Voice of the Industry

GDPR: data protection vs data privacy – clearing some myths...

Tuesday 10 July 2018 09:27 CET | Voice of the industry

To clear some confusion caused by GDPR, EPA’s Neira Jones has sat with The Paypers to debunk some myths created around data protection and data privacy.

Unless you have been living under a stone over the past year, you can’t have missed the stories, some good, some bad, and some downright ridiculous (and potentially dangerous), surrounding that worldwide regulatory behemoth we call the GDPR...

At first, the regulation was grabbed by the security pros, seen as a boon to sell yet more technology and services, and then the privacy pros embraced it as a welcome way to put individuals back in control of their information, and to have a bash at technology companies... After all, many have said, data is the new money...

However, we must not forget that the distinctions between data privacy and data protection are fundamental to our understanding of how one complements the other. Data protection, the traditional realm of security professionals, is about securing data against unauthorised access. And there lies the crux of the matter: we traditionally associate “unauthorised” with criminal activity (e.g. a data breach), and therefore “authorised” access is perfectly acceptable to a security pro, such as is the case when sharing data with an “authorised” third party.

Of course, in this context, who decides that the third party is “authorised” is, of course, the organisation holding the data, which up until now, may have considered that they actually own that data (such as the famous comment by the former Equifax CEO about owning the customer data they hold). On the other hand, Data Privacy concerns arise wherever personal information is collected, stored, or used, and the data subject is not in control of such activities. To go back to the earlier example, personal data may be shared with a third party “authorised” by company (aka a data controller), which might be perfectly acceptable for satisfying data protection (e.g. information security) purposes, but may be unacceptable under data privacy principles, as said third party may not have been “authorised” by the individual whose data it is, as they may object to the processing activities.

In a nutshell, the GDPR combines data protection and data privacy principles, and puts individuals back in control of how their data is used, whilst ensuring that businesses processing personal data are held accountable for their actions. This is a good thing, but it also has generated a lot of confusion, and the rest of this article aims to clear some of it:

Myth 1: The GDPR affects JUST Europe
Busted: The GDPR has Worldwide Impact

The GDPR applies to data processing carried out by organisations operating within the EU and to organisations outside the EU that offer goods and services to individuals in the EU.

Myth 2: The GDPR protects EU Citizens and Residents
Busted: A Data Subject is anyone with the borders of the EU

The GDPR uses the term “Data Subject” and the term “citizen” is not used at all in the regulation. The Data Subject is not just an EU citizen or resident, and doesn’t have to be either. It can be someone on holiday in the EU, or even someone in transit through the EU. A Data Subject is anyone within the borders of the EU.

Myth 3: The GDPR aims to protect Personally Identifiable Information
Busted: The GDPR aims to protect “Personal Data”

The GDPR only talks about “Personal Data” and “Sensitive Personal Data” (which is a subset of Personal Data and subject to more stringent protection requirements). There is no mention of PII (Personally Identifiable Information, which is information directly linked to a person) anywhere in the regulation. The table below aims to explain this:








Myth 4: Under the GDPR, businesses must obtain consent to process personal data
Busted: Under the GDPR “Consent” is only one of six lawful bases to process personal data

Consent gives individuals choice about how businesses use their data and ensures that they are accountable and transparent when it comes to data processing. Consent is not appropriate (and therefore unlawful) if

You would do it anyway

You made it a pre-condition of accessing services (and therefore not freely given)

You are in a position of power












Myth 5: Under the GDPR, businesses must disclose all data breaches
Busted: Under the GDPR, only data breaches likely to result in a risk to the rights and freedoms of individuals must be reported.

The risks to individuals as a result of breaches can be around discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. If the data breach is deemed a high risk to the rights and freedoms of individuals, the individuals must be notified without undue delay. A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. In addition, organisations must deploy and regularly test Incident Response processes.

Myth 6: Under the GDPR, Businesses Must Appoint a Data Protection Officer
Busted: Under the GDPR, Data Protection Officers are only essential appointments in the case of a) Public authorities, b) Organisations that engage in large-scale systematic monitoring and c) Organisations that engage in large-scale processing of sensitive personal data.

However, it is good practice to have someone allocated with the responsibilities of a data protection officer, whether mandated or not. Please also note that there is no company size threshold for the mandatory appointment of a DPO, which means it also applies to SMEs if they fit in the categories above. Please also note that anyone with an information security remit is charged with protecting the company & its data, whereas the responsibility of the DPO is to protect the interests of the data subject, even if these appear to clash with those of the company. Make sure there is no conflict of interest when choosing a DPO.

Myth 7: Under the GDPR, businesses must delete personal data when asked by a data subject
Busted: Under the GDPR, The right to erasure does not provide an absolute “right to be forgotten”.

The right to erasure does not provide an absolute “right to be forgotten”, and a Request for Erasure can be denied:

to exercise the right of freedom of expression and information;

to comply with a legal obligation or for the performance of a public interest task or exercise of official authority;

for public health purposes in the public interest;

for archiving purposes in the public interest, scientific research historical research or statistical purposes; or

For the exercise or defence of legal claims.

The right to erasure applies when:

the personal data is no longer necessary in relation to the purpose for which it was originally collected/ processed.

the individual withdraws consent.

the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.

the personal data was unlawfully processed.

the personal data has to be erased in order to comply with a legal obligation.

The personal data is processed in relation to the offer of information society services to a child.

Myth 8: Under the GDPR, businesses must encrypt personal data.
Busted: Under the GDPR, Encryption is not a mandatory requirement.

Encryption is mentioned in Recital 83, Articles 6, 32 and 34 as an example of suitable risk mitigation technology. Businesses need to assess the “scope, nature and context” of processing to determine whether encryption is a suitable tool for them. Encryption alone does not make businesses compliant with the GDPR. Not encrypting all personal data does not mean that data will be at risk of exposure.

Always ask: Could the processing of data harm the fundamental rights & freedom of individuals? Could it go against the protection of natural persons?

Myth 9: The GDPR will lead to huge fines.
Busted: The GDPR is not about fines. It’s about putting the consumer and citizen first.

Supervisory authorities are empowered to impose significant administrative fines on both data controllers and data processors.

Fines may be imposed instead of, or in addition to, measures that may be ordered by supervisory authorities. They may be imposed for a wide range of contraventions, including purely procedural infringements.
Administrative fines are discretionary rather than mandatory; they must be imposed on a case by case basis and must be “effective, proportionate and dissuasive”.

There are two tiers of administrative fines:

Some contraventions will be subject to administrative fines of up to EUR 10 mil or, in the case of undertakings, 2% of global turnover, whichever is the higher.

Others will be subject to administrative fines of up to EUR 20 mil or, in the case of undertakings, 4% of global turnover, whichever is the higher.

Fines will be calculated depending on:

How the regulator was told about the infringement

The types of data involved

The duration of the infringement

Whether the infringement was intentional or negligent

The policies and procedures deployed by the company

Prior infringements by the controller or processor

The degree of cooperation with the regulator

Myth 10: The GDPR is like Y2K.
Busted: GDPR compliance is NOT focused on a fixed point in time.

Whilst 25th May 2018 is engraved in everyone’s mind as the compliance deadline, complying with the GDPR is NOT focused on a fixed point in time and as such is very different from the Y2K Millennium Bug... GDPR compliance is an ongoing journey and organisations need to put in place key building blocks, including organisational commitment, understanding the information they have, implementing accountability measures, ensure appropriate security and training staff.

About Neira Jones

Neira advises organisations on payments, fintech, regtech, information security, regulations and digital innovation. She holds a number of Non-Executive Directorships and Advisory Board positions and is on the Thomsons Reuters UK’s top 30 social influencers in risk, compliance and regtech 2017 and the Planet Compliance Top 50 RegTech Influencers 2018.

About Emerging Payments Association

The Emerging Payments Association (EPA) has over 120 members from across the payments value chain. We connect the payments ecosystem, encourage innovation and drive business growth, strengthening the payments industry to benefit all stakeholders. Get in touch at info@emergingpayments.org or +44 20 7378 9890

Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: EPA, Neira Jones, data protection, data privacy, GDPR, consent, PII, fraud prevention, online security, identity theft
Countries: World