Demystifying GDPR myths and grey areas

By Jim, on Filed in Fear Uncertainty and Doubt / GDPR / Incident Management / Incident Response / PrivacyTagged , , ,

The General Data Protection Regulation (GDPR) has been the buzz word that is causing media hype and organisations across the globe. You can find myths and misconceptions around GDPR more than you can find factual information. This blog post will address some of the key myths that we have found.

From the “EU citizens” myth to the “targeting EU” misconception, a lot of organisations have no clue where to start. GDPR “Experts” have also confused decision makers with discussions around GDPR grey areas and forgot to focus on the majority of black and white areas which organisations are already lacking and require a lot of work to meet.

Axenic has previously published an article on “How the General Data Protection Regulation applies to New Zealand organisations” where we captured official text from the GDPR and interpreted its meaning to organisations in New Zealand. After attending several events and discussing with a number of customers, here are the key points that we think matter most. While this is an attempt to clear some FUD (Fear, Uncertainty and Doubt) around GDPR, this is not a legal advice.

  • GDPR does not apply to EU citizens. GDPR applies to data subjects in the EU. For example, a New Zealand organisation that has a website in English, French and German is considered to be targeting data subjects in the EU. The personal information of a Kiwi living, or even visiting, the EU who happens to visit this website while they are in the EU, falls under GDPR. On the other hand, GDPR does not apply to the personal information of an EU citizen (or a Kiwi) visiting a local New Zealand site that does not target data subjects in the EU.
  • GDPR does not prescribe how you allow data subjects to exercise their rights. Data subject rights do not have to be automated. Whether a data subject exercises their right to object to the collection of information, requests access to information, be forgotten, or rectification, this does not mean that you have to build automated means into your systems or services to achieve that. Manual processes are fine as long as you can provide data subjects with their rights in a reasonable timeframe. However, it is recommended that you automate as many of these rights as you can to avoid consuming valuable resources to meet the “reasonable” timeframe.
  • GDPR distinguishes a specific category of personal data as sensitive personal data. Sensitive personal data is a special category of personal data that is related to the fundamental rights and freedoms of individuals. Sensitive data merits specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms, according to recital 51 of the GDPR. Examples of sensitive data include health, racial and ethnic data. Photos has been one of the most significant grey areas in this category. Recital 51 of the GDPR clarifies this by stating that this is only the case if its processed “through a specific technical means allowing the unique identification or authentication of a natural person”. If in doubt, seek consent and keep data subjects fully informed. Better off, do not collect it if you don’t need it.
  • While the GDPR has a few grey areas, I don’t envisage that organisations will be fined simply because they got caught into those. There are more clear “Dos” and “Don’ts” under the regulation that require a lot of effort to comply with than the grey areas.
  • On the 25th of May 2018, regulators in the EU will not slam every data controller or processor. A number of the EU countries do not have their legislative frameworks ready for GDPR and a lot of regulators are not ready either. While this means organisations should not panic, this should not be an excuse to relax. Compliance with the GDPR requirements consumes time and resources, so you should start now if you haven’t already.
  • Organisations will not always pay hefty fines for any “breach”. GDPR administrative fines will depend on nature, gravity and duration of the infringement while considering the purpose of processing, the number of affected data subjects and the level of damage. I don’t think that an organisation will be fined 20 million Euros for an honest mistake, that happened once, which led to missing the erasure of the name or address of a data subject that exercised their right to be forgotten and did not have substantial impact on them. In determining administrative fines under GDPR, the intentional or negligent character of the breach, cooperation with supervisory authorities, the number of provisions infringed, and the actions taken to mitigate the impact of the breach (a.k.a. incident response), will all determine whether the organisation should be fined and the severity of the fine.

Given the above, the 72 hours notification period and the fact that the majority of organisations know about their data breaches from external parties, incident management is of a specific importance within GDPR. While I will write a specific post to discuss Article 29 Data Protection Working Party Guidelines on Personal data breach notification, you can in the mean time check my Rapid Reaction series here.