It’s not uncommon in political circles to hear the battle cry of ‘fake news’, whether aimed at misunderstanding, straying from the truth, unfair bias or spin. On a sliding scale from concocted falsehood to an innocent, unwitting mistake, misrepresentation has been given its platform in the form of social media.
To that scale we now need to add the rumour, scandal and ongoing commentary that surround the General Data Protection Regulation (GDPR), which has been almost overwhelming. Indeed, from the announcement of the regulation two years ago up to March 2017, almost 5,000 articles have been posted on LinkedIn alone on the topic of the GDPR.
Not that we suggest that any, let alone the majority, of the articles are in any way poor quality, far from it; in fact, the way industries have pulled together in an effort to educate organisations about the forthcoming changes brought about by the implementation of the GDPR is heartwarming. That said, the GDPR has become encumbered with the pressing desire of many to be ‘associated’ with this latest trend, or buzzword. Sadly, this can lead to the facts being distorted and stretched to extremes.
The Five Horsemen of the Regulatory Apocalypse
GDPR has, without doubt, its myths and monsters and here are just five of the most common.
- Crash, burn and punish – the finance people have their calculators at the ready when it comes to the potential administrative fines should their organisation be found to be non-compliant. We often see the fine quoted as 4% of annual turnover or €20,000,000 when a data breach hits the media. But this doesn’t tell the whole story. In reality, this particular GDPR administrative fine is the maximum value; fines are tiered depending on the nature of the breach. It is up to the supervisory body to determine the true value of a fine, based on the factors surrounding the individual breach, and it is unlikely to be the maximum except in extreme cases. The regulation is not intended to push or force companies into liquidation; the regulators would rather organisations chose the option of improved business practices and security.
- Protecting EU citizens – have you seen the one that says the GDPR covers the personal information of EU citizens no matter where it resides? Well, not quite; in fact, it is a little more complicated than that. In reality, organisations that are based in an EU member state must comply with the GDPR with regard to any personal information that they collect and process, including that of data subjects who reside outside the EU. Organisations that are based in a non-EU state are required to apply the GDPR’s protection to the personal information of data subjects who live in the EU when providing them with a product or service, whether or not that product or service is free. The word citizen or citizenship is not mentioned anywhere in the GDPR.
- The GDPR is essentially Data Leakage Prevention (DLP) – this statement unfortunately demonstrates a lack of understanding of the purpose of the GDPR, and more precisely of its six core principles. Whilst the GDPR does, of course, champion the protection of personal information and the systems that process it, it is in fact more focused on other issues, such as gaining clear consent for the collection of personal information, making sure the data subject knows what is being collected and why, and ensuring that the information is correct. The GDPR comprises more than 260 pages; it is not a trivial regulation and shouldn’t be regarded as such.
- Buy a solution and we’ll be GDPR compliant – in reality, the answer is no, you probably won’t be. The implementation of the GDPR does not hand out a free pass allowing providers to sell any solution or platform with the assurance that the organisation will then be GDPR compliant. In fact, it is distinctly unlikely that any organisation will definitely need to buy new technology just to become GDPR compliant and keep the supervisory authority happy. Before anyone goes down this route, it would be better to carry out a risk assessment, or Data Protection Impact Assessment, in which the areas that may pose a risk to data subjects are identified. That’s not to say that a new solution or business process may not help to reduce the risk.
- We’re exempt because we outsource – if you believe this, please take this as a warning: 99.9% of organisations will be exposed to the GDPR. The current Data Protection Act defines third-party breaches as the responsibility of the third party. Under the GDPR, that is not the case; responsibility for a breach rests with the data controller, who has to make sure that their data processors are capable. If you think you can shift the blame for your own complacency, think again; no supervisory body will look favourably on this.
From Darkness, Let There be Light
Yes, you will hear and read GDPR ‘fake news’, but the reality is not nearly as scary; it just doesn’t sell newspapers or get the media hyped up. The GDPR was never conceived as a means to severely punish organisations across Europe, or as a mechanism for selling technology solutions. It was written simply to enforce improved data hygiene in a worldwide environment of ever-increasing data breaches.
The GDPR myths and monsters will still come to the surface; stay calm and shine a light on them so that the reality is clear for all to see.
For more information on Cyber Management Alliance, assistance with GDPR Readiness, ISO 27001 Certification, their Live Online CISSP Training & Mentorship program and other courses, webinars, the Wisdom of Crowds live and virtual events, and their Insights with Cyber Leaders series of executive interviews, click here or contact us today.