[BreachExchange] 10 Common GDPR Myths Busted

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 10 19:05:09 EDT 2018


With GDPR fast approaching this month, PerformanceIN addresses some of the
more common misconceptions around the regulatory update with the help of
GDPRPLAN.com founder and affiliate marketing specialist, Micky Khanna.

1. Data collected ahead of GDPR will be OK to use after May 25

Myth: Unless the data has already been collected in accordance with the

2. Every company will need to opt-in their contactable database

Myth: If you have already obtained specific consent or have another lawful
basis for contacting your user database, then the ICO states that you do not
need to send re-opt-in emails. The Privacy and Electronic Communications
Regulations (PECR) – which will run alongside the GDPR until they are
replaced by the new e-privacy rules – also state that you must not send
marketing emails to individuals without specific consent, but there is a
limited exception for previous customers, under a “soft

3. GDPR will only affect companies operating in the EU

Myth: The GDPR affects any business that collects or processes the personal
data of ANY individual in the EU, regardless of whether the business is based
inside or outside the European Union.

4. GDPR compliance will be a safeguard against data breaches

Fact: If strict security measures around the storage, transfer, collection
and any additional processing are adhered to, and staff have been trained
to understand the security implications of their actions and their
obligations to comply with company policy in accordance with the
Accountability and Governance measures set out by the ICO (which we at
gdprplan.com provide training for), then this demonstrates that
organisational measures are being taken in order to comply with the GDPR.
Demonstrable compliance is evidence of appropriate measures, not a guarantee
that a breach cannot occur.

5. GDPR compliance is an issue only for the tech/data teams

Myth: The GDPR is a business-wide issue that needs everyone to demonstrate
respect for personal data, and ultimately it’s the CEO who is accountable
if the company is found guilty of non-compliance. The consequences include
the loss of existing customers and of new business revenue as prospective
customers divert their requests to competitors. If you’re a publicly listed
company there is also the loss of share price, which ultimately lies on the
doorstep of the CEO (and therefore affects the future of their position and
their personal reputation).

6. All information classed as ‘personal data’ will need to be treated the

Myth: Personal data should be classified according to the level of privacy
required and the threat to the rights and freedoms of the individual. For
example, you may classify personal data as “public, private & restricted”
and associate the appropriate access privileges with each level of the
organisation’s hierarchy.

7. With multiple companies working with the same consumer data (i.e.,
networks and publishers), the burden of responsibility will fall on just
one member.

Myth: It is the responsibility of the data controller to ensure that it
has the appropriate contracts in place with each and every processor that
is involved in the processing of personal data, and that both the
"Controller and Processor guarantee to implement appropriate technical and
organisational measures in such a manner that processing will meet the
requirements of the GDPR and ensure the protection of the rights of the
data subject".

Failure to do so could result in the supervisory authority enforcing
sanctions on each processor within the chain that is found guilty of
non-compliance (which could include the processor(s) being ordered to cease
processing, and the controller being on the receiving end of a penalty for
not taking steps to guarantee the protection of the personal data with
which it has been entrusted).

8. Hefty fines are the most concerning threat from GDPR

Myth: The ICO has gone to great lengths to state that it will not be
looking to issue hefty fines and will only do so as a last resort. What is
probably more concerning is the reputational damage and the knock-on
effects from the negative PR and associated damage to your brand if found
guilty of non-compliance. As per point 5, these effects will also bring
into question the leadership and position of those at the top of the
organisation.

9. The ICO requires companies to assign a Data Protection Officer

Fact (kind of…): The General Data Protection Regulation states that you
need to appoint a Data Protection Officer if:

- You are a public authority (except for courts acting in their judicial
- Your core activities require large scale, regular and systematic
monitoring of individuals (for example, online behaviour tracking); or your
core activities consist of large scale processing of special categories of
data or data relating to criminal convictions and offences.

10. Small businesses will be exempt from GDPR rulings

Myth: Whether a business falls within the Private Sector, the Public
Sector or the NGO/Charities Sector, every business that collects or
processes personal data will need to comply with the GDPR – regardless of