With GDPR officially coming into force on the 25th May 2018, all organisations involved in handling data are increasingly under pressure to comply with this new regulatory landscape. But, according to barristers at law, Quentin Hunt and Dean Armstrong QC (co-author of Cyber Security Law and Practice), even those organisations who consider themselves to be up to speed remain at serious risk of falling foul.
Recent research by Capgemini has identified that, in the UK alone, 45% of companies are not yet fully compliant or ready for the changes, and 15% have made the bold statement that GDPR does not constitute a priority for them. Overall, the research suggests that 85% of organisations across the US and Europe will fail to be fully prepared for compliance by the looming deadline.
Hunt and Armstrong’s combined experience across the cyber security and GDPR landscape corroborates this view and has highlighted the fact that even organisations who think they are prepared are typically labouring under several key misunderstandings of what GDPR really means. So, the two barristers have come together to lay out the five most common misconceptions and offer practical tools to allow organisations to test their readiness.
The top five myths
Myth 1: GDPR compliance is a black and white business
According to Hunt and Armstrong, one of the biggest legal complications with understanding GDPR is that this is not a rule-based piece of regulation. “When you’re dealing with something like the EU’s Markets in Financial Instruments Directive (MiFID), or driving at 35 miles per hour (mph) in a 30mph zone, the parameters of the law are clear cut and there is little need for interpretation,” says Hunt. “GDPR, on the other hand, is a principle-based regulation. Compliance is assessed in accordance with designated principles, such as whether ‘effective’ consent has been obtained by the data owner and whether that data is considered to be ‘current’. Should an investigation arise, such judgements would be at the discretion of the Information Commissioner’s Office (ICO) and would involve a legally-based assessment. So, it’s easy to see how organisations who might consider they’re on top of GDPR may in reality be at risk of being found to be non-compliant.”
Myth 2: GDPR fines are just the cost of doing business
Whilst fines and losses are often accepted as a necessary business adjustment, GDPR fines are at a level never seen before in data protection. The extent of these financial penalties has the potential to destroy a business, Hunt and Armstrong warn. Certain infringements have the potential to incur fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. The nature, gravity and length of the infringement, the number of people affected, and any mitigating action will all affect the level of the fine. Plus, there’s the reputational damage to consider. If severe, a breach could impact massively on share price, leading to the possibility of class actions and loss of consumer confidence.
Myth 3: GDPR is an EU matter
If your business depends on trading with EU citizens, then you will still need to adopt data protection regulation that is as rigorous as GDPR, or more so. Hunt and Armstrong point out that anyone wanting to access the EU market has three paths open to them:
- One option follows the Norwegian route and involves joining the European Economic Area, which requires that non-EU countries implement rules and procedures that are equivalent to those in the EU.
- In the case of bilateral trade deals with the EU, these typically result in the non-EU country having to agree to apply laws that are at least as demanding as EU legislation. This is the route Switzerland has taken. In both these instances, non-EU countries would have to adopt data protection regulations that are as strict as GDPR.
- It is possible for a non-EU country to maintain independent trade deals without taking on the burden of equivalent obligations, but in this instance GDPR will still require ‘adequate’ protection to be put in place in order to allow EU members to pass information to the non-EU country.
The core message is vital: if your organisation is offering goods or services to EU citizens, or monitoring their behaviour, then GDPR will still apply to you, regardless of your own organisation’s location.
Myth 4: The compliance team bears full responsibility for GDPR
Hunt and Armstrong are keen to emphasize that GDPR is something that every business leader must fully understand and be on top of. “At the regulation’s core is the sanctity of personal data,” says Hunt. “This is centred on the notion that personal data belongs to the individual and that businesses are mere custodians. It represents a fundamental change in the way that every organisation uses, manages and protects data – and ignorance or buck-passing will be no defence at all. Make no mistake, it is absolutely an executive responsibility to ensure that your team understands what GDPR means for their job.”
Myth 5: Technology is a panacea
In Hunt and Armstrong’s experience, many organisations are still wrongly assuming that GDPR is all about the data hack, and that beefing up cyber security measures provides all the answers. But compliance by design and default is the GDPR mantra – therefore by definition technology can only solve part of the problem.
In the case of, for example, a breach caused by someone leaving confidential papers in a taxi, there’s nothing technology can do to prevent that. What’s more, the two barristers note, GDPR also forbids reliance on automated decision making. This means, for example, that mortgage companies can no longer approve or reject an application based on an automated credit score. Technology has a role to play in GDPR, but there is also a crucial role for human judgement and the ability to reverse a decision. Technology should only ever play a supporting role to bespoke expert advice in this area.
Five steps to take right now
Especially with the enforcement deadline looming, Hunt and Armstrong’s initial advice is to consider the following questions to establish your organisation’s readiness for the regulations.
- Regularly review your data, including the type you are collecting. Ask yourself:
  - Can any of this data be anonymised?
  - Where is the data going?
- Review your processes for data breach notification, security and risk assessment.
- Check your contracts – do you need to conduct a data protection impact assessment?
- If you are a data controller, review your relationships with data processors.
- Train your workforce. As mentioned, it is not enough to rely on your compliance or technical teams. Consider the following questions:
  - Do you need to hire a data protection officer?
  - Do you have adequate processes in place should employees have to handle a serious data breach?
  - Are your contracts – with staff and subcontractors – GDPR compliant?
  - Have you given your employees the correct information?
“There is still time to make an initial and informed assessment of your readiness for GDPR,” says Hunt. “But, with so many misconceptions remaining rife, and with so much at stake if you fail to comply, it’s vital that you honestly assess these areas immediately and seek advice in any areas that are unclear.”
You can also head over online to take the GDPR quiz, to quickly establish what level of risk you are at and how to proceed.