EU GDPR privacy legislation UK

Mythbusting the GDPR

The GDPR comes into effect on May 25th 2018. Despite the reasonable notice period and efforts to advise and inform, there’s still a lot of misunderstanding about requirements.

UK managed hosting and co-location provider UKFast has put together a guide to the Regulation, what it means and how companies can prepare – including some handy ‘mythbuster’ tips to workaround the more common misunderstandings. Here are our Top 6 followed by UKFast’s tips for compliance.

Myth #1: “After Brexit, this won’t affect our UK business.”

Fact: Businesses trading in the EU or using EU citizen data will still need to demonstrate compliance with GDPR when handling personal data.

Myth # 2: “Controllers don’t need data processing agreements with processors because the GDPR imposes direct obligations on processors.”

Fact: Data processing agreements are vital to the controller and processor relationship as it binds both parties to specific terms. (Article 28)

Myth #3: “When relying on consent to process personal data, consent must be explicit.”

Fact: Consent must be ‘unambiguous’ rather than explicit, except when processing sensitive personal data, when ‘opt-in’ is mandatory.’ (Articles 4(11) and 9 (2))

Myth #4: “Everyone needs a data protection officer.”

Fact: Data protection officers are only essential for:
-Organisations with 250+ employees
-Public authorities
-Organisations that engage in large scale processing of sensitive personal data. (Article 37)

Myth #5: “Controllers and processors will only have to answer to a single data protection authority.”

Fact: Organisations will report to a ‘lead’ supervisory authority, but be subject to the intervention of others. I.e. if a data subject from another member state to the controller’s own is affected by a data breach, the relevant supervisory authority can step in. (Article 56)

Myth #6: “Profiling activities always require consent.”
Fact: Consent is only required in the profiling activities produce ‘legal effects’ or ‘significantly affects’ the data subject. Therefore in most instances, targeted advertising can continue regardless of the GDPR as the processing of data for this purpose is unlikely to do so.

Got it. Now what?

When it comes to the preparation side of compliance, UKFast suggests a clear 5 Step plan:

1. Keep a record of data operations and activities – make sure you know the type of data your business processes, how it’s used and where.
2. Carry out a data Privacy Impact Assessment (PIA) for high-risk projects – a PIA is carried out by the controller to identify non-compliance risks and improve protective measures as needed.
3. Designate a data protection officer – this is obligatory if your company has more than 250 employees, is a public authority, regularly monitors data subjects or processes sensitive data or criminal records or is required to have a DPO by their local authorities.
4. Notify the supervisory authority of a data breach – data breaches increase the threat of identity theft, fraud, financial loss, reputational damage and loss of confidentiality. To reduce the risk, data controllers must notify the supervisory authority within 72 hours of becoming aware of the breach or face a hefty fine.
5. Implement ‘privacy by design’ and ‘privacy by default’ – ‘Privacy by design means taking privacy risk into account when designing a new product or service, rather than treating it as an afterthought. ‘Privacy be default’ ensures that only as much personal data is collected, used and kept for each task as needed.

To access UKFast’s full GDPR Explained: An Essential Overview of the Facts and Myths report visit here.