With GDPR regulations coming into force this month, data teams are scrambling to comply. But there are a lot of misconceptions out there to avoid.
Europe’s General Data Protection Regulation (GDPR) is an EU regulation concerning data protection and privacy aimed at protecting the data of all individuals within the European Union. Specifically, it tackles the export of personal data outside of EU territory. The aim of this regulation is primarily to give control of their data back to EU citizens and residents.
Adopted in April 2016, it comes into force on May 25, 2018, in the middle of key discussions of enterprise security breaches by hackers seeking personal data, and the recent Facebook news of its involvement in user data access it granted to Cambridge Analytica for that firm’s work around the 2016 U.S. presidential election.
See also: Will GDPR spoil the IoT party?
Because GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.
But while this date needs your executive and data teams’ attention, there are several misconceptions about this new regulation you need to clear up first.
Misconception #1: Companies must ensure that personal data resides in the country of origin.
Reality: Keeping data secure is what you need to focus on, not residency.
We’re hearing companies express concern that they’ll have to go through the lengthy and costly process of moving data they originally processed in the US to the EU under GDPR. That concern is unfounded. In its framework, GDPR states that “flows of personal data to and from countries outside the Union and international organizations are necessary for the expansion of international trade and international cooperation,” so data residing outside the EU is to be expected. While data that has already been processed in the US doesn’t necessarily have to be moved back to the EU — if it is, data protection and security must be assured regardless of the location.
Misconception #2: Individual privacy rights are the end-all and be-all.
Reality: Requests pertaining to privacy rights are not ultimate.
Under GDPR, an individual can request that his or her personal data be deleted, which is also known as the Right to be Forgotten. It’s been causing a lot of companies to worry about the complexity of the process, especially when the data is stored in multiple systems, and that they might not only lose the audience for their marketing or business development but also valuable business data. But this is just not the case. If companies were to delete all personal data, how could they prove that they had honored a privacy request or sent a bill to a customer? Under GDPR, the data must only be deleted when there is no other valid business reason for it to exist and be processed.
Misconception #3: GDPR will limit my company’s ability to do business.
Reality: The impact of GDPR will mostly be felt by companies who thrive on personal data.
It was the business model of social networks, global advertisement network operators, and other enterprises that monetize personal data that led the EU to reconsider its privacy practices. The primary purpose of GDPR is to protect individual privacy, so it restricts the collection of personal data and emphasizes the importance of consent before data is collected. Consequently, the kind of companies that rely on aggregating and selling consumer data as their primary source of revenue will be the most affected. For most other companies, those that collect personal data as a part of their regular business operations, the effects should be minimal. After all, GDPR does not aim to make business more complicated, but it does aim to force companies to re-evaluate how they use data in an effort to protect the individual’s privacy.
Misconception #4: Consultants will save the day.
Reality: It’s up to companies to figure out how to ensure ongoing compliance.
Consultants can be a great resource as companies navigate the GDPR compliance process, and they can help assess gaps and document compliance efforts. While this is certainly useful, it’s ultimately up to the company to figure out how it needs to change its business processes, if at all, to be in compliance. This is especially important because GDPR isn’t simply a checklist of requirements; it’s a framework or a way of thinking about privacy. Only someone intimately familiar with a company’s practices can truly understand the nuances of their business processes and the way they use data to prove that the appropriate adjustments have been made.
Misconception #5: Companies can relax after May 25, 2018.
Reality: Your compliance efforts need to switch gears and remain in effect after May 25th.
GDPR goes into effect on May 25, 2o18, and I find that a lot of companies are focusing on what they can do to be in compliance today. However, very few have thought about what they’ll need to change to remain in compliance moving forward. Basically, your compliance efforts don’t end on May 25th, but they do transform the focus on how compliance can permanently be integrated into business processes.