When GDPR was announced two years ago, most organizations were in awe of its complexity, scope, global impact, and unprecedented penalties. Although compliance efforts were started, the general description and lack of detail left many confused. Most organizations are used to a compliance checklist and that was not forthcoming with GDPR. Even now, less than a month before “GDPR Day,” 27% of respondents say they have concerns about GDPR going into effect and many of these concerns stem from common misconceptions about what effect GDPR will have on how companies operate.
Misconception #1: Companies must ensure that personal data resides in the country of origin.
Reality: Keeping data secure is what you need to focus on, not residency.
We’re hearing companies express concern that they’ll have to go through the lengthy and costly process of moving data they originally processed in the US to the EU under GDPR. That concern is unfounded. In its framework, GDPR states that “flows of personal data to and from countries outside the Union and international organizations are necessary for the expansion of international trade and international cooperation,” so data residing outside the EU is to be expected. Data that has already been processed in the US doesn’t necessarily have to be moved back to the EU; data protection and security must be assured regardless of location. If the data is to stay in the US, a few additional arrangements are necessary, such as execution of the Model Clauses or registration to Privacy Shield, but if the company complies with GDPR, these steps are merely a legal formality.
Misconception #2: Individual privacy rights are the end-all, be-all.
Reality: Requests pertaining to privacy rights are not ultimate.
Under GDPR, an individual can request that his or her personal data be deleted, which is also known as the Right to be Forgotten. This has caused a lot of companies to worry about the complexity of the process, especially when the data is stored in multiple systems, and to fear that they might lose not only the audience for their marketing or business development but also valuable business data. But this is simply not the case. If companies were to delete all personal data, how could they prove that they had honored a privacy request or sent a bill to a customer? Under GDPR, the data must be deleted only when there is no other valid business reason for it to exist and be processed.
Misconception #3: GDPR will limit my company’s ability to do business.
Reality: The impact of GDPR will mostly be felt by companies that thrive on personal data.
It was the business model of social networks, global advertisement network operators, and other enterprises that monetize personal data that led the EU to reconsider its privacy practices. The primary purpose of GDPR is to protect individual privacy, so it restricts the collection of personal data and emphasizes the importance of consent before data is collected. Consequently, the kind of companies that rely on aggregating and selling consumer data as their primary source of revenue will be the most affected. For most other companies, those that collect personal data as a part of their regular business operations, the effects should be minimal. After all, GDPR does not aim to make business more complicated, but it does aim to force companies to re-evaluate how they use data in an effort to protect the individual’s privacy.
Misconception #4: Consultants will save the day.
Reality: It’s up to companies to figure out how to ensure ongoing compliance.
Consultants can be a great resource as companies navigate the GDPR compliance process, and they can help assess gaps and document compliance efforts. While this is certainly useful, it’s ultimately up to the company to figure out how it needs to change its business processes, if at all, to be in compliance. This is especially important because GDPR isn’t simply a checklist of requirements; it’s a framework or a way of thinking about privacy. Only someone intimately familiar with a company’s practices can truly understand the nuances of their business processes and the way they use data to prove that the appropriate adjustments have been made.
Misconception #5: Companies can relax after May 25, 2018.
Reality: Your compliance efforts need to switch gears and remain in effect after May 25.
GDPR goes into effect on May 25, and I find that a lot of companies are focusing on what they can do to be in compliance today. However, very few have thought about what they’ll need to change to remain in compliance moving forward. Your compliance efforts don’t end on May 25; instead, their focus shifts to how compliance can be permanently integrated into business processes.
What it comes down to is that GDPR is about privacy and security. Compliance not based on checklists may seem confusing until organizations realize they need to fundamentally change the way they think about privacy. For the EU, privacy is the most important fundamental human right, which needs to be honored and respected above all others — similar to how the US values freedom above other rights. As long as companies keep this in mind and focus on making these measures part of the way they do business, they’ll be likely to find success in the compliance process.
Tomas Honzak is Director of Security and Compliance at GoodData.