Eight misconceptions regarding the General Data Protection Regulation

In 2016, the General Data Protection Regulation (GDPR) was adopted. In May 2018, the regulation will become fully applicable. For companies doing business in Europe, it is crucial to align business operations with the new regulation. However, we regularly encounter misunderstandings about the GDPR. We have listed the eight most important ones below.

Misconception 1: The GDPR does not apply to small businesses

Although some concessions have been made towards small entrepreneurs and SMEs, the GDPR applies to all organisations processing personal data. The impact of the GDPR on your company depends on the manner in which data is processed, and not on the number of data records or the size of the organisation.

The regulation states the processing of data or monitoring of individuals must be part of the core business of the company as a condition. The term “core business”, however, is not specified. You must, therefore, assume that the regulation applies to any company that processes identifiable personal data with a commercial interest.

Misconception 2: any company to which the GDPR applies must appoint a Data Protection Officer (DPO) 

Whether or not the GDPR applies to a company, does not necessarily mean that the company must appoint a Data Protection Officer (DPO). This is only true for public institutions which process data, companies that systematically process personal data on a large scale and organisations that process data relating to specific data categories (such as health data).

Even if your company does not fall in any of these categories, it could still be wise to appoint a DPO. This provides additional supervision and more certainty in case of disputes.

Misconception 3: appointing a DPO is just a formality

The GDPR requires that a Data Protection Officer has demonstrable expert knowledge of privacy and data security. Simply appointing one of your current employees as a DPO is not enough. In addition, the appointed DPO must be adequately informed of the company-specific data processes.

Misconception 4: our company encrypts data so we are GDPR compliant

It is a misconception that by merely encrypting data, the GDPR requirements are met. Data encryption should rather be interpreted as the minimum standard, and so crucially requires additional measures. Companies must offer additional options to protect personal data, such as using two-step verification and permanently deleting data that is no longer used.

Misconception 5: data is stored in the cloud, so the responsibility for data security lies with the cloud provider and security provider

The GDPR does not only apply to companies that store data, but also to companies that process the data. That means the GDPR also applies if a company uses third party providers for data storage in the processing of data.

Misconception 6: my company is compliant with our national Privacy Act, hence we comply with GDPR

The GDPR replaces the Data Protection Directive, which was transposed into national legislation by all member states of the European Union. The GDPR and the current national privacy legislation are different in many ways. There are, for example, differences in the extent to which users have to grant permission for the processing of their data, and the way in which the user needs to be informed in the event of data leaks.

It is true, however, that compliance with your national privacy law allows an easier transition to fulfil the GDPR requirements.

Misconception 7: my company is compliant with the Privacy Shield, hence we comply with GDPR

Although there are many similarities between the regulations of the Privacy Shield and the regulations of the GDPR, it is not true that these two systems are the same. The Privacy Shield is only related to one of the many GDPR topics, namely international data transfers. The Privacy Shield does not mention user permissions, data protection officers, etc. for example.

Misconception 8: The GDPR is an all-in-one solution for data processing in Europe

The GDPR was released as a universal regulation that simplifies and unifies legislation in Europe. In practice, however, this is not the case. For multinationals, the GDPR is only the next regulation in line, adding to a number of existing regulations. For example, there are different legal rules on the notification duty in the event of a data breach or data leak. In addition, companies must comply with national privacy rules which vary by country. It gets even more complicated when the GDPR appears to be inconsistent with such national or industry-specific guidelines.

About Edwin Jacobs

Edwin Jacobs is a FinTech lawyer at Time.lex and lecturer at the University of Leuven and Antwerp. Specialties: business law in the information society, negotiation and legal management of ICT-projects, outsourcing, intellectual property rights, electronic invoicing and archiving, copyright, trademarks, privacy/data protection, e-business, electronic contracting.

About time.lex

Time.lex is a law firm specialised in FinTech, information and technology law in the broadest sense, including privacy protection, data and information management, e-business, intellectual property, online media and telecommunications.