The General Data Protection Regulation (GDPR) comes into force in May 2018. For the information commissioner, GDPR creates an onus on companies to understand the risks they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box-ticking exercise, and instead working on a framework that can be used to build a culture of privacy that pervades an entire organisation, the information commissioner recently said.
Let’s explore a few areas of misunderstanding I have encountered when speaking to IT suppliers and customers.
Myth 1: It is just about hacking – Although many of the news stories focus on hacking and GDPR breaches, GDPR is not just about hacking. For example, it currently costs £10 for individuals to get their data from organisations under data protection law. Under the GDPR, it will be free subject to various exemptions such as repetitive requests, manifestly unfounded or excessive requests or further copies.
As a result, organisations can probably expect more individuals wanting a copy of their data, including customers and employees both past and present. The time limit for responding to these requests is 30 days. If an organisation receives many requests from employees or customers, is it prepared to provide this personal data to them within the 30-day time limit?
Myth 2: It is all about avoiding fines – Many people focus on the high fines in the GDPR, which are up to €20m, or 4% of worldwide annual turnover. However, also of concern is that if there is a data breach that poses a high risk to individuals (for example, if all credit card details are lost or stolen so that fraudsters can use those details), the organisation has to notify those individuals.
Now that organisations might have to notify their whole customer base of this kind of data breach, it could lead to a rush of enquiries from customers, and many may want to switch to competitors. Losing a large number of customers in a short period of time can obviously have a severe impact on an organisation’s reputation and revenues. Any fines may then come later.
Myth 3: It is just an IT problem – Because GDPR is heavily linked with personal data, the word “data” often signals that this is some kind of IT issue. However, GDPR is a cultural change in terms of how organisations process personal data throughout the organisation – where personal data is obtained from, how it is used, where it is stored, who it is passed to and how those parties use that data.
As a result, complying with GDPR will often be a team effort from different departments in the organisation. IT teams that feel it may be their responsibility to soldier on and deal with GDPR alone should be letting the whole organisation know about GDPR and explaining it is not just an IT issue.
Myth 4: GDPR compliance is a job for the IT director – It is mandatory for public sector bodies and certain other organisations to have a data protection officer. Many organisations may feel that if they need a data protection officer under the GDPR, then they might just appoint their IT director as a data protection officer.
However, legal developments suggest that when appointing a data protection officer there should not be a conflict of interest – for example, if the IT director is responsible for the organisation’s processing of personal data, the IT director cannot also be responsible for signing off on GDPR compliance regarding the processing of it.
Myth 5: Compliance can be achieved very quickly – The GDPR obliges organisations to take another look at how they process personal data, such as their customer database. This will need significant organisational work, involving departments including sales and marketing, finance, HR, IT and legal. Given that the GDPR comes into force in May 2018, this does not leave a lot of time for an organisation to become GDPR compliant.