Demystifying the EU General Data Protection Regulation – Let’s BUST the Myths
Yes, you’ve all heard about it. Many companies have been raising the alarm about GDPR for months now, all offering protection and silver bullets to solve anything and everything to do with GDPR—all you have to do is install this one box. Right! It’s caused a lot of confusion and many questions, and organizations have no idea where to start. They assume they are excluded and do not need to do anything. Let’s clear this all up now, and demystify the EU GDPR.
The new EU General Data Protection Regulation has been in progress for several years. It replaces what was previously the European General Data Protection directive from 1995. The idea was to build a consistent foundation across all European Union States to create a basic commonality for the protection of data and critical infrastructure
Protecting the Personally Identifiable Information (PII) of European Citizens
The regulation is focused on ensuring that any nation state, organization, or company dealing with European citizens’ personally identifiable information is obliged to comply with this regulation. It requires that organizations dealing with the personal data of European citizens have a certain standard they must comply with. This means: effective data protection, adequate security measures, privacy by design, and when there is a data breach they must notify the national authority of the country in which they operate within 72 hours of a breach. Depending on the risk value of the information that’s been compromised—low risk or high risk—they must also notify the impacted party without undue delay.
This is the new foundation of responsibility and accountability when it comes to dealing with European citizens’ data.
What this all means is that your organization can now be held responsible for collecting excessive amounts of information. The more information you collect, the more you are accountable for. If, in the event of a breach, it is found that adequate security measures were not in place, there are significant penalties and fines—20 million euros or 4% of annual turnover.
So, let’s get down to the facts and demystify the EU General Data Protection Regulation so that it’s crystal clear.
Myth #1: If I comply with the EU General Data Protection regulation I will not get hacked
Absolute myth. Complying with the EU General Data Protection regulation does not mean you are protected from being hacked. It simply means that you’ve identified the Personally Identifiable Information from EU citizens that you are collecting or processing, and that you’ve set up appropriate processes to ensure consent, adequate security, and right to removal; and that you’re not collecting excessive data, or using it for inappropriately. It means you have accepted accountability over the collection or processing of EU Citizens’ personal identifiable information.
Myth #2: Our Company is not a European Company, so it does not apply to us
Busted! This is a myth. The EU General Data Protection Regulation is not bound by any borders and is applicable to any company or organization, globally, that is collecting or processing EU Citizen’s Personal Identifiable Information. This includes services hosted outside of the EU.
Myth #3: Our company is very small so we do not need to comply
Oh no, another myth. It doesn’t matter how small the company is. Just like the large enterprise companies, you need to comply. If you do business with EU Citizens personal data you must secure it.
Myth #4: We can just make our IT Manager our Data Protection Officer too, and done. Correct?
Bad, bad idea, and yes, myth busted. The IT Manager cannot be the Data Protection Officer. The role of performing Data Risk Assessments cannot be carried out by the same person who’s managing and procuring your systems. You cannot audit yourself. So the Data Protection Officer who is responsible and accountable for ensuring you comply with the EU GDPR must identify and ensure the appropriate process is in place to secure Personal Identifiable Information.
Myth #5: I can just install a single GPDR Compliance box and I am completely protected
BUSTED. Many companies are offering complete silver bullet compliance for GDPR, but in the end you are responsible and accountable for complying with GDPR, and I can assure you there is no silver bullet compliance box. Many companies will offer quick and easy solutions for GDPR, but it is important to understand clearly what they solve for GPDR. My recommendation is that you pay careful attention to the Incident Response and Breach notification requirements as these can make all the difference in surviving a cyber attack.
So now you have it. With several myths out of the way and the GDPR demystified you can get properly prepared. We have many helpful and educational resources here to help you secure your data, and some additional information about GDPR Compliance to help you rise to the challenge.
Want to learn more? Watch this webinar to learn more about the key impacts and consequences for your organization and how to set expectations for EU GDPR changes affecting the collection or processing of European citizen’s private data.