GDPR is a pervasive topic in social media, news outlets, professional conferences, and vendor marketing materials. Given the complexity of the topic, there has been some confusion regarding certain items within the regulation. This post will attempt to dispel a few of the more common myths.
The General Data Protection Regulation (GDPR) was passed on April 14, 2016 and goes into enforcement on May 25, 2018. The regulation was established to protect and empower the data privacy of EU citizens and to alter the way organizations approach data privacy. It is a set of 99 articles defining guidelines and requirements for how organizations must handle data they have been given to control and/or process. The following flow chart provides a simple process to determine whether GDPR applies to an organization.
Let’s explore some of the common myths related to GDPR.
Myth 1: We’re a non-EU based company with no offices anywhere in Europe.
Fact: The regulation isn’t focused on the location of your company headquarters or satellite offices. It is focused on the data subjects whose data your company collects, processes, and stores in the course of doing business. If you process or retain data on even one EU citizen, you will have to comply with GDPR. How GDPR applies in this situation, and the level of compliance required, changes based on a few potential factors. Trace3 can assist with deciphering these requirements with a GDPR workshop.
Myth 2: I don’t do business directly with EU citizens, as we are a third-party processor of data provided to us by our partner.
Fact: In GDPR terms, this makes you a processor and your partner a controller. You are just as responsible for protecting the data entrusted to you as the partner who collected it.
Myth 3: I store all of my data with a cloud service provider, so GDPR is their responsibility, not mine.
Fact: This is the inverse of Myth 2: here you are the controller, meaning your organization is the one that collected the data to which GDPR applies, and the cloud service provider is your processor. The regulation does not allow responsibility to be passed along. Once you have received and processed the data of an EU citizen, you are responsible for the proper stewardship of that data.
Myth 4: We encrypt all of our data at rest, so that is enough for GDPR purposes.
Fact: Although encryption is a very useful control for ensuring data control and security, it is not enough on its own to satisfy the tenets of the regulation. Article 32 requires companies to implement technical and organizational measures that are appropriate to the level of risk presented by the company’s data processing activities. Pseudonymization and encryption cannot stand alone as appropriate data protection measures. Other measures that should be considered, as appropriate to the risk, include DLP, information governance technologies that address data retention and defensible disposition, and data access controls.
Myth 5: We just need to avoid being fined.
Fact: Although GDPR imposes some hefty administrative fines for failing to meet the obligations of the regulation, non-compliance also carries other costs, depending on the severity of the incident. We are all aware of the costs and impacts incurred by Target, Home Depot, Equifax, and others as a result of their breaches. In addition to the quantifiable fines instituted by GDPR, the regulation also includes provisions that permit compensation to be paid to those suffering damages from any infringement of the regulation.
Myth 6: Product X will get me to compliance right away. They tell me that their technology covers all of the requirements.
Fact: There is no magic bullet for reaching compliance with GDPR. As is the case with PCI, HIPAA, and similar regimes, compliance is more than a technology. In order to obtain and sustain compliance, a full program needs to be implemented that encompasses efforts from departments across the organization, including sales and marketing, finance, HR, legal, IT, and information security. Compliance is a people, process, and technology issue, and success cannot be achieved if any one of these three components is ignored or marginalized. Technology can accelerate the process but is not the fix for non-compliance.
I’m hoping that this article has helped you navigate some of the initial confusion surrounding GDPR. For further assistance, please watch for future articles, or give us a call. Trace3’s holistic approach to solving your GDPR needs encompasses subject matter experts across our data security, data management, and data intelligence teams.