Five GDPR myth-busters
Locations
Myth 1: "I am a data processor because that's what it says in my contract"
Think again! Whether a party is a controller or a processor is not dictated by the contract: this is a question of fact. Put simply, if they are calling the shots about how and why personal data is used, they will be a data controller – even if the contract positions them as a processor.
It is important to note that a party can be both a controller and a processor of the same data. For instance, a service provider engaged as a data processor to provide contracted services can also stray into controllership by using the data for their own purposes (such as analytics and service improvements). You can read our blog about the French regulator's commentary on processors using data for their own purposes here.
Myth 2: "We've removed the individual's name and assigned them a number instead – we don't know who they are anymore so this isn't personal data"
False! This process of coding personal data (so that it can no longer be attributed to an individual without the use of additional information) is known as pseudonymisation. Whilst this can be a helpful security and privacy risk management measure, it does not bring the data set outside the scope of EU/UK GDPR: pseudonymised data is still personal data. Only where data is anonymised (i.e. it does not relate to an identified or identifiable individual) will it no longer be personal data. For more information on the hurdles you might encounter when trying to anonymise data in practice, see our guide here.
Myth 3: "I'm not processing personal data; I'm just deleting it"
Not quite! In fact, the definition of "processing" under Article 4 of the UK/EU GDPR is a very broad one, and specifically includes "erasure or destruction" of personal data.
Myth 4: "I can't be a controller of that database because I don't have access to it"
Not always! As mentioned above, whether a party is a controller of personal data will hinge on whether they decide the key purposes and means of processing it. It is not a prerequisite that they have access to the data in question. By way of example, a sponsor of a clinical trial will be a controller of the full, individual-identifying, trial results: and this is still the case even where they never actually have access to that full data set (e.g. they only receive aggregated and/or pseudonymised information about trial participants).
Myth 5: "Data protection law is completely harmonised across the EU after GDPR"
Wrong – regrettably! A key rationale of the GDPR was to harmonise data protection law across the EU and, because it is a regulation, it is directly applicable in member states. However, certain aspects of the GDPR are supplemented by domestic law and the regulation specifically allows for divergence in particular areas. One example is the age of consent (i.e. the age at which a child is able to give their consent to data processing): whilst GDPR sets this at 16, member states can choose to lower this (to no younger than 13).
Separately, it should be remembered that direct marketing rules – whilst overlapping with GDPR given that personal data processing involved in sending marketing must be GDPR-compliant – are in fact set out in a distinct EU directive. Unlike a regulation, the directive is not directly applicable and must be implemented through domestic law in order to take effect in a member state: for this reason, direct marketing requirements differ quite significantly across the EU and the UK.
Note that GDPR hyperlinks in this blog link to our Fieldfisher UK GDPR site: the UK GDPR is substantively identical to the EU GDPR at present.