Despite the GDPR requirements already being in effect, we’re hearing lots of misconceptions swirling around the new privacy regulations. To help dispel some of the myths and misunderstandings that have arisen, we put together a list of nine things that GDPR is definitively not, along with explanations of what it really is, to help you better address this wide-reaching new privacy regulation.
9 Things GDPR is NOT
Understanding all the ins and outs of GDPR is essential, which is why we’re debunking nine things that GDPR is not and revealing the facts.
Only Applicable to European Companies
Given it’s called the “EU General Data Protection Regulation,” it’s easy to understand why many organizations believe that if they aren’t located in the EU, it won’t apply to them. But not so fast. Every organization that processes, stores, or handles the data of EU residents will be impacted and must prepare to meet the regulations. In reality, this applies to many organizations outside the EU, including many U.S., Middle Eastern, and African companies—and beyond. Make sure you understand whose data you are touching as a business before you decide that the GDPR does not apply to you—because odds are pretty good it does.
Before the EU GDPR was ratified, its predecessor, the Data Protection Directive 95/46/EC, was in place for many years. The Data Protection Directive was a framework that organizations could choose to adhere to if they wanted to demonstrate their focus on privacy. The new, improved EU GDPR is a regulation—not a directive or a friendly suggestion—meaning it is legislatively binding and enforceable. The exact implementation and enforcement will vary from country to country, but GDPR is very much a set of laws and not an optional directive.
A Slap on the Wrist
Fines for violations of the EU GDPR can be as high as 4% of annual revenue or up to €20 million — whichever is higher. That’s nothing to mess around with. While at this point it’s impossible to say exactly how and to what extent it will be enforced, it’s clear that the consequences for violating the regulation could be disastrous for many organizations. The bottom line: If you process or store the data of EU residents, not following GDPR is a significant risk to take on.
Something to Procrastinate About
If you can believe it, a whopping 80% of businesses admit that they aren’t ready for EU GDPR. Moreover, 22% aren’t even aware of the regulation, while 52% say they know about it, but the impact to them isn’t clear yet. Of those who are aware, 20% admit to being completely unprepared; 59% are at least somewhat unprepared. Frighteningly, Gartner estimates by 2020, 40% of organizations will be in violation of the regulation. If you’re one of the unprepared organizations, it’s time to get to work. (Don’t worry: We can help.)
If you’re wondering what kind of data is covered by the EU GDPR, the answer is any information related to a real, live human being—or, in GDPR terminology, a “Data Subject”—that can be used to identify the person (directly or indirectly). That casts quite a wide net, so odds are high if you’re providing goods or services to EU residents in some format, you are touching personal data.
Relevant data types can include:
- Email addresses
- Bank details
- Social media posts
- Medical info
- Computer IP addresses
- & moreMake sure you understand what kinds of data are covered, where that data resides at your organization, and how you will protect and monitor it.
A Security Regulation
Curious about the purpose and intent of EU GDPR? Some organizations have mistakenly regarded GDPR as a security legislation. However, the two keywords to focus on are privacy and control. The intent behind GDPR is less improving security and more guaranteeing stronger rights to data privacy. So while there are many security implications around the regulation and security benefits to adhering to it, it is at its heart designed to guarantee and preserve privacy.
A One-Time Activity
As with many other compliance frameworks, going through a GPDR audit and preparation exercise is not something you can do once and then move on. You need to implement continuous and comprehensive controls that you can verify and tweak at any time. This includes continuous monitoring of user activity to identify and prevent instances of data loss and misuse. The EU GDPR 2018 wants organizations to build in privacy by design, and that is an ongoing process that must be budgeted for, with appropriate human resources delegated to the effort on a long-term basis.
Permissive of Slow Response Times
One of the most challenging aspects of GDPR is the requirement to respond very quickly in the event of an incident. In case of a breach, you must notify the supervising authority within 72 hours and affected data subjects “without undue delay.” In practice, this means, if you haven’t already, you need to implement a highly sophisticated detection, alerting, and response process for any of your systems that store or process EU resident data. It also means maintaining clear and detailed audit trails that can help you demonstrate what happened, why, and how—and enable you to put together a plan to avoid similar incidents in the future.
Simply a Technology Challenge
While GDPR obviously has a big impact on technological systems and may require heavy investment in software and technology at your organization, it is not a systems problem alone. GDPR asks organizations to conduct awareness-raising and training for staff involved in processing operations and auditing, to ensure that your people understand what it takes to protect customers’ privacy and are able to take corrective action in the event of an incident.
Ready or Not, Here GDPR Comes!
To meet GDPR, ObserveIT helps organizations achieve data privacy and protection by design and by default. We empower teams with:
- Visibility into what users are doing and how they are handling personal data
- The ability to anonymize all user data
- Detection of data exfiltration, loss, and misuse
- Investigational tools to help you notify authorities quickly about any data breaches, with full context at-hand
We can work with you to reduce misunderstandings around GDPR, build in privacy controls, and take the stress out of establishing and maintaining GDPR compliance.
See how we map to specific requirements of GDPR and book your free trial or demo of ObserveIT today: