GDPR Compliance: Common Misconceptions
Attorney Elizabeth Harding Discusses the Challenges
Confusion persists around various provisions of the European Union's General Data Protection Regulation, particularly the issue of when organizations need to obtain a consumer's consent to process their data, says attorney Elizabeth Harding of the law firm Polsinelli.
One of the most common misunderstandings involves the "lawful basis for processing" of Europeans' data, she says in an interview with Information Security Media Group. "Under GDPR, you have to have this lawful basis to process ... and that can come from consent. But you can also have lawful basis for processing if it's necessary for performance of a contract, or for the company's legitimate business," she says.
Many companies, however, are relying on obtaining European individuals' consent for all data processing - and that's often a mistake, she says. "It's not necessary because often there is a different basis for processing."
In those cases where obtaining consent is necessary, GDPR has clear requirements for how consent should be obtained and documented, "and a lot of companies don't comply with those," she explains.
In addition, she notes, "there's the right of an individual to withdraw consent for processing. So, if you are a business and have collected information you really need to collect - [such as] to provide a service to an individual - but you've collected the [data] on the basis of consent, that individual has the right to come back and say, 'I don't want you to process that anymore.' And that leaves a mess."
In the interview, Harding also discusses:
- Critical third-party data access considerations and data transfer risks under GDPR;
- Other GDPR compliance challenges;
- The shift in U.S. privacy policies, with several states - including California and Colorado - tightening their privacy regulations.
Harding, who is licensed to practice law in Colorado and the United Kingdom, advises clients on data privacy, advertising and technology licensing matters. She also has significant experience counseling clients on how to comply with their EU privacy obligations, with a particular focus on how to prepare for, respond to and implement regulatory changes arising out of the GDPR.