This Month in GDPR News and Updates: Only 2 Percent of “GDPR-ready” Organizations Are Actually Compliant

September 7, 2017


General Data Protection Regulation (GDPR) may have a specific effective date, but the expectations pre-implementation are still ever-changing. There are debunked myths and key questions (covered in our two previous GDPR blog posts). It’s been about a month since we last updated information on these upcoming rules.

If you didn’t read the last update, here are the basics: GDPR officially takes effect on May 25, 2018, and from that date you must have a lawful and secure method of collecting and storing the personal data of people in the EU. The regulation applies to every business that holds or processes data collected in the EU, regardless of where the business is located, so you don’t need to be in the EU to be affected by this law. Not being prepared puts you at risk of audits and fines of up to 4 percent of your global annual revenue.

These latest news stories also touch on the common myths of GDPR, which as previously mentioned, we debunked. Just to touch on them, these myths include:

GDPR Myth #1: “GDPR doesn’t apply to me because we’re a US-based company.” Companies based in the US can still hold the personal data of people in the EU, and if they do, the GDPR applies to that data and the privacy obligations it carries must be addressed.

GDPR Myth #2: “If I’m compliant, I’ll prevent breaches.” The goal of GDPR is not to squash cyberattacks nor encourage companies to be cybersecurity leaders. Instead, GDPR wants to raise the minimum level of security and personal information protections.

GDPR Myth #3: “My company uses encryption and other methods to protect private data, so we’re GDPR-compliant.” Encryption is only one of the measures named in Article 32 of GDPR. That article requires technical and organizational measures appropriate to the risk, taking into account in particular the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. Encrypting data does not by itself satisfy that requirement.

GDPR Myth #4: “My company’s personal data is already in our database. That means it’s not subject to GDPR.” Actually, personal data belonging to a European citizen must be processed lawfully, whether it’s inside a database or not. You can only rely on consent as far as that explicit consent has been given (and not withdrawn).

Now that you have the basics and some common myths re-debunked (if that’s a real word), here’s the latest on GDPR from around the internet:

UK firms see employees as top risk to GDPR compliance. Per a poll conducted by IT services firm Bluesource, three-fifths of senior IT executives at 200 medium to large UK companies believe staff members are the biggest obstacle to complying with GDPR. Forty percent think their current IT systems won’t be compliant, and just 50 percent of survey respondents are actually taking measures to prepare for GDPR. Even more illuminating: 20 percent of respondents aren’t even sure what to do next.

Only 2 percent of “GDPR-ready” organizations are actually compliant. New research from Veritas revealed that only 2 percent of organizations that think they’re prepared for GDPR actually are. The company polled more than 900 business decision-makers in the US, the UK, France, Germany, Australia, Singapore, Japan, and the Republic of Korea, and the vast majority of the organizations polled mistakenly think they’re ready for when GDPR goes into effect in 2018. In fact, 31 percent of respondents said their current enterprise already conforms to GDPR’s key requirements, but when asked about specific provisions in the legislation, they gave answers showing they were unlikely to be in compliance after all.

The lady (or man) vanishes: the thorny issue of GDPR coding. Under the new regulations, customers will be able to ask companies to delete their information simply by withdrawing their consent, but actually deleting that information can be complicated. There are many moving parts for IT professionals: the same personal data is often held in multiple databases, and every copy has to be found and erased for the request to be honored.

Hopefully, these latest articles will help you prepare for GDPR. Stay tuned to the Hanzo blog for the latest recaps and updates as they roll in; after all, there will always be more GDPR news before the actual implementation, and you’ll want to be ready every step of the way. If you’d like to learn more about Hanzo, we’d love to hear from you.

What’s your risk? Schedule a time to speak with an expert from the Hanzo team to determine if and how GDPR applies to your organization.
