Anyone in the process of complying with the EU General Data Protection Regulation (GDPR) will know that it’s hard work. Misinterpreting the GDPR can cause organisations to waste time and effort on ineffective measures, and unless they spot their mistake, they could be subject to disciplinary action.
This blog outlines some of the mistakes organisations make when preparing for the GDPR, and explains how to avoid falling for them.
1. “I didn’t realise the GDPR applied to me”
The biggest trap people can fall into is to assume that ‘the GDPR is only for big companies; it doesn’t apply to my organisation’. These people fail to address the Regulation at all and face the strictest punishment. But it’s not only the organisation’s size that people use to justify ignoring the GDPR. People say to us, ‘But my organisation isn’t in the EU’ or ‘We run a charity, so we’re fine, right?’.
None of these factors is relevant. It doesn’t matter where your organisation is based, how big it is, how much personal data you collect or what you use it for. The only thing that matters is whether you collect EU residents’ personal data. If you do, you need to either stop collecting it or comply with the GDPR. There are only two derogations. The GDPR doesn’t apply to “household activities”, such as individuals’ personal email or phone contacts, and the requirements are relaxed for organisations with fewer than 250 employees.
2. “You don’t always need consent?!”
Most organisations rely on consent to lawfully process people’s data, so many people have balked at the GDPR’s strict new consent requirements. Critics have said the rules, which include the need for “clear affirmative action” from the individual, make it too hard to get consent. Without it, organisations won’t have access to personal data, and some of their most important processes will fail.
It’s true that the GDPR’s requirements are intended to discourage organisations from seeking consent, but this doesn’t mean they can’t process personal data. Consent is only one of six lawful grounds for processing personal data, and it is by far the least preferable. Persisting with it as your basis creates a host of potential problems. For instance, if you used consent to process personal data and you then want to use that data for another purpose, you’ll need to ask for everybody’s consent again. Anyone who refuses or who doesn’t reply must be removed from your records.
Individuals are also free to withdraw their consent at any time, which again means you have to remove them from your records. If you don’t do this, your organisation risks disciplinary action from the relevant supervisory authority.
The other lawful grounds are much more stable, and they protect organisations in the event that an individual objects to the processing of their data. If the organisation can provide documented proof that the processing meets the lawful ground it relies on, the individual’s objection will probably be rejected.
3. “Am I the controller or the processor?”
The GDPR splits the legal responsibilities for handling personal data into two categories: data controllers, which determine the purpose for collecting personal data and how the collection will be done, and data processors, which carry out the data collection on the controller’s behalf.
This might seem simple enough, but the relationship between controllers and processors is rarely straightforward. Organisations are often data controllers in some scenarios and processors in others. Moreover, as VentureBeat explains, there might be multiple data processors for the same data: “For example, my company makes an IT service management (ITSM) platform. Customers store personal data in our Help Desk solution. That makes our customers controllers and my company a processor. However, our cloud platform runs on Amazon Web Services, so Amazon is a processor to us.”
VentureBeat adds: “Amazon controls personal data of some of our employees, perhaps in a CRM file or in an Amazon.com shopping account. But those are separate, unrelated relationships.”
The responsibilities for data controllers and data processors are different, so it’s essential that everyone involved in data collection is aware of their role. You can learn more about what that entails and the GDPR’s other requirements by enrolling on one of our GDPR training courses.
These courses are available in both classroom and distance learning formats. Book these courses together in our Combination Course to save 15%.