With under two years until the UK Data Protection Act 1988 is replaced with GDPR, businesses need to get access to the right information about the new legislation to properly assess the impact it may have. Misinformation has already started to spread which could cause some companies to come unstuck, so in order to combat some of the most common GDPR myths before they take hold, Rackspace puts right some of the misconceptions.
1. GDPR will become irrelevant to British businesses once the UK leaves the European Union
UK businesses may think that once the UK leaves the European Union they will no longer have to follow GDPR mandates. However, regardless of whether the UK ultimately leaves the EU, GDPR will apply to any business that deals with customers within the EU.
2. Responsibility lies with cloud and security providers – not the business
It’s not just businesses that collect data that are affected: any business that handles the data will also have to ensure it is compliant with the new regulations. This means that any business that provides data processing – regardless of whether it stores the data – will be impacted. Previously, businesses may have assumed that they could pass the responsibility for complying with data security regulations on to their cloud and security providers, but the onus is beginning to shift towards both providers and business customers to become more savvy about what security measures are necessary to protect their data.
3. German data can’t leave its borders
A myth that has re-emerged since GDPR was approved is that German data cannot leave its borders. But this is inaccurate – data can leave German territory if the correct process is followed. There are always restrictions on where data can go, how it can be used and who has access to it, but as long as a business is compliant with EU regulations then Germany shouldn’t be treated differently to other EU countries. For example, in the case of tax data, this may be stored outside of German borders so long as a copy of the original data still exists within Germany and the stored data is accessible by the applicable German tax authority.
4. Powerful countries like the USA can get access to data in other countries
The myth that powerful governmental bodies can demand access to data stored in foreign countries is a very common one, but it is untrue. For example, the US government recently demanded that Microsoft hand over data stored in Ireland, and, like all countries, the US had to follow due process when Microsoft filed an appeal against this in the US. The courts decided that the legislation on which the US government was relying when making the request was not sufficient. Although this leaves the issue open to debate, it’s clear that governments cannot operate freely outside of their own jurisdiction.
This myth feeds off the worries around data localisation – consumers are naturally concerned when they cannot see where their data is being sent. As news of large businesses and governments requesting access to foreign data becomes more frequent, the demand for clear legislation and regulation will help reassure customers that only those that have been granted permission maintain control and access to their data.
5. My business encrypts its data, so I’m compliant with security regulations
It would be easy to assume that by simply deciding to encrypt its data a business is therefore secure. Unfortunately, encryption alone is not sufficient. It should be regarded as the minimum standard, with additional mechanisms also being considered.
As more customers become security-savvy and ask about measures beyond mere encryption, businesses need to consider additional methods of securing data. This could include looking at two-factor authentication and key management strategies to store their users’ data safely and securely, or deleting data that is no longer needed.
Lilian Pang is senior director of Legal and DPO at Rackspace.