GDPR Myths
The General Data Protection Regulation (GDPR) is a regulation on protecting personal data of EU citizens within and outside the European Union (EU) and European Economic Area (EEA). The regulation covers all aspects of data protection including data processing activities, rights of data subjects, obligations of controllers and processors, security measures, conditions for consent, breach notification process, personal data transfer to third countries, and potential consequences for noncompliance.
The General Data Protection Regulation (GDPR) is a regulation on protecting personal data of EU citizens within and outside the European Union (EU) and European Economic Area (EEA). The regulation covers all aspects of data protection including data processing activities, rights of data subjects, obligations of controllers and processors, security measures, conditions for consent, breach notification process, personal data transfer to third countries, and potential consequences for noncompliance. Since it came into effect on May 25th, 2018, GDPR raised an enormous interest and controversies on its application and implementation among public and private organizations. Two years later, some of the most controversial matters that are ascribed to GDPR are still inaccurate. In this article, we debunk five common misconceptions related to GDPR application.
1. GDPR ONLY APPLIES TO ORGANIZATIONS RESIDING IN THE EU
The purpose of GDPR is to ensure that EU citizens have more control on the processing of their personal data. Developments in information technology have allowed organizations and individuals to share, process, store and analyze a huge amount of data for a short period of time. The Regulation applies to organizations within and outside the EU, that process personal data of EU citizens for various purposes. Article (3.1) of GDPR on the territorial scope states that: “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”. When does GDPR apply to organizations outside the EU? Based on article (3.2), organizations outside the EU that offer goods or services to EU citizens, or monitor their behavior must comply with the GDPR.
2. THE GDPR CONTAINS UNBEARABLY HIGH FINES FOR ORGANIZATIONS
GDPR includes fines and penalties that are designed for organizations that do not comply with its requirements related to protection of personal data. There are claims that “GDPR is the biggest threat to your business” or that “GDPR threatens the existence of organizations”, which can be simply considered as myths. GDPR imposes two categories of fines for organizations that do not comply with the GDPR. The first category is for less severe infringements that could lead to fines up to € 10 million, or 2% of the annual global turnover, whereas the second category is for severe or serious infringements that could lead to fines up to € 20 million, or up to 4% of the annual global turnover, whichever is greater. However, the particular supervisory authority is accountable to determine and assess the amount of the fine based on the severity of the infringement.
3. ORGANIZATIONS NEED EXPLICIT CONSENT FOR PERSONAL DATA PROCESSING
Consent obtained from data subjects to process their personal data is one way to comply with the GDPR. Based on the Regulation, consent of the data subject means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Explicit consent is also a debated topic that has led to misleading information. However, GDPR does not define explicit consent, but it requires from organizations to obtain valid consent. Valid consent means that consent is a clear statement, that is obtained freely by the data subjects, without imposing any precondition for a particular service.
4. DATA SUBJECTS HAVE THE ABSOLUTE RIGHT TO BE FORGOTTEN
One of the rights of data subjects related to the processing of personal data is the right to erasure or the right to be forgotten. Data subjects have the right to request from the controller to erase their personal data based on the cases set in article (17.1). This right has been widely discussed and interpreted in different ways. However, GDPR has specified also the extent of applying this right, which it appears that is not an absolute right of data subjects. According to article (17.2), the right to be forgotten does not apply for exercising the right of freedom of expression and information, for reasons of public interest for different purposes, and for the establishment, exercise or defence of legal claims.
5. EVERY ORGANIZATION NEEDS A DATA PROTECTION OFFICER
The provisions related to the appointment of a Data Protection Officer (DPO) were feared and resisted especially by small organizations. This is understandable since appointing a Data Protection Officer (DPO) can be a financial burden for small organizations. However, GDPR does not require every organization to appoint a Data Protection Officer (DPO). There are three types of organizations that must appoint a Data Protection Officer (DPO), as follows:
- Public Organizations
- Organizations engaged in large scale and systematic monitoring.
- Organizations engaged in processing of sensitive personal data on a large scale.
Even though that some organizations may not fall into one of the above-mentioned categories, it is recommended to appoint a Data Protection Officer (DPO) as it is considered a good practice to monitor and advise on data protection requirements.