1. What GDPR is really about
If you think it is just about data, you’re wrong. GDPR is about how you process the data and what control you have over that processing.
2. EU citizens’ rights are protected by GDPR
Unfortunately not. Under the GDPR, protection extends to the rights of people who are located in the EU and EEA when their data is collected, and to data that is collected in the EU and EEA.
3. Key responsibilities and duties of a Data Controller and Data Processor
The role of a Data Controller is to determine the purposes and means of processing the data. The Data Controller should always ensure it has a formal contract with its Data Processors. Contracts are required for GDPR compliance, as they outline what data is processed and how it should be processed.
If you are the Processor, as we often are, and you collect data outside the boundaries specified by the Controller, you become the Controller of that additional data. A clear data processing agreement between Controller and Processor is essential.
4. It is OK to contact people only when they have given you permission
If you’re in possession of contact information for people you want to do business with, it is OK to use it, even if you don’t have permission from them, as long as you stay away from harassment. Contacting someone daily may bring some complaints your way. It is important to be reasonable, and if someone asks you to stop, you should.
5. It’s our obligation to erase and/or provide data if our client requests it
This is not quite correct. Nowadays, the majority of financial institutions already have statutory regulatory requirements that allow them to hold PII (personally identifiable information) for longer periods of time. However, if you’re planning to keep large amounts of personal data, you should put some retention timeframes in place. Knowing why you collect the data, keeping it accurate and keeping it safe are key for compliance.
6. Only big companies need a DPO
You may think that you don’t need to appoint a DPO (Data Protection Officer) because your company is small or medium-sized. But this is not correct. Small and medium-sized companies may still manage large amounts of personal data, and DPOs act as coordinators between processors/controllers and regulators.
7. Only breaches result in fines
You may get fined due to lack of control over the data you collect or process. Being ignorant of a problem related to your data processing activities may have the same result as breaching the new regulation.
8. If you get fined, prepare to re-mortgage your house
This is not true. With the enforcement of GDPR, fines will be “Effective, Proportionate and Dissuasive”. GDPR is not here to collect money from breaches, but to condition the data-related practices of companies.
9. Only B2C companies are in scope
Every company that has employees is covered, and this includes B2B companies too. Personal data from your employees may be involved in a problem in the future, so we’d recommend you comply, even if you are not managing PII from customers.
10. Fixing data management is only the responsibility of the controller
This is true, to a certain extent. There are many processors that try to get additional money from you to fix things that are their responsibility as the providers of the service. As a controller, you should supervise the data processing, and avoid being charged extra for something you are already paying the processors to do.