Six Myths About GDPR

Despite months of publicity surrounding the General Data Protection Regulation, including the potential benefits of compliance, very few organisations are ready for the May 25 mandate.

That is the finding of one of the most recent studies to look at GDPR compliance, CGOC’s Top Corporate Data Protection Challenges survey. Only 6 percent of organisations say they are fully ready for the new data privacy and data protection regulation even at this late stage.

This means over the next several months, both before and after the implementation date, businesses will be scrambling to catch up.

If you’re one of these companies, it is essential you not fall into the trap of believing any of the following myths that have risen about the regulation, which can lead to overconfidence, poor risk assessments, wasted effort and ultimately noncompliance.

Myth 1: GDPR does not apply to us. We are subject only to the laws of the country and state in which we are incorporated, or we don’t store or process consumer information.

The wide scope of the GDPR accounts for protecting personal data of residents in Europe being processed by companies that are not based in the EU or that don’t do the processing in the EU. For example, a Brazilian company selling kitchen supplies to EU residents only from its website is still subject to the GDPR.

Further, the regulation is not limited to consumers. It applies to all EU residents, including an organisation’s employees and business associates residing in the EU. Significantly, it also applies if a company is just monitoring the behavior of individuals in the EU, such as a research firm, even if the data is not permanently stored.

Myth 2: A data controller or processor will pay horrendous fines for every infraction.

First the good news. A fine is just the final step in a long process designed to understand the scope of an infringement by a controller or processor and how the organisation allowed the infringement to happen. Not every violation will result in a fine, and not every fine will be based on the maximum amount.

Now the bad news. A fine is only one of the corrective measures included in the GDPR to put pressure on controllers and processors to comply with the regulation.

Myth 3: GDPR creates an EU-wide harmonised set of rules, so if we are compliant in one country we are compliant in all.

This was certainly the hope going into the process of creating the GDPR. Unfortunately, the member states did not agree on all aspects of the regulation. As a result, each member state can have special rules, and there are currently more than 70 of them, the most prominent related to the processing of employee data.

Each member state also has its own independent public authority responsible for monitoring how the regulation is applied.

Organisations operating in more than one EU country must understand each country’s specific rules and have the flexibility in their technology and processes to comply with each.

Myth 4: We have consent processes in place so we are fully GDPR compliant.

Not true. While consent is essential in most cases, the regulation involves far more than complying with the consent requirement, such as the right to be forgotten, data protection by design and by default, and protecting personal data being transferred outside the EU.

Myth 5: We already comply with EU data transfer regulations, such as Privacy Shield, and we are located in a country with adequate security, so we are GDPR compliant.

Not true. While protecting personal data being transferred outside the EU is essential, the regulation involves far more, such as the consent requirement, the right to be forgotten, and data protection by design and by default.

Myth 6: We are a certified processor or controller, or we are adhering to a code of conduct, so we must be complying fully with the GDPR.

The purpose of a certification for processors and controllers or developing a code-of-conduct for them to follow was to create entities that could help organizations understand their requirements and that could track compliance.

However, while certification makes demonstrating compliance easier and enables the market to identify certified organisations to do business with, it does not in any way ensure ongoing compliance or create immunity from an infringement should a breach occur.

Focusing on just one aspect of the GDPR or basing your compliance program on a superficial reading of articles about the regulation (yes, including this one!) is very dangerous.

You must understand the full scope and applicability, and with time running out, consider turning to organisations such as IAPP and the CGOC that can help you find the GDPR and information management resources you need to ensure your compliance program is on track.

To contact the GDPR Advisory Board please visit:  www.gdpr-board.co.uk

Information- Management:

You Might Also Read: 

Data Protection Officer's Guide To The GDPR Galaxy:

GDPR Countdown:

 

« A New Cold War Will Not Be Based On Hardware.
Leaked Emails Expose Russian Exploits In Ukraine »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

E-Tech

E-Tech

E-Tech has been providing system support and information technology consulting services including Internet and Network Security assessments.

Group-IB

Group-IB

Group-IB is a leading provider of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property.

Conference-Service.com

Conference-Service.com

Conference-Service.com provides a categorised calendar of conferences and events which includes Information Security.

KIOS Center of Excellence (KIOS CoE)

KIOS Center of Excellence (KIOS CoE)

KIOS carries out top level research in the area of Information and Communication Technologies (ICT) with emphasis on the Monitoring, Control and Security of Critical Infrastructures.

Bellvista Capital

Bellvista Capital

Bellvista Capital connects entrepreneurs with capital and unmatched business expertise in the technology areas of Cloud Computing, Cyber Security and Data Analytics.

Qasky

Qasky

Anhui Qasky Quantum Technology Co. Ltd. (Qasky) is a new high-tech enterprise engaged in quantum information technology industrialization in China.

HacWare

HacWare

HacWare is a data driven cybersecurity awareness product that leverages machine learning and behavior analytics help IT professionals combat phishing.

Kainos

Kainos

Kainos is a leading provider of Digital Services and Platforms. Our services include Digital Transformation, Cyber Security, Cloud, AI, IoT and more.

Netography

Netography

Netography provides a scalable and reliable platform for detection & remediation of cyber threats found on your network.

MicroSec

MicroSec

MicroSec is a company specializing in IoT security. We focus on bringing enterprise grade security to IoT and embedded systems.

Reflectiz

Reflectiz

Reflectiz empowers digital businesses to make all web applications safer by non-intrusively mitigating any website risks without a single line of code.

Solvere One

Solvere One

Solvere One is a managed service provider (MSP) focused on corporate consulting and partnership.

Cybernatics

Cybernatics

Cybernatics is inspired by bringing together best-in-class innovations around Cybersecurity and Analytics. We offer tailored enterprise solutions to safeguard your organisations best interests.

Nokod Security

Nokod Security

Nokod Security delivers an application security platform for low-code / no-code custom applications and Robotic Process Automation (RPA).

ABM Technology Group

ABM Technology Group

ABM Technology Group (formerly True IT) provide business information technology services, solutions, and consulting for small to mid-sized organizations.

Graphiant

Graphiant

Graphiant’s Data Assurance service gives businesses end-to-end control and visibility into how data travels throughout the entire business network.