The GDPR – Five common misconceptions

The EU General Data Protection Regulation (“GDPR”) has arrived marking the biggest shake-up to data protection laws for twenty years. Despite extensive guidance from regulators, there are still a number of misconceptions about the GDPR. Our top five are set out below.

1. I must get consent from individuals

The lead-up to the GDPR was marked by a flurry of emails seeking consent for a variety of different purposes. Do you also need to contact individuals and ask for consent? In many cases, the answer is no.

If you process personal data, you must satisfy one of the six lawful bases for processing set out in the GDPR. One of those legal bases is consent but, in many cases, you will be better off relying on a different legal basis. This is because the individual must have a genuine choice for the consent to be valid. This means the consent must:

• be for a specific and identified purpose. For example, asking the individual to consent to the whole of your privacy policy will not normally result in a valid consent;
• involve an affirmative action by the individual. Silence or pre-ticked boxes are not sufficient; and
• be freely given. The consent may be invalid if the individual will suffer detriment by refusing consent or if there is a power imbalance.

Moreover, the individual can withdraw consent at any time. Where consent is withdrawn the relevant processing should normally stop.

This means most organisations should apply the ABC principle (Anything But Consent). Other legal bases may well be more appropriate. For example, the processing may be necessary for: (i) a contract with the individual; (ii) a legal obligation you are subject to; or (iii) your legitimate interests and is not overridden by the individual’s interests.

One exception is email marketing or the use of cookies. ePrivacy laws mean you may still need consent (see below).

2. The law protects all EU citizens

Another misconception is that the GDPR was passed to protect EU citizens. For example, if an EU citizen checks into a hotel in South Africa, must the hotel comply with the GDPR?

The GDPR primarily applies to organisations established in the EU. If you are caught by this primary test, the GDPR applies regardless of the location or citizenship of the individual. For example, a company based in Madrid must apply the GDPR to all individuals regardless of whether they live in Málaga or Mongolia.

The GDPR also has a secondary test based on the targeting of individuals in the EU. If an organisation is established outside of the EU, it will be subject to the GDPR if it:

• offers goods or services to individuals in the EU; or
• monitors the behaviour of individuals in the EU.

Importantly, the question is whether the individuals are in the EU, not whether they are EU citizens. In addition, if you are caught by this test you only need to comply with the GDPR in respect of the individuals in the EU, not the whole of your operations.

Is the South African hotel subject to the GDPR? The answer depends on whether it is caught by the offering or monitoring tests set out above. For example, if the hotel has been actively marketing to individuals based in the EU, it will be caught by the GDPR in respect of those individuals.

3. This a completely new law

The GDPR marks a big shake-up to European data protection laws, but the core principles in the GDPR are very similar to the old Data Protection Directive. In particular, the GDPR retains the core concepts of personal data, controller and processor. It also preserves the core requirements that personal data be processed fairly and lawfully, for limited purposes, use is minimised, and that personal data be accurate, secure and not kept longer than necessary.

However, there are some big changes. These include:

• some tweaks to those core concepts, such as the more restrictive approach to consent and the broad extra-territorial reach (see above);
• new compliance obligations, such as the need, in some cases, to appoint data protection officers, carry out data protection impact assessments and update contracts with processors; and
• new obligations, such as the duty to notify some data breaches to regulators and grant new rights to individuals.

In other words, if you were largely compliant with the old Data Protection Directive, the additional steps to comply with the GDPR should not be too painful. The GDPR marks an evolution, not revolution, in data protection laws.

4. I only need look at the GDPR

The GDPR provides a detailed set of privacy rules but, despite its length and complexity, does not provide a complete overview of your obligations.
You also need to factor in complementary laws such as:

• the ePrivacy Directive. Amongst other things this: (i) requires you to obtain consent to the use of certain cookies; and (ii) only permits the sending of direct marketing emails if you either have the individual’s consent or the similar products and services exemption applies. (In some Member States, there is an exemption for emails to corporate subscribers); and
• the Network and Information Systems Directive which contains overlapping provisions on security and incident notification.

In addition, the GDPR will be modified by each EU Member States’ implementing laws. For example, in the UK, the Data Protection 2018 contains important refinements such as additional rights to process sensitive personal data and exemptions based on public interest grounds.

National law also contains important provisions in Germany that require many organisations to appoint a data protection officer and imposes special rules when processing personal data about employees.

This can make a comprehensive analysis of your obligations a daunting prospect. Further complications arise from the fact many Member States have still not passed national implementing law.

5. Breach will result in huge fines

Some articles on the GDPR start, or end, with a warning that breach will result in huge fines.

The GDPR does raise the risk of very significant administrative fines. Breaches of most provisions of the GDPR can result in a fine of up to the greater of 4% of annual worldwide turnover or €20 million₁.

In some cases, this is a big number. For example, the privacy activist Max Schrems recently made complaints against Facebook and Google, pointing out that they can be fined up to €1.3 billion and €3.7 billion, respectively. For some of the big US tech companies, these figures are not entirely theoretical. The Irish regulator has already suggested that serious GDPR breaches could “without a doubt” run to billions of euros for some of these organisations_2.

However, most organisations are very unlikely to face this level of sanction and, even then, only for the most serious of breaches. For example, the UK Information Commissioner has never issued the maximum fine available under the old law (£500,000). She has described the suggestion she will simply scale fines up to the new limits under the GDPR as nonsense_3.

The risks associated with non-compliance have increased, but there is no need to panic.

More information about the GDPR is available in our Survival Guide and more information on national implementing laws is in Data Protected.

_{1.Some breaches result in a smaller fine calculated as the greater of 2% or €10 million.}

_{2.Ireland warns tech groups over new EU data rules, Financial Times, 8 March 2018.}

_{3.Blog: GDPR – sorting the fact from fiction, ICO website, 9 August 2017.}