As most of us know by now, the General Data Protection Regulation (GDPR) is just around the corner. From the 25th of May, theoretically, organizations under the mandate will be subject to its strict data protection laws and face hefty penalties for non-compliance.
You may be forgiven for thinking that, because your company resides outside of the EU, GDPR doesn’t apply to you. I say this because there are a lot of myths about GDPR circulating at the moment, including how it will affect companies in the US, or those in a post-Brexit Britain.
In this article, I will try to dispel six of the most common myths about GDPR that I’ve seen circulating, as well as give you an idea of how you can be better prepared for May 25th. But first, let’s define what GDPR means and why it has been proposed.
A Brief Outline of GDPR
GDPR has been proposed for two main reasons. Firstly, the current data protection legislation in the EU is out of date. Since 1995, when it was first introduced, the EU has evolved tremendously. Whilst that’s a good thing for globalization, it has made data protection very difficult to implement, as each member state has its own way of interpreting and applying the directive. Secondly, technology has changed massively, bringing with it a new set of data protection challenges, including cloud computing, mobiles, social media and much more.
Under GDPR, organizations are required to know what data they hold, who can access it and where it is located. It mainly refers to PII (personally identifiable information), which includes card numbers, social security information, names and much more.
GDPR aims to give more power to people over how their data is stored and processed, increasing security of PII regardless of where it is sent.
So, with that out of the way, let’s get into some of the most common myths surrounding GDPR that organizations are still falling victim to.
Myth 1. GDPR Only Affects EU Companies
This is an easy one to dispel. GDPR has what’s referred to as an “extraterritorial” scope. If an organization, regardless of location, processes or stores the personal data of EU citizens, then they are bound by this mandate.
So, what this means for companies outside of the EU is that if you process the data of an EU citizen, you will probably have to prepare for GDPR (regardless of where you operate). Thankfully, this shouldn’t be too much of an organizational shift, as most organizations around the world should already be bound by similar data legislation, such as the EU-US Privacy Shield in the US (which recently replaced the Safe Harbor agreement).
Myth 2. GDPR is Just About the Fines
This myth could be a result of the scaremongering tactics many organizations use to get people to start thinking about GDPR compliance. It’s true that there are hefty financial penalties for non-compliance, ranging from approximately $25 million to 4% of annual turnover (whichever is higher). But this is not what GDPR is about.
It’s easy to be taken aback by these hefty potential fines, as they make for great headlines, but focusing on this is completely missing the true objective of the regulation. GDPR is about putting the consumer and the general public at the forefront of data security.
It’s also worth noting that being outed as non-compliant could have potentially far greater implications than a simple financial penalty. You may have to deal with the damage to reputation and consumer confidence that comes along with it.
Myth 3. GDPR Is Mainly to Defend Against External Hacks
Many news stories of recent data breaches focus on external hacks, as these tend to create the biggest and most sensationalist headlines. One example being Uber, the global taxi technology company, who revealed in late 2017 that they had been hacked and the personal information of 57 million Uber users and drivers had been stolen.
Stories like these are almost always picked up by the mainstream press because of the rise in popularity of “hacker culture.” But this isn’t showing the whole side of the story, and it definitely isn’t the only thing that GDPR is aiming to defend against.
According to the Ponemon Institute’s 2017 Cost of Data Breach Study, malicious or criminal attacks accounted for only 47% of data breaches, meaning that the majority of data breaches occur due to human error and system glitches. It’s these unintentional mistakes, made when handling sensitive data, that need to be addressed, and under GDPR the frequency with which they are made will hopefully fall.
Myth 4. GDPR Is Just About Punishing Companies
The Information Commissioner’s Office (ICO) – the organization in charge of upholding information rights in the UK – does not issue fines lightly. Over the 2016/2017 period, there were 17,300 cases of non-compliance, with only 16 organizations being fined. The objective of GDPR will not be to make examples of organizations; it’s about putting the privacy and security of your customers first.
I’m sure there will be a few cases where organizations face punishments for gross non-compliance, and they will almost certainly be widely publicized. However, I expect this to be the exception and not the norm.
GDPR is about shifting mindsets – going into business activities whilst keeping the safety and security of your customers and citizens at the forefront of your mind.
Myth 5. GDPR is Unnecessary
I have already touched upon this point, but as it is such a common myth it bears repeating. There is a misunderstanding that, because there are already strict data protection laws in place across Europe, GDPR is unnecessary. This stems from a frustration that implementing GDPR will undoubtedly have an impact on organizations’ resources.
GDPR is a necessary update to an old and outdated regulation that builds upon many of the key themes that already existed – being transparent, ensuring data is secure and putting the customer first. These are all things that organizations should already be used to doing.
There is also a worry that GDPR will place a particularly hard strain on SMEs. However, the ICO remains firm that the task of compliance is scaled to the risk, meaning that SMEs with limited resources and time to spend on GDPR will not be treated the same way as enterprise organizations.
Myth 6. GDPR Is a Problem for the IT Team Only
This relates not just to GDPR, but to data protection as a whole. The word “data” seems to be a buzzword which is exclusively related to IT. Issues with data protection are often simply palmed off to IT departments. In reality, data protection (and in particular, GDPR) forces organizations to work interdepartmentally to ensure compliance.
In order to fully understand where personal data resides, where it originated from, who uses it, how it’s used and more, information from multiple departments will be required. You must educate your whole organization on best practices for meeting GDPR in order to stand a chance of meeting the stringent requirements.
How to Get Ready
If this is the first time you’re realizing that GDPR applies to you, and that you need to get ready, I wouldn’t blame you if it all felt a bit daunting. However, don’t fear, there are numerous affordable and easy-to-use auditing solutions that can give you the required information about sensitive data in your organization.
About the Author
Philip Robinson is a London-based marketing professional with a wealth of experience in blogging for cybersecurity, compliance and IT auditing related publications. Since graduating from the University of Southampton with a BA Honours degree, he regularly produces informative and educational blogs in his spare time around the world of info-security.