General Data Protection Regulation (GDPR) will go into effect on May 25, 2018, and there’s been a whirlwind of information about it since it was formally adopted in April 2016. While it’s great to have more knowledge at your fingertips, unverified, often opinion-based information can spread and even turn into fake news.
That’s why it’s key to stay informed about what your company really needs to know about GDPR. Here are four of the most common myths about GDPR debunked, based on the Information Commissioner’s Office’s 12 actionable steps:
GDPR Myth #1: “GDPR doesn’t apply to us because we’re a US-based company.”
Not so fast. Companies based in the US can still hold the personal data of European citizens, so those data privacy obligations still need to be addressed. Determine where your company keeps European citizens' data, and have your IT team produce a data assessment report that finds and documents sensitive personally identifiable information, so you are prepared for future compliance and e-discovery requests.
GDPR Myth #2: “If I’m compliant, I’ll prevent breaches.”
The goal of GDPR is not to quash cyber attacks, nor to encourage companies to become cybersecurity leaders. Instead, GDPR aims to raise the minimum level of security and personal information protection. This creates an opportunity for your company to build a solid cybersecurity plan that can grow and transform with the times. First, find out where your data is located, whether or not it is encrypted, and where it may be stored in the EU. Do this in a legally defensible manner and you will be leading the pack in complying with GDPR.
GDPR Myth #3: “My company uses encryption and other methods to protect private data, so we’re GDPR-compliant.”
Using a technique known as data masking, companies can create similar but inauthentic versions of their data, protecting the real data while keeping a substitute for when real data isn't needed. While this is helpful, it still may not satisfy Article 32 of GDPR, which requires companies to address the risk of accidental or unlawful destruction, loss, alteration, and unauthorized disclosure of personal data. Take a wide look at the technology available, assess whether your company is doing enough to meet this requirement, and then build a comprehensive privacy and data protection plan.
GDPR Myth #4: “My company’s personal data is already in our database. That means it’s not subject to GDPR.”
Well, not quite. GDPR applies to all personal data regardless of when it was collected, not only to data collected after GDPR goes into effect. That means all collected data connected with or associated with a person in the EU will be considered under GDPR protection, whether the person is identifiable by name; ID number; or physiological, genetic, or other factors.
Debunking these and other myths is key to preparing for GDPR in the real world. Getting past the misconceptions can mean you’ll reduce the chances of being out of compliance and potentially incurring a lengthy audit and large fines—and by “large,” we mean potentially 4 percent of your global revenue wasted on a GDPR fine.
Ready to become GDPR-compliant (and potentially avoid these hefty fines)? Download Hanzo's GDPR trend report and get up to date on the new rules. If you'd like to learn more about which solutions might fit your company, please contact us at email@example.com.