5 Common GDPR Misconceptions - InformationWeek

Tomas Honzak, Director of Security and Compliance at GoodData

5 Common GDPR Misconceptions

A company's efforts to comply with GDPR don't end on May 25. The work is ongoing, tied to a recognition of privacy as a fundamental right.

When GDPR was announced two years ago, most organizations were in awe of its complexity, scope, global impact, and unprecedented penalties. Although compliance efforts were started, the general description and lack of detail left many confused. Most organizations are used to a compliance checklist and that was not forthcoming with GDPR. Even now, less than a month before “GDPR Day,” 27% of respondents say they have concerns about GDPR going into effect and many of these concerns stem from common misconceptions about what effect GDPR will have on how companies operate.

Misconception #1: Companies must ensure that personal data resides in the country of origin.

Reality: Keeping data secure is what you need to focus on, not residency. 

We’re hearing companies express concern that they’ll have to go through the lengthy and costly process of moving data they originally processed in the US to the EU under GDPR. That concern is unfounded. In its framework, GDPR states that “flows of personal data to and from countries outside the Union and international organizations are necessary for the expansion of international trade and international cooperation,” so data residing outside the EU is to be expected. While data that has already been processed in the US doesn’t necessarily have to be moved back to the EU, data protection and security must be assured regardless of location. If the data is to stay in the US, a few additional arrangements are necessary, such as execution of the Model Clauses or registration to Privacy Shield, but if the company complies with GDPR, these steps are merely a legal formality.

Misconception #2: Individual privacy rights are the end-all, be-all. 

Reality: Requests pertaining to privacy rights are not ultimate.

Under GDPR, an individual can request that his or her personal data be deleted, which is also known as the Right to be Forgotten. It’s been causing a lot of companies to worry about the complexity of the process, especially when the data is stored in multiple systems, and that they might not only lose the audience for their marketing or business development but also valuable business data. But this is just not the case. If companies were to delete all personal data, how could they prove that they had honored a privacy request or sent a bill to a customer? Under GDPR, the data must only be deleted when there is no other valid business reason for it to exist and be processed.

Misconception #3: GDPR will limit my company’s ability to do business. 

Reality: The impact of GDPR will mostly be felt by companies that thrive on personal data.

It was the business model of social networks, global advertisement network operators, and other enterprises that monetize personal data that led the EU to reconsider its privacy practices. The primary purpose of GDPR is to protect individual privacy, so it restricts the collection of personal data and emphasizes the importance of consent before data is collected. Consequently, the kind of companies that rely on aggregating and selling consumer data as their primary source of revenue will be the most affected. For most other companies, those that collect personal data as a part of their regular business operations, the effects should be minimal. After all, GDPR does not aim to make business more complicated, but it does aim to force companies to re-evaluate how they use data in an effort to protect the individual’s privacy.

Misconception #4: Consultants will save the day.

Reality: It’s up to companies to figure out how to ensure ongoing compliance.

Consultants can be a great resource as companies navigate the GDPR compliance process, and they can help assess gaps and document compliance efforts. While this is certainly useful, it’s ultimately up to the company to figure out how it needs to change its business processes, if at all, to be in compliance. This is especially important because GDPR isn’t simply a checklist of requirements; it’s a framework or a way of thinking about privacy. Only someone intimately familiar with a company’s practices can truly understand the nuances of their business processes and the way they use data to prove that the appropriate adjustments have been made.

Misconception #5: Companies can relax after May 25, 2018.

Reality: Your compliance efforts need to switch gears and remain in effect after May 25.

GDPR goes into effect on May 25, and I find that a lot of companies are focusing on what they can do to be in compliance today. However, very few have thought about what they’ll need to change to remain in compliance moving forward. Basically, your compliance efforts don’t end on May 25, but their focus shifts to how compliance can be permanently integrated into business processes.

What it comes down to is that GDPR is about privacy and security. Compliance not based on checklists may seem confusing until organizations realize they need to fundamentally change the way they think about privacy. For the EU, privacy is the most important fundamental human right, which needs to be honored and respected above all others — similar to how the US values freedom above other rights. As long as companies keep this in mind and focus on making these measures part of the way they do business, they’ll be likely to find success in the compliance process.

Tomas Honzak is Director of Security and Compliance at GoodData.
