5 Common GDPR Misconceptions - InformationWeek


Commentary
5/16/2018
10:00 AM
Tomas Honzak, Director of Security and Compliance at GoodData

5 Common GDPR Misconceptions

A company's efforts to comply with GDPR don't end on May 25. The work is ongoing, tied to a recognition of privacy as a fundamental right.

When GDPR was announced two years ago, most organizations were in awe of its complexity, scope, global impact, and unprecedented penalties. Although compliance efforts were started, the general description and lack of detail left many confused. Most organizations are used to a compliance checklist and that was not forthcoming with GDPR. Even now, less than a month before “GDPR Day,” 27% of respondents say they have concerns about GDPR going into effect and many of these concerns stem from common misconceptions about what effect GDPR will have on how companies operate.

Misconception #1: Companies must ensure that personal data resides in the country of origin.

Reality: Keeping data secure is what you need to focus on, not residency. 

We’re hearing companies express concern that they’ll have to go through the lengthy and costly process of moving data they originally processed in the US to the EU under GDPR. That concern is unfounded. GDPR itself (Recital 101) states that “flows of personal data to and from countries outside the Union and international organizations are necessary for the expansion of international trade and international cooperation,” so data residing outside the EU is expected. Data that has already been processed in the US doesn’t have to be moved back to the EU, but data protection and security must be assured regardless of where the data is stored. If the data is to stay in the US, GDPR’s rules on international transfers require a recognized transfer mechanism, such as executing the Model Clauses (the EU’s Standard Contractual Clauses) with the receiving party or self-certifying under Privacy Shield. If the company already complies with GDPR, these steps are a legal formality rather than an engineering project; what they do not do is relieve the company of its security and accountability obligations for the transferred data.

Misconception #2: Individual privacy rights are the end-all, be-all.

Reality: Requests pertaining to privacy rights are not absolute.

Under GDPR, an individual can request that his or her personal data be deleted: the right to erasure (Article 17), commonly called the Right to be Forgotten. This has caused a lot of companies to worry about the complexity of the process, especially when the data is spread across multiple systems, and to fear that they might lose not only the audience for their marketing or business development but also valuable business data. That is not the case. If companies deleted all personal data on request, how could they prove that they had honored a privacy request, or that they had billed a customer? Under GDPR, the data must be deleted only when no other lawful basis for keeping and processing it remains; where the company is legally obliged to retain records (tax or billing records, for example) or needs the data to establish or defend legal claims, those records are kept, and only the processing for the original purpose stops. A practical consequence is that a company needs an inventory of where each category of personal data lives and which basis justifies it, so that an erasure request can be executed, and its handling documented, system by system.

Misconception #3: GDPR will limit my company’s ability to do business. 

Reality: The impact of GDPR will mostly be felt by companies that thrive on personal data.

It was the business model of social networks, global advertising networks, and other enterprises that monetize personal data that led the EU to rethink its privacy rules. The primary purpose of GDPR is to protect individual privacy, so it restricts the collection of personal data to what is needed for a stated purpose and requires a lawful basis for each processing activity; consent is one such basis, not the only one, but where a company relies on it, consent must be obtained before the data is collected. Consequently, the kind of companies that rely on aggregating and selling consumer data as their primary source of revenue will be the most affected. For most other companies, those that collect personal data as part of their regular business operations, the effects should be minimal. After all, GDPR does not aim to make business more complicated, but it does aim to force companies to re-evaluate how they use data in order to protect individual privacy.

Misconception #4: Consultants will save the day.

Reality: It’s up to companies to figure out how to ensure ongoing compliance.

Consultants can be a great resource as companies navigate the GDPR compliance process, and they can help assess gaps and document compliance efforts. While this is certainly useful, it’s ultimately up to the company to figure out how it needs to change its business processes, if at all, to be in compliance. This is especially important because GDPR isn’t simply a checklist of requirements; it’s a framework, a way of thinking about privacy. Only someone intimately familiar with a company’s practices can truly understand the nuances of its business processes and the way it uses data, and thus demonstrate that the appropriate adjustments have been made.

Misconception #5: Companies can relax after May 25, 2018.

Reality: Your compliance efforts need to switch gears and remain in effect after May 25.

GDPR becomes enforceable on May 25, and I find that a lot of companies are focusing on what they can do to be in compliance on that day. Very few have thought about what they’ll need to change to remain in compliance afterward. Your compliance efforts don’t end on May 25; they shift from a one-time gap assessment to building compliance permanently into business processes, for instance by keeping records of processing activities current as systems change, assessing the privacy impact of new products before launch, and treating data subject requests as a routine operational workflow rather than an exception. GDPR’s accountability principle means a company must be able to demonstrate compliance on an ongoing basis, not just on the day the regulation takes effect.

What it comes down to is that GDPR is about privacy and security. Compliance that is not based on checklists may seem confusing until organizations realize they need to fundamentally change the way they think about privacy. The EU treats privacy and the protection of personal data as fundamental rights (Articles 7 and 8 of the EU Charter of Fundamental Rights) that must be honored and respected, much as the US places particular weight on individual freedom. As long as companies keep this in mind and focus on making these measures part of the way they do business, they are likely to find success in the compliance process.

Tomas Honzak is Director of Security and Compliance at GoodData.
