Six Myths About GDPR

Uploaded on 2018-04-24 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

Despite months of publicity surrounding the General Data Protection Regulation, including the potential benefits of compliance, very few organisations are ready for the May 25 mandate.

That is the finding of one of the most recent studies to look at GDPR compliance, CGOC’s Top Corporate Data Protection Challenges survey. Only 6 percent of organisations say they are fully ready for the new data privacy and data protection regulation even at this late stage.

This means over the next several months, both before and after the implementation date, businesses will be scrambling to catch up.

If you’re one of these companies, it is essential you not fall into the trap of believing any of the following myths that have risen about the regulation, which can lead to overconfidence, poor risk assessments, wasted effort and ultimately noncompliance.

Myth 1: GDPR does not apply to us. We are subject only to the laws of the country and state in which we are incorporated, or we don’t store or process consumer information.

The wide scope of the GDPR accounts for protecting personal data of residents in Europe being processed by companies that are not based in the EU or that don’t do the processing in the EU. For example, a Brazilian company selling kitchen supplies to EU residents only from its website is still subject to the GDPR.

Further, the regulation is not limited to consumers. It applies to all EU residents, including an organisation’s employees and business associates residing in the EU. Significantly, it also applies if a company is just monitoring the behavior of individuals in the EU, such as a research firm, even if the data is not permanently stored.

Myth 2: A data controller or processor will pay horrendous fines for every infraction.

First the good news. A fine is just the final step in a long process designed to understand the scope of an infringement by a controller or processor and how the organisation allowed the infringement to happen. Not every violation will result in a fine, and not every fine will be based on the maximum amount.

Now the bad news. A fine is only one of the corrective measures included in the GDPR to put pressure on controllers and processors to comply with the regulation.

Myth 3: GDPR creates an EU-wide harmonised set of rules, so if we are compliant in one country we are compliant in all.

This was certainly the hope going into the process of creating the GDPR. Unfortunately, the member states did not agree on all aspects of the regulation. As a result, each member state can have special rules, and there are currently more than 70 of them, the most prominent related to the processing of employee data.

Each member state also has its own independent public authority responsible for monitoring how the regulation is applied.

Organisations operating in more than one EU country must understand each country’s specific rules and have the flexibility in their technology and processes to comply with each.

Myth 4: We have consent processes in place so we are fully GDPR compliant.

Not true. While consent is essential in most cases, the regulation involves far more than complying with the consent requirement, such as the right to be forgotten, data protection by design and by default, and protecting personal data being transferred outside the EU.

Myth 5: We already comply with EU data transfer regulations, such as Privacy Shield, and we are located in a country with adequate security, so we are GDPR compliant.

Not true. While protecting personal data being transferred outside the EU is essential, the regulation involves far more, such as the consent requirement, the right to be forgotten, and data protection by design and by default.

Myth 6: We are a certified processor or controller, or we are adhering to a code of conduct, so we must be complying fully with the GDPR.

The purpose of a certification for processors and controllers or developing a code-of-conduct for them to follow was to create entities that could help organizations understand their requirements and that could track compliance.

However, while certification makes demonstrating compliance easier and enables the market to identify certified organisations to do business with, it does not in any way ensure ongoing compliance or create immunity from an infringement should a breach occur.

Focusing on just one aspect of the GDPR or basing your compliance program on a superficial reading of articles about the regulation (yes, including this one!) is very dangerous.

You must understand the full scope and applicability, and with time running out, consider turning to organisations such as IAPP and the CGOC that can help you find the GDPR and information management resources you need to ensure your compliance program is on track.

To contact the GDPR Advisory Board please visit:  www.gdpr-board.co.uk

Information- Management:

You Might Also Read: 

Data Protection Officer's Guide To The GDPR Galaxy:

GDPR Countdown:

 

« A New Cold War Will Not Be Based On Hardware.
Leaked Emails Expose Russian Exploits In Ukraine »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Huawei

Huawei

Huawei is a leading global ICT solutions provider. with end-to-end capabilities across the carrier networks, enterprise, consumer, and cloud computing fields.

Bryan Cave LLP

Bryan Cave LLP

Bryan Cave LLP is a global business and litigation law firm. Practice areas include Data Privacy and Security.

Cifas

Cifas

Cifas are leaders in fraud prevention, working closely with UK law enforcement partners.

Greenbone Networks

Greenbone Networks

Greenbone Networks delivers a vulnerability analysis solution for enterprise IT which includes reporting and security change management.

C2A Security

C2A Security

C2A Security offers a comprehensive suite of cyber security solutions for the automotive industry, providing in-vehicle end-to-end protection.

IoTsploit

IoTsploit

IoTsploit provides 20/20 visibility of network connections, protecting critical infrastructure assets from IoT vulnerabilities.

SBD Automotive

SBD Automotive

SBD Automotive are specialists in automotive technology providing independent research and consultancy to help create smarter, more secure, better connected, and increasingly autonomous cars.

CyCraft Technology Corp

CyCraft Technology Corp

CyCraft is an AI company that forges the future of cybersecurity resilience through autonomous systems and human-AI collaboration.

Research Institute in Secure Hardware and Embedded Systems (RISE)

Research Institute in Secure Hardware and Embedded Systems (RISE)

The UK Research Institute in Secure Hardware and Embedded Systems (RISE) seeks to identify and address key issues that underpin our understanding of Hardware Security.

SECUINFRA

SECUINFRA

Since 2010, SECUINFRA have specialized in detecting, analyzing and defending against cyber attacks.

MAXXeGUARD Data Safety

MAXXeGUARD Data Safety

MAXXeGUARD: The High Security Shredder. MAXXeGUARD easily destroys hard disks up to the highest security levels as well as other digital data carriers like SSD’s, LTO’s, USB’s, CD’s etc.

RMRF Tech

RMRF Tech

RMRF is a team of cybersecurity engineers and penetration testers which specializes in the development of solutions for early cyber threat detection and prevention.

Krista Software

Krista Software

Krista is an intelligent automation platform that combines iPaaS and Conversational AI to automate complete business processes across your teams and apps.

Tidal Cyber

Tidal Cyber

We formed Tidal for one simple reason—we believe that defenders need and deserve tools and services that make achieving the benefits of threat-informed defense practical and sustainable.

Queen Consulting & Technologies

Queen Consulting & Technologies

Queen Consulting & Technologies specialize in providing IT support, management, and Security to Gov’t Contractors, CPAs, and Nonprofits.

Black Belt Secure

Black Belt Secure

We provide critical cybersecurity services such as managed security, ransomware mitigation, penetration testing, system auditing and compliance services to your organization.