GDPR is coming! GDPR is coming! It seems like just about everyone knows that the General Data Protection Regulation is on the horizon (it applies from 25 May 2018), but there is still plenty of confusion over various aspects of this complex set of new rules. Here are three common misconceptions about GDPR.
GDPR is only for European Companies
This is one of the biggest points of confusion around GDPR. If a company collects, stores, or processes personal data about people in the EU, it falls under the provisions of the new regulation even if the company itself is located outside the EU, provided the processing relates to offering those people goods or services or to monitoring their behaviour. While some countries’ privacy laws apply only to companies with a physical presence within the country, GDPR is specifically designed to reach any company that holds personal data about people in the EU.
Pseudonymized Data is No Longer Considered Personal Data
While GDPR strongly recommends pseudonymising personal data as a best practice (replacing the identifying fields in each record with a token, such as a keyed hash or an encrypted value, and keeping the key or lookup table separately), doing so does not change the data’s status as personal data. As long as someone holds the additional information needed to attribute the records back to an individual, the data still needs to be collected, stored, processed, and otherwise used in ways that are compliant with the new regulation.
Legitimate Interest Will Exclude Many Companies from Compliance Requirements
The regulation does include a lawful basis for processing personal data without specific user consent in certain circumstances of ‘Legitimate Interest’; however, this basis must always be weighed against the individual’s data protection rights. Some companies have hoped that this section of GDPR might allow them to stay outside the new consent rules, but that remains to be seen. In practice, Legitimate Interest may turn out to have quite narrow application and not be available to many companies. Only time will tell for certain.
These are just a few areas where there is some confusion about GDPR. For more information on GDPR, you can visit the UK’s Information Commissioner’s Office website.
What is Pseudonymisation? The processing of personal data such that it can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is protected by measures that ensure non-attribution.
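As an added illustration (this is not code from the original post), the short Python script below shows what that definition means in practice: records are pseudonymised by swapping the e-mail address for a keyed hash (HMAC-SHA256), the key and lookup table are the “additional information” that must be held separately, and anyone holding them can re-attribute every record. It also shows why a plain, unkeyed hash of an e-mail address is weak pseudonymisation: an attacker with a list of candidate addresses can recover it by trial. The records, key and e-mail addresses are constructed for the example and belong to nobody.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample records for the example; the addresses are not real people.
RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "purchase": "book"},
    {"email": "bob@example.com", "purchase": "lamp"},
]


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256 of an identifier: deterministic and guessable."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymize(records: List[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Replace the e-mail address in each record with an HMAC-SHA256 token.

    Returns the tokenised records and a lookup table mapping token -> e-mail.
    The lookup table (and the key) are the 'additional information' of
    Article 4(5): they must be stored separately from the tokenised data.
    """
    tokenised: List[Dict[str, str]] = []
    lookup: Dict[str, str] = {}
    for record in records:
        token = hmac.new(key, record["email"].encode("utf-8"), hashlib.sha256).hexdigest()
        lookup[token] = record["email"]
        tokenised.append({"subject_id": token, "purchase": record["purchase"]})
    return tokenised, lookup


def reidentify(tokenised: List[Dict[str, str]], lookup: Dict[str, str]) -> List[Dict[str, str]]:
    """Whoever holds the lookup table can attribute every record again,
    which is exactly why pseudonymised data remains personal data."""
    return [{"email": lookup[r["subject_id"]], "purchase": r["purchase"]} for r in tokenised]


def dictionary_attack(token: str, candidates: List[str]) -> Optional[str]:
    """Try to reverse a token by hashing candidate identifiers without any key.

    Succeeds against plain_hash() tokens; fails against HMAC tokens because the
    attacker cannot compute them without the secret key.
    """
    for candidate in candidates:
        if hmac.compare_digest(plain_hash(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    key = b"keep-this-secret-and-separate"  # constructed key for the demo
    tokenised, lookup = pseudonymize(RECORDS, key)
    print("tokenised:", tokenised)
    print("re-identified with lookup table:", reidentify(tokenised, lookup))

    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]
    print("plain hash reversed:", dictionary_attack(plain_hash("alice@example.com"), guesses))
    print("HMAC token reversed:", dictionary_attack(tokenised[0]["subject_id"], guesses))
```

Note that the keyed token is still a pseudonym rather than anonymisation: the same e-mail always maps to the same token, so records can be linked, and the key holder can reverse it at will. The compliance obligations follow the data wherever the key exists.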
What is Legitimate Interest? Legitimate interest is the most flexible lawful basis for the processing of data. It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.
***This is not to be taken as legal advice. We encourage you to obtain professional legal advice as to how GDPR may impact your business.