Long answer short, people talk. Anything that is popular ends up being a long game of Chinese Whispers, for example, “blind as a bat” or your loo flushes in the opposite direction in the Southern Hemisphere. My point is, false information is easily spread, so I'm here to clear that up.
GDPR is not a completely new set of EU data protection rules; it has been formed from a collection of pre-existing rules, primarily based on the Data Protection Directive. These rules have been around since 1995, so GDPR aims to make sure it fits the new digital age.
The protection of personal data and sensitive personal information is a fundamental right in the E.U. As such, it applies to the processing of personal data through artificial intelligence and robotics. However, when the data used for AI are anonymised, the requirements of GDPR do not apply. GDPR has been developed and designed to be technologically neutral and provides the framework for the development of an AI respectful of individuals.
The GDPR does not require names to be removed from doorbells or mailboxes. Consent is only one of the legal bases on which data can be processed under the GDPR. Another legal basis applicable in this case is “legitimate interest”, as people need to know who lives in the flat in order to contact the person at hand or just to deliver mail. If names on doorbells are addressed in the rental contract, the contract as such is another potential legal basis.
The obligations set out are not the same for all companies and organisations. The GDPR is not meant to overburden small businesses; the obligations are calibrated to the size of the business and/or the nature of the data being processed. Small businesses that process less data, which is not sensitive (such as political views, gender), will have fewer obligations to follow.
For example, small organisations will not have to submit data protection impact assessments or appoint data protection officers.
The new data protection legislation takes journalism into account and provides journalists with a sense of “freedom”. This means journalists are still able to do their work and protect their sources. EU member states shall, when necessary, provide for exemptions or derogations for the press in their national laws.
Non-EU companies operating in the EU have to comply with GDPR too. No matter where they are based and where their data processing activities are occurring, all companies will be subject to the same sanctions if they break the rules. This creates a level playing field for both EU and non-EU companies.
Companies will have to ask for consent again if they wish to use your data for a second purpose (or send it to a third party) which was not originally stated. The GDPR states that personal data cannot be used without consent of the person concerned. Where your consent has been requested to process your data, you can, at any point in time, ask the organisation to stop processing it and withdraw your consent. They must do so if they have not relied on any other legal grounds for processing your data.
Political parties can process data for campaigns, but only for reasons which sit within the public's interest and provided that appropriate safeguards are established.
Breaking the rules does not automatically mean you will be fined €20 million. The GDPR establishes a range of penalties for those who break the rules: although there are fines, there are other corrective measures such as warnings, reprimands and orders to comply with data subjects’ requests. The data protection supervisory authorities' decision to impose fines must be proportionate and based on an assessment of the circumstances of the individual case. If they decide to impose a fine, the €20 million or 4% of annual turnover is the MAXIMUM amount. The amount of the fine greatly depends on the circumstances of the individual case, including the gravity of the infringement or if the infringement was intentional or negligent.
GDPR does not prevent children from writing to Santa. It's accurate to say that GDPR rules are designed to protect your personal details from being used without your permission. So all in all, it's up to the parents to decide whether their kids can share their wishlist or not.
I hope I have cleared some of the myths about GDPR that have been floating around the internet. I will be soon writing a guide on how to make your website GDPR compliant so make sure to subscribe to our newsletter to keep updated with all blogs.
This article was written for Saint Financial Group, a multidisciplinary group based in the UK that helps small businesses develop and grow. SaintFG offers a range of quality solutions in supporting businesses.