3 GDPR compliance mistakes and how to avoid them

The GDPR (General Data Protection Regulation) has been in effect for almost a year, but its compliance requirements are still subject to a lot of confusion. Many organisations aren’t sure exactly what they’re supposed to be doing, and even more worryingly, some are working under false assumptions. 

If you fall into either of those categories, you might find yourself making one of these compliance mistakes: 

1. Not realising that the GDPR applies to you 

The biggest trap people can fall into is to assume that, for some reason or another, the GDPR doesn’t apply to them. Many people incorrectly assume that ‘the GDPR is only for big companies and doesn’t affect me’ or that ‘we run a charity, so we’re fine, right?’. 

These assumptions are irrelevant. It doesn’t matter how big your organisation is, how much data you collect or what you use it for. The only thing that matters is whether you collect EU residents’ personal data. If you do, you need to either stop collecting it or comply with the GDPR. 

There are only two derogations. First, the GDPR doesn’t apply to “household activities”, such as individuals’ personal email or phone contacts, and second, the requirements are relaxed for organisations with fewer than 250 employees. 

2. Relying on consent when it’s not necessary 

Most organisations have historically relied on consent to process people’s data, which caused a lot of people to balk at the GDPR’s strict new consent requirements. Critics said the rules, which include the need for “clear affirmative action” from the individual, make it too hard to get consent. As a result, they argued, organisations won’t have access to personal data, and some of their most important processes will fail.

It’s true that the GDPR’s requirements are intended to discourage organisations from seeking consent, but this doesn’t mean they can’t process personal data. Consent is only one of six lawful grounds for processing personal data, and it is by far the least preferable. Persisting with it as your basis creates a host of potential problems. 

For instance, if you used consent to process personal data and you then want to use that data for another purpose, you’ll need to ask for everybody’s consent again. Anyone who refuses or who doesn’t reply must be removed from your records. 

Individuals are also free to withdraw their consent at any time, which again means you have to remove them from your records. If you don’t do this, your organisation risks disciplinary action from the relevant supervisory authority. 

The other lawful grounds are much more stable, and provide organisations with security in the event that an individual objects to the processing of their data. If the organisation provides documented proof that the processing meets the lawful requirement, the individual’s objection will probably be rejected. 

3. Being unable to determine whether you are a data controller or data processor 

The GDPR splits the legal responsibilities for handling personal data into two categories: data controllers, which determine the purpose for collecting personal data and how it will be done, and data processors, which carry out the data collection. 

This might seem simple enough, but the relationship between controllers and processors is rarely straightforward. Organisations are often data controllers in some scenarios and processors in others. Moreover, as VentureBeat explains, there might be multiple data processors for the same data: 

“For example, my company makes an IT service management (ITSM) platform. Customers store personal data in our Help Desk solution. That makes our customers controllers and my company a processor. However, our cloud platform runs on Amazon Web Services, so Amazon is a processor to us.” 

VentureBeat adds: “Amazon controls personal data of some of our employees, perhaps in a CRM file or in an Amazon.com shopping account. But those are separate, unrelated relationships.” 

Get the GDPR right with our Starter Bundle 

If your organisation is guilty of any of these mistakes, you need to rectify your practices as soon as possible. With our GDPR Starter Bundle, this is light work. 

This package contains three essential products to help you build a compliance framework. We provide everything you need to document your practices, assess your compliance posture and teach employees about their responsibilities under the Regulation. 
