Six Myths About GDPR

Uploaded on 2018-04-24 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

Despite months of publicity surrounding the General Data Protection Regulation, including the potential benefits of compliance, very few organisations are ready for the May 25 mandate.

That is the finding of one of the most recent studies to look at GDPR compliance, CGOC’s Top Corporate Data Protection Challenges survey. Only 6 percent of organisations say they are fully ready for the new data privacy and data protection regulation even at this late stage.

This means over the next several months, both before and after the implementation date, businesses will be scrambling to catch up.

If you’re one of these companies, it is essential you not fall into the trap of believing any of the following myths that have risen about the regulation, which can lead to overconfidence, poor risk assessments, wasted effort and ultimately noncompliance.

Myth 1: GDPR does not apply to us. We are subject only to the laws of the country and state in which we are incorporated, or we don’t store or process consumer information.

The wide scope of the GDPR accounts for protecting personal data of residents in Europe being processed by companies that are not based in the EU or that don’t do the processing in the EU. For example, a Brazilian company selling kitchen supplies to EU residents only from its website is still subject to the GDPR.

Further, the regulation is not limited to consumers. It applies to all EU residents, including an organisation’s employees and business associates residing in the EU. Significantly, it also applies if a company is just monitoring the behavior of individuals in the EU, such as a research firm, even if the data is not permanently stored.

Myth 2: A data controller or processor will pay horrendous fines for every infraction.

First the good news. A fine is just the final step in a long process designed to understand the scope of an infringement by a controller or processor and how the organisation allowed the infringement to happen. Not every violation will result in a fine, and not every fine will be based on the maximum amount.

Now the bad news. A fine is only one of the corrective measures included in the GDPR to put pressure on controllers and processors to comply with the regulation.

Myth 3: GDPR creates an EU-wide harmonised set of rules, so if we are compliant in one country we are compliant in all.

This was certainly the hope going into the process of creating the GDPR. Unfortunately, the member states did not agree on all aspects of the regulation. As a result, each member state can have special rules, and there are currently more than 70 of them, the most prominent related to the processing of employee data.

Each member state also has its own independent public authority responsible for monitoring how the regulation is applied.

Organisations operating in more than one EU country must understand each country’s specific rules and have the flexibility in their technology and processes to comply with each.

Myth 4: We have consent processes in place so we are fully GDPR compliant.

Not true. While consent is essential in most cases, the regulation involves far more than complying with the consent requirement, such as the right to be forgotten, data protection by design and by default, and protecting personal data being transferred outside the EU.

Myth 5: We already comply with EU data transfer regulations, such as Privacy Shield, and we are located in a country with adequate security, so we are GDPR compliant.

Not true. While protecting personal data being transferred outside the EU is essential, the regulation involves far more, such as the consent requirement, the right to be forgotten, and data protection by design and by default.

Myth 6: We are a certified processor or controller, or we are adhering to a code of conduct, so we must be complying fully with the GDPR.

The purpose of a certification for processors and controllers or developing a code-of-conduct for them to follow was to create entities that could help organizations understand their requirements and that could track compliance.

However, while certification makes demonstrating compliance easier and enables the market to identify certified organisations to do business with, it does not in any way ensure ongoing compliance or create immunity from an infringement should a breach occur.

Focusing on just one aspect of the GDPR or basing your compliance program on a superficial reading of articles about the regulation (yes, including this one!) is very dangerous.

You must understand the full scope and applicability, and with time running out, consider turning to organisations such as IAPP and the CGOC that can help you find the GDPR and information management resources you need to ensure your compliance program is on track.

To contact the GDPR Advisory Board please visit:  www.gdpr-board.co.uk

Information- Management:

You Might Also Read: 

Data Protection Officer's Guide To The GDPR Galaxy:

GDPR Countdown:

 

« A New Cold War Will Not Be Based On Hardware.
Leaked Emails Expose Russian Exploits In Ukraine »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Pluralsight

Pluralsight

Pluralsight helps enterprises build technology skills at scale with expert-authored courses on today’s most important technologies including information and cyber security.

Prim'X Technologies

Prim'X Technologies

Prim'X Technologies provides information protection solutions to prevent unauthorised access to sensitive data.

Kount

Kount

Kount's “decision engine” platform is ideal for managing fraud in online/telephone channels that process payments and onboard new customers.

BetterCloud

BetterCloud

BetterCloud puts IT in control of the modern workplace through user lifecycle management, data discovery, and IT and security automation purpose-built for SaaS.

Cyber Security Specialists

Cyber Security Specialists

Cyber Security Specialists Limited provide Security services across a wide range of markets, from multi-national Corporate Organisations and Government Agencies, through to smaller Businesses.

ThreatAware

ThreatAware

Total visibility of your business cybersecurity. Monitoring, management and compliance for your cybersecurity tools, people and processes from one easy to use dashboard.

Bradley-Morris

Bradley-Morris

Bradley-Morris is a leading recruiting firm specializing in transitioning military and veteran talent into civilian careers including Cybersecurity.

Nubeva Technologies

Nubeva Technologies

Nubeva provide a breakthrough TLS Decrypt solution with Symmetric Key Intercept to gain the visibility needed to monitor and secure network traffic.

CliftonLarsonAllen (CLA)

CliftonLarsonAllen (CLA)

CLA exists to create opportunities for our clients through industry-focused advisory, outsourcing, audit, tax, and consulting services.

ID North

ID North

ID North is a Nordic service provider offering identity security to its customers by providing world class expertise and best-in-class solutions and services.

Rootly

Rootly

Rootly is an incident management platform on Slack that helps automate manual admin work during incidents.

Doherty Associates

Doherty Associates

Drawing on our deep industry knowledge and business insight, Doherty deliver intelligent IT solutions and services that help people work more securely, more productively and more creatively.

ProvenRun

ProvenRun

ProvenRun is a leading provider of trusted software solutions with extensive expertise and an unwavering commitment to security.

Myrror Security

Myrror Security

Myrror Security is a software supply chain security solution that aids lean security teams in safeguarding their software against breaches.

Icon Information Systems (ICONIS)

Icon Information Systems (ICONIS)

ICONIS is an integrated infrastructure and service provider, offering unified Information Technology (IT) solutions globally.

Seven AI

Seven AI

Seven AI develops cyber security software designed to identify online threats.