Six Myths About GDPR

Uploaded on 2018-04-24 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

Despite months of publicity surrounding the General Data Protection Regulation, including the potential benefits of compliance, very few organisations are ready for the May 25 mandate.

That is the finding of one of the most recent studies to look at GDPR compliance, CGOC’s Top Corporate Data Protection Challenges survey. Only 6 percent of organisations say they are fully ready for the new data privacy and data protection regulation even at this late stage.

This means over the next several months, both before and after the implementation date, businesses will be scrambling to catch up.

If you’re one of these companies, it is essential you not fall into the trap of believing any of the following myths that have risen about the regulation, which can lead to overconfidence, poor risk assessments, wasted effort and ultimately noncompliance.

Myth 1: GDPR does not apply to us. We are subject only to the laws of the country and state in which we are incorporated, or we don’t store or process consumer information.

The wide scope of the GDPR accounts for protecting personal data of residents in Europe being processed by companies that are not based in the EU or that don’t do the processing in the EU. For example, a Brazilian company selling kitchen supplies to EU residents only from its website is still subject to the GDPR.

Further, the regulation is not limited to consumers. It applies to all EU residents, including an organisation’s employees and business associates residing in the EU. Significantly, it also applies if a company is just monitoring the behavior of individuals in the EU, such as a research firm, even if the data is not permanently stored.

Myth 2: A data controller or processor will pay horrendous fines for every infraction.

First the good news. A fine is just the final step in a long process designed to understand the scope of an infringement by a controller or processor and how the organisation allowed the infringement to happen. Not every violation will result in a fine, and not every fine will be based on the maximum amount.

Now the bad news. A fine is only one of the corrective measures included in the GDPR to put pressure on controllers and processors to comply with the regulation.

Myth 3: GDPR creates an EU-wide harmonised set of rules, so if we are compliant in one country we are compliant in all.

This was certainly the hope going into the process of creating the GDPR. Unfortunately, the member states did not agree on all aspects of the regulation. As a result, each member state can have special rules, and there are currently more than 70 of them, the most prominent related to the processing of employee data.

Each member state also has its own independent public authority responsible for monitoring how the regulation is applied.

Organisations operating in more than one EU country must understand each country’s specific rules and have the flexibility in their technology and processes to comply with each.

Myth 4: We have consent processes in place so we are fully GDPR compliant.

Not true. While consent is essential in most cases, the regulation involves far more than complying with the consent requirement, such as the right to be forgotten, data protection by design and by default, and protecting personal data being transferred outside the EU.

Myth 5: We already comply with EU data transfer regulations, such as Privacy Shield, and we are located in a country with adequate security, so we are GDPR compliant.

Not true. While protecting personal data being transferred outside the EU is essential, the regulation involves far more, such as the consent requirement, the right to be forgotten, and data protection by design and by default.

Myth 6: We are a certified processor or controller, or we are adhering to a code of conduct, so we must be complying fully with the GDPR.

The purpose of a certification for processors and controllers or developing a code-of-conduct for them to follow was to create entities that could help organizations understand their requirements and that could track compliance.

However, while certification makes demonstrating compliance easier and enables the market to identify certified organisations to do business with, it does not in any way ensure ongoing compliance or create immunity from an infringement should a breach occur.

Focusing on just one aspect of the GDPR or basing your compliance program on a superficial reading of articles about the regulation (yes, including this one!) is very dangerous.

You must understand the full scope and applicability, and with time running out, consider turning to organisations such as IAPP and the CGOC that can help you find the GDPR and information management resources you need to ensure your compliance program is on track.

To contact the GDPR Advisory Board please visit:  www.gdpr-board.co.uk

Information- Management:

You Might Also Read: 

Data Protection Officer's Guide To The GDPR Galaxy:

GDPR Countdown:

 

« A New Cold War Will Not Be Based On Hardware.
Leaked Emails Expose Russian Exploits In Ukraine »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Spiceworks

Spiceworks

Spiceworks provide a range of free apps for IT professionals including network inventory, network monitor, and help desk.

Auth0

Auth0

Auth0 is a cloud service that provides a set of unified APIs and tools that instantly enables single sign-on and user management for any application, API or IoT device.

AppTec

AppTec

AppTec is a leading software vendor in the field of Unified Endpoint Management and Mobile Security.

Fend

Fend

Fend secures smart infrastructure. We provide a robust, highly secure way to have situational awareness of IoT enabled assets.

Findcourses.com

Findcourses.com

Findcourses is a dedicated education search engine designed to make it easy for our learners to search and find exactly what they need from our community of trusted training providers.

Strike Graph

Strike Graph

The Strike Graph GRC platform enables Security Audits & Certifications.

Ridge Canada Cyber Solutions

Ridge Canada Cyber Solutions

Ridge Canada helps insurance brokers and insurance buyers understand, evaluate, and secure cyber coverage that is tailored to their business.

BridgingMinds Network

BridgingMinds Network

BridgingMinds Network is an industry leading best practices and IT security training provider in Singapore.

Ostra Cybersecurity

Ostra Cybersecurity

As a next-generation MSSP, Ostra Cybersecurity combines best-in-class tools, proprietary technology and exceptional talent to deliver Fortune 100-level protection for businesses of all sizes.

NANO Corp

NANO Corp

At NANO Corp, we keep your network visible, understandable, operational and secure with state-of-the-art technology.

NextGen Cyber Talent

NextGen Cyber Talent

NextGen Cyber Talent is a non-profit providing a platform to increase diversity and inclusion in the cybersecurity industry.

Kolide

Kolide

Kolide ensures that if a device isn't secure, it can't access your apps.

Defendis

Defendis

Defendis develops AI-powered cybersecurity solutions for Government Agencies, Banks, and Businesses, designed to helps them contain data leaks, minimise damage, and proactively hunt for new threats.

GoCloud Systems

GoCloud Systems

GoCloud is an IT consulting firm. We provide IT strategy and cloud adoption services to the New Zealand Government, Non-Profit Organisations and private industry.

National Renewable Energy Laboratory (NREL) - USA

National Renewable Energy Laboratory (NREL) - USA

NREL is transforming energy through research, development, commercialization, and deployment of renewable energy and energy efficiency technologies.

SignalRed

SignalRed

SignalRed provides the cutting edge next-generation penetration testing and secure development solutions to startups and large enterprises.