
GDPR: Myths, Misconceptions & Misinformation
from BSA Today Issue 2
by bsatoday
Article by Stuart Walsh, Blue Stream Academy's Chief Information Security Officer (CISO).
The General Data Protection Regulation (GDPR) has affected everyone, from individuals to global corporations, companies and organisations, both inside and outside of the European Union (EU).
It has transformed marketing practices, the way in which data is managed and given people control of their own personal information.
With a year having passed since its implementation, now seems to be an appropriate time to look back and reflect upon some of the most common myths, misconceptions and misinformation surrounding GDPR.
Consent
Whilst a lawful basis is required in order to utilise personal data, there are six to choose from:
• Consent: The individual has given clear consent for you to process their personal data for a specific purpose.
• Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
• Legal Obligation: The processing is necessary for you to comply with the law (not including contractual obligations).
• Vital Interests: The processing is necessary to protect someone’s life.
• Public Task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
• Legitimate Interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks).
Due to the high standard for consent set out by the GDPR, the complexities involved and the potential to significantly affect the way in which an organisation operates, more often than not, it is in fact preferable for them to rely upon another lawful basis.

Individual’s Rights
The GDPR provides the following rights for individuals:
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.
Whilst these rights are a significant part of the GDPR, they’re not absolute and may be superseded by other legal rights and/or obligations.
For example, an individual’s right to erasure does not apply if processing is necessary for one of the following reasons:
• To exercise the right of freedom of expression and information.
• To comply with a legal obligation.
• For the performance of a task carried out in the public interest or in the exercise of official authority.
• For archiving purposes in the public interest, scientific research, historical research or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of that processing.
• For the establishment, exercise or defence of legal claims.
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
• If the processing is necessary for public health purposes in the public interest (e.g. protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices).
• If the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services).
This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g. a health professional).
Data Must Be Stored in the EU
Many organisations hold the mistaken belief that under the GDPR all personal data must reside within the EU and cannot be transferred outside of it.
This would be particularly problematic given the nature and increasing proliferation of cloud storage solutions.
The GDPR framework states that, “flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation”.
A requirement of the GDPR is that the transfer of data outside of the EU must only occur with countries deemed as having adequate data protection laws.
Whilst the US is not considered to meet this requirement, the Privacy Shield is an agreement between the EU and US that allows for transfer of personal data; this is based upon the participating organisation being regarded as having satisfactory protection in place.

All Data Breaches Must Be Reported to the Information Commissioner's Office (ICO) and the Individuals Affected Immediately
A significant change that the GDPR brought about was the requirement for data controllers to notify the ICO of certain types of personal data breach within 72 hours of them becoming aware of the breach, where feasible.
Where the breach is likely to have a significant negative effect on individuals’ rights and freedoms, those individuals must also be informed, without undue delay.
It should be noted that it is the data controller’s responsibility to notify the data subjects and the ICO of any high-risk breach; the data processor must inform the data controller of any such occurrence but is not obligated to notify the ICO.
Unfortunately, it’s not always practical for organisations to provide accurate details of data breaches straight away, as the incident will need to be investigated so as to ensure the accuracy of the information supplied; remedial and/or preventative measures may also need to be put in place to prevent further adverse impact or related occurrences in the future.
So, whilst the ICO should be notified as soon as is reasonably possible, they will not expect to be provided with in-depth analysis and reports, which can be supplied later; they will be more concerned with the cause of the breach, the way in which the incident is being dealt with and the actions being taken to mitigate the problem.
In the event of a suspected data breach, it is always advisable to contact the ICO who will ascertain the level of risk posed to the individuals affected and be able to recommend the best course of action.
You may also be required to report the breach under other laws such as the Privacy and Electronic Communications Regulation (PECR), the Electronic Identification and Trust Services (eIDAS) Regulation or the NIS Directive. Regardless of whether or not you are required to notify the ICO, you must keep a record of the incident.
