Pozrieme sa na 6 najčastejších mýtov o GDPR

The 6 greatest myths about the GDPR

The adoption date of the GDPR is approaching and there are increasing unverified reports on the internet that do not truthfully inform people about the new legislation. In this article, we look at the 6 most common myths about the GDPR and set the record straight.

Myth 1 - consent to the processing of personal data must be explicit

Explicit consent is only required when processing sensitive data. In general, though, it is enough for the consent to be clear – e.g. selecting the technical settings of services or any other kind of declaration or action that in this context clearly means the data subject consents to the proposed processing of their personal data.

Myth 2 - companies are obliged to appoint a Data Protection Officer (DPO)

A Data Protection Officer must be appointed only for those companies that pursue activities as specified in the GDPR. This concerns the following entities:

  1. public authorities
  2. organizations that deal with systematic monitoring of data subjects on a large scale
  3. organizations that deal with systematic processing of personal data on a large scale

If your company is not included in one of these categories, then you do not need to appoint a DPO, even though this step is recommended as part of the GDPR.

Myth 3 - Achieving compliance with the GDPR is a process to the extent

Preparation of the documentation for GDPR compliance greatly influences the operation of an organization and represents a complex process requiring collaboration of various company departments (HR, IT, Legal Department, Finance, Sales, Marketing). Due to its broad coverage, sufficient time should be planned for the analysis and preparation of measures for the collation, processing and archiving of personal data. The binding implementation date of the GDPR is 25 May 2018.

Myth 4 - Data subjects have the absolute “right to be forgotten”

Even in spite of a request for personal data to be erased, organizations can still process these personal data provided the original purpose of processing is still valid or if there is some legal obligation to preserve these data. If personal data are provided to third parties, it is necessary to take reasonable steps to inform third party controllers that the data subject has requested the erasure and to arrange the erasure of respective data.

Myth 5 - Personal data that a company already has in its database

These data are not subject to the regulation. The GDPR applies to all personal data regardless of when the data was collected. In other words, if these data were collected before the regulation took effect (25 May 2018), they are subject to the same GDPR requirements as data collected after this date.

Myth. 6 - Giants like Facebook and Google will profit from the GDPR

Many articles have appeared on the internet recently claiming that technology giants like Facebook and Google will profit greatly from application of the GDPR. General director of Digital Content Next – Jason Kint, on the other hand, argues that it is precisely Facebook and Google that are among those companies facing the greatest risk from increased consumer data protection in the EU. It is therefore a myth that the regulation could have come from the workshop of Facebook or Google lobbyists.