriate safeguards (e.g. contractual clauses within inter-company data transfer and sharing agreements based on risk assessments etc.)
- Where possible, a general description of the technical and organisational security measures the recipient of the transfer has implemented
- The records need to be in writing, including in electronic form and made available to a supervisory authority on request
4. Brexit means GDPRexit
There is a widespread misconception throughout the UK that GDPR will not be applicable once the country has left the EU. But according to Matt Hancock, the UK’s Digital Minister, it is likely that GDPR will be maintained. Although He mirrored the Prime Minister’s vagueness regarding the country’s negotiation position, he clearly stated that the government’s objective is to maintain an unhindered flow of data between the UK and the EU. “The approach that we’ve taken in order to maximise the ease with which we can negotiate an uninterrupted and unhindered flow of data is to put GDPR into UK law in full. So in a sense we are matching them rather than asking them to match anything new from the UK,” he continued.
So while there is no clear cut confirmation that the UK will uphold the regulation, it is likely that they will for the purpose of trade and maintaining a free flow of data to and from the EU.
5. Encryption means compliance
Some businesses have made the assumption that by simply encrypting data, it is therefore secure. However, the regulation is not just about data security, but also about explicit consent from the controller pertaining to the retention and distribution of data by the processor. For this reason, encryption alone may not be sufficient because it does not necessarily prevent accidental loss to data caused by human error or system failures.
Businesses need to consider the value of their data as a whole and determine how to treat that data to both enable their own profitability while ensuring its safety for their customers. Encryption should be regarded as one of many standards available with alternative mechanisms also being considered in securing minimising loss or misuse of data.
Are you an IT expert looking for your next role?
At Search IT Digital & Change we recruit for a wide range of jobs with something for everyone. To find out more about our cybersecurity opportunities on offer, contact Charlie Delaume on [email protected] Alternatively, you can find our comprehensive list of vacancies here!
You may also like: