I hear odd data myths. Here’s a compilation.
Myth 1: UK law says I can’t transfer my data outside the UK
Truth: Wrong. You can transfer within the EEA, to any country on the EU Commission’s adequacy list and to other countries with appropriate safeguards, such as the EU/US Privacy Shield.
Myth 2: German law says I can’t transfer my data outside Germany
Truth: Wrong. This article explains that and other German law myths: Dispelling German Data Myths.
Myth 3: If I use a server in India but access the data stored on it from the UK, that’s not a transfer
Truth: Wrong. That is a transfer of data and must comply with the Data Protection Act.
Myth 4: It’s cheaper to pay a data breach fine than implement proper data security
Truth: Actually, that’s probably true until next year. The ICO fined TalkTalk £400,000 for its data breach. The maximum could have been £500,000. If the new GDPR had been enforced in the UK, that fine could have been up to £70,000,000. So, from May 2018 (when GDPR becomes enforceable), it will probably be cheaper to avoid a fine.
Myth 5: My cloud provider contracts on standard terms and therefore dictates the data terms. That means they’re the controller not me, so they’ll be fined, not me
Truth: Wrong. You’re still the controller, and you need to check the terms and make sure they will protect the data properly. You could be fined, and you’ll probably find your cloud provider has excluded all liability.
Myth 6: GDPR won’t change anything
Truth: Wrong. Apart from the massive new fines, it introduces a number of changes including more rights for individuals. Read my article for more info.
Myth 7: GDPR won’t apply in the UK because of Brexit
Truth: Wrong. GDPR becomes enforceable in May 2018. The UK will still be in the EU then, so GDPR will apply.
Myth 8: Upon Brexit, GDPR is a form of EU red tape that will be abolished
Truth: Unlikely. The Great Repeal Bill – which will take the UK out of the EU – will likely curtail freedom of movement of people, not data.
Myth 9: UK compliance to GDPR will be unaffected by Brexit
Truth: Brexit will likely take the UK outside the EEA. If the EU Commission decides that the UK Investigatory Powers Act is too broad, the UK will need its own Privacy Shield.
Myth 10: GDPR means I have to appoint a Data Protection Officer
Truth: Yes, if you’re a public sector organisation or you regularly and systematically monitor data on a large scale. Otherwise, no, you don’t need a dedicated DPO. You should still appoint someone with responsibility for data compliance, though, to avoid those nasty fines.
Myth 11: What’s GDPR?
Truth: Actually, I get asked that a lot. If that’s you, then you should probably start here.
Myth 12: I’ve been doing business for 25 years. I don’t need you to tell me about DPA and contracts.
Truth: You’re probably right. With massive data breach fines on the way and other changes under GDPR, you’re probably already updating your contracts to reduce your new risks.
What others have you heard?