It’s our favorite spooky time of the year and you know what that means! It’s time to bust some GDPR myths!
You can also follow the series on our Instagram
Myth #1 We’ve never been hacked so data breaches don’t worry us
With the heightened awareness of cyber-crime, the most obvious type of data breach is an external hack. But that is only one extreme example. According to the ICO, a personal data breach covers all ‘unauthorised or unlawful processing…accidental loss, destruction or damage.’ A laptop left on a train, an email sent to the wrong recipient, a backup tape that cannot be found or a ransomware infection that makes records unavailable are all breaches, even though no attacker ever stole anything.
So, just because you have never been hacked does not mean you are not at risk of data breaches. Many breaches occur because proper processes were never put in place, or were not followed, by the business. In keeping with the increased protections for individuals, breach handling forms a core part of the GDPR. So, if you suffer a breach, you will need to take swift action.
- Report it to the relevant supervisory authority (in the UK, that is the Information Commissioner’s Office) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If you cannot give all the details within 72 hours, you can provide them in phases, but the clock does not stop.
- Record every breach internally, including the facts, its effects and the remedial action taken, whether or not it was reportable. The ICO can ask to see these records to check your compliance.
- Where the breach is likely to result in a high risk to the individuals affected – for instance, if it could lead to identity theft or fraud – you will also have to tell the individuals themselves without undue delay.
Myth #2 Anyone can make you delete all their data
The right to be forgotten (the right to erasure) is not absolute. You may be able to retain the data where, for example, it is still necessary for the purpose it was collected for, you are legally obliged to keep it (tax and employment records are common cases), or, in some circumstances, you have an overriding legitimate interest in keeping it. Where data is processed on the basis of consent, the consent is only valid if it can be withdrawn without detriment to the individual, so once consent is withdrawn you will usually have to erase that data unless another lawful basis applies. You need to do the legwork: work out what data you hold that could be subject to an erasure request, and have a retention schedule and policy that says what you keep, why, and for how long, so that you can answer a request within the one-month deadline rather than scrambling when it arrives.
Myth #3 GDPR does not apply if data has been encrypted
Encryption is mentioned in the GDPR as one of the tools organisations can use to help protect personal data, and it may reduce the risks to individuals if there is a data breach. However, encrypted personal data is still personal data, and the processing of that data is still subject to the GDPR. Pseudonymised data (for example, hashed or tokenised identifiers that you can still link back to a person) is treated the same way. Where encryption does help is after a breach: if the lost data was encrypted and the key was not compromised, you may not have to notify the individuals affected, because the data has been rendered unintelligible to whoever obtained it. That only holds if the keys are genuinely out of reach, so key management matters as much as the encryption itself, and you still have to record the breach and assess whether to report it to the ICO.
Myth #4 “If I use the cloud then compliance is my service provider’s problem”
One of the changes under the GDPR is that data processors, such as cloud service providers, acquire direct obligations under data protection law. Those obligations include information security, record keeping and notifying data controllers of personal data breaches without undue delay. However, the organisation using a cloud service remains the data controller: it retains overall responsibility for the decision to use that provider and for ensuring that the processing complies with the GDPR, and it is the controller that answers to the ICO and to the individuals concerned.
That means organisations still need to carry out appropriate due diligence on the cloud service provider – including understanding how the provider keeps the data secure, where it is hosted, and which sub-processors are used. The organisation should also ensure that a written contract is in place that contains the mandatory processor clauses required by Article 28 of the GDPR, such as the processor acting only on the controller’s documented instructions, assisting with breach notification and data subject requests, and deleting or returning the data at the end of the service. There is no grandfathering provision for existing contracts, so older agreements have to be updated too.
Myth #5 No one will get fined
Some think the risk of heavy fines is exaggerated. But targeted enforcement is likely, and authorities may go after high-profile companies or companies with particularly egregious data processing faults. Fines are not the only cost either: the ICO can also order you to stop processing, and individuals can claim compensation. Assuming no one will get fined is a high-impact bet to make with your business.