Becoming GDPR compliant was never going to be straightforward and many businesses continue to struggle with the challenge. But, there are steps that businesses can take to reduce the risks. Below we list the top 5 most common mistakes and misconceptions. By tackling these the journey to full GDPR compliance will be a smoother one.
Mistake #1: Not understanding what personal data is
Many businesses fail to understand what personal data is and where it’s located. This means they underestimate the volume of personal data they’re responsible for and risk undermining their compliance efforts. This is particularly true of businesses based outside the EU, who often interpret personal data too narrowly. Personal data doesn’t just consist of sensitive information such as health records, it also covers day-to-day information which is often overlooked, such as business email addresses.
Are you confident that your organisation’s interpretation and definition of personal data is correct?
Mistake #2: Playing fast and loose with public domain information
Personal data that is in the public domain remains personal data. Too many organisations make the mistake of thinking that GDPR rules do not apply if information is readily and publicly accessible. Data subjects who have entered personal data into the public domain may have lower expectations about how that data will be processed, but it remains personal data. Activities such as holding information from purchased marketing distribution lists, or building a database of email contacts gathered from LinkedIn are subject to GDPR provisions.
Mistake #3: Thinking you’re exempt because you’re based outside the EU
It’s easy to assume that you don’t need to worry about a European regulation if you’re based outside the EU. However, if you hold or process personal data belonging to data subjects in the EU then the GDPR may affect you just as critically as it does any EU-based organisation. Tellingly, the very first enforcement action taken by the UK ICO following the introduction of GDPR, was to serve an Enforcement Notice against Canadian company AggregateIQ Data Services Ltd. The CNIL has also now (as of 21 January 2019) issued a financial penalty against Google LLC of €50 million (almost US$60 million) for failing to process personal data transparently, providing insufficient and unsatisfactory information to data subjects and collecting invalid consent to processing for advertising personalisation.Failing to understand the territorial scope of GDPR does not excuse non-compliant behaviour.
How deeply have you mapped the origin of all your customer data and your processing activities?
Mistake #4: Assuming that deleting data will achieve compliance
It is important not to resort to large-scale deletion of personal data thinking that this could be a ‘silver bullet’ solution to GDPR compliance. Deletion is of course an act of processing and so must itself comply with the GDPR. In certain cases, compliant processing requires the retention of data and so any mass deletion is potentially disastrous. Even when data deletion is appropriate, it must be carried out in a compliant manner.
How well does your organisation understand the risks of data deletion?
Mistake #5: Thinking ‘consent’ always provides immunity
Many organisations make the mistake of relying too heavily on the provision of consent to ensure GDPR compliance. Operating a consent-driven database is by no means 100% reliable and leaping to consent as your lawful grounds for processing is an imperfect solution. Is consent the correct basis for your data processing? If so, can you be certain that consent is valid?
How confident are you that your organisation can register and implement every removal of consent without delay or error?
Mewburn Ellis advises a wide range of international and domestic clients on how to achieve and maintain GDPR compliance.
If you would like to speak to a member of the team please contact Emma Kennaugh-Gallacher at firstname.lastname@example.org