6 GDPR myths that must be busted
Despite months of publicity surrounding the General Data Protection Regulation, including the potential benefits of compliance, very few organizations are ready for the May 25 mandate.
That is the finding of one of the most recent studies to look at GDPR compliance, CGOC’s Top Corporate Data Protection Challenges survey. Only 6 percent of organizations say they are fully ready for the new data privacy and data protection regulation even at this late stage.
This means over the next several months, both before and after the implementation date, businesses will be scrambling to catch up.
If you’re one of these companies, it is essential you not fall into the trap of believing any of the following myths that have risen about the regulation – which can lead to overconfidence, poor risk assessments, wasted effort and ultimately noncompliance.
Myth 1: GDPR does not apply to us. We are subject only to the laws of the country and state in which we are incorporated, or we don’t store or process consumer information.
The wide scope of the GDPR accounts for protecting personal data of residents in Europe being processed by companies that are not based in the EU or that don’t do the processing in the EU. For example, a Brazilian company selling kitchen supplies to EU residents only from its website is still subject to the GDPR.
Further, the regulation is not limited to consumers. It applies to all EU residents, including an organization’s employees and business associates residing in the EU. Significantly, it also applies if a company is just monitoring the behavior of individuals in the EU, such as a research firm, even if the data is not permanently stored.
Myth 2: A data controller or processor will pay horrendous fines for every infraction.
First the good news. A fine is just the final step in a long process designed to understand the scope of an infringement by a controller or processor and how the organization allowed the infringement to happen. Not every violation will result in a fine, and not every fine will be based on the maximum amount.
Now the bad news. A fine is only one of the corrective measures included in the GDPR to put pressure on controllers and processors to comply with the regulation.
Myth 3: GDPR creates an EU-wide harmonized set of rules, so if we are compliant in one country we are compliant in all.
This was certainly the hope going into the process of creating the GDPR. Unfortunately, the member states did not agree on all aspects of the regulation. As a result, each member state can have special rules, and there are currently more than 70 of them – the most prominent related to the processing of employee data.
Each member state also has its own independent public authority responsible for monitoring how the regulation is applied. Organizations operating in more than one EU country must understand each country’s specific rules and have the flexibility in their technology and processes to comply with each.
Myth 4: We have consent processes in place so we are fully GDPR compliant.
Not true. While consent is essential in most cases, the regulation involves far more than complying with the consent requirement, such as the right to be forgotten, data protection by design and by default, and protecting personal data being transferred outside the EU.
Myth 5: We already comply with EU data transfer regulations, such as Privacy Shield, and we are located in a country with adequate security, so we are GDPR compliant.
Not true. While protecting personal data being transferred outside the EU is essential, the regulation involves far more, such as the consent requirement, the right to be forgotten, and data protection by design and by default.
Myth 6: We are a certified processor or controller, or we are adhering to a code of conduct, so we must be complying fully with the GDPR.
The purpose of a certification for processors and controllers or developing a code-of-conduct for them to follow was to create entities that could help organizations understand their requirements and that could track compliance. However, while certification makes demonstrating compliance easier and enables the market to identify certified organizations to do business with, it does not in any way ensure ongoing compliance or create immunity from an infringement should a breach occur.
Focusing on just one aspect of the GDPR or basing your compliance program on a superficial reading of articles about the regulation (yes, including this one!) is very dangerous. You must understand the full scope and applicability – and with time running out, consider turning to organizations such as IAPP and the CGOC that can help you find the GDPR and information management resources you need to ensure your compliance program is on track.