The truth is out there, but so is a lot of misinformation
The deadline (or perhaps more descriptively, the “deadline”) is approaching quickly. The deadline of course refers to the date by which the General Data Protection Regulation mandates compliance set for May 25, 2018. At the time I’m writing this, that’s only slightly over three weeks away.
Unless you’ve been living in a cave for the past year, you already know that the GDPR is the European Union privacy law that supersedes the Data Protection Directive adopted in 1995, and that the new rules are stricter and broader in scope than those of its predecessor; all companies that collect, store, or transfer personal data of residents of EU countries are required to comply – including those that aren’t located in the EU.
The GDPR legislation was enacted in 2016, so organizations have had two years to implement the technological and policy changes necessary to comply, but many are still scrambling at the last minute, and because some of the wording is vague and imprecise, many are uncertain as to whether the measures they’ve taken are enough. This is a real concern, since the maximum penalties are steep – up to 20 million euros or 4% of the company’s worldwide annual turnover, whichever is higher.
The confusion is complicated by the fact that there are many consultants, writers, and various “experts” out there who are attempting to help organizations interpret the law and apply the appropriate compliance measures, but not all of them are always telling “the truth, the whole truth and nothing but the truth.” That doesn’t mean anyone is deliberately trying to mislead you. The GDPR is a complex document that involves both law and technology and can easily be misconstrued.
Let’s take a look at a few myths and misconceptions that you might encounter in the last minute rush to achieve compliance:
1. “The GDPR doesn’t apply to the USA because they don’t deal with the data of EU citizens”
First, are you absolutely sure of that? Just because you don’t operate a business in Europe, that doesn’t mean you aren’t conducting transactions within the EU and collecting or processing data on European citizens and/or permanent or temporary residents.
One of the most common errors made by those who write about the GDPR (one that I made myself, in the early days) is to use the term “EU citizens.” The GDPR actually applies to anyone conducting transactions within the EU: citizens, residents, and even tourists who are staying there temporarily.
If you have a website where you sell products or services and a resident of the EU logs on and enters personal data to buy something, that transaction falls under the auspices of the GDPR. However, remember that an EU resident doesn’t have to engage in a financial transaction for the data collection to be covered by the GDPR. It also applies to “monitoring the behavior” of individuals who are in the EU. Articles 2 and 3 in Chapter 1 define the regulation’s material and territorial scopes, and it’s important to understand their language before you decide your organization is exempt from GDPR compliance.
2. “If my company is in the U.S., I don’t really have to worry about complying because they won’t enforce it”
I’ve heard and read a few opinions that although the GDPR applies to organizations outside the EU “on paper,” it’s doubtful that it will be enforced because the regulators don’t have enough staff resources to do so. Some companies are taking that to mean they’re safe from GDPR penalties if their businesses are smaller, low profile, and don’t have a physical presence in Europe.
Of course, we all know that no law can ever be enforced fully and equally. Many violators are never caught and some of those who are get let off the hook for various reasons. Most of us exceed the speed limit from time to time but we don’t get ticketed every time. Unless and until big brother technology reaches the point shown in the 1993 movie Demolition Man, breaking laws will always be a gamble that some will win and others will lose.
Until the enforcement deadline arrives, no one really knows exactly how and to what extent the GDPR will be enforced. It’s important to remember that the actual enforcement is to be handled by each of the different EU countries – so which country the data subjects reside in may make a big difference. Some countries are more or less business-friendly while others are much stricter about privacy protection.
To assume that you’ll luck out and get away with ignoring the GDPR could end up being an expensive mistake. Like the speeders who get hit with hefty fines and points against their drivers’ license, you might wish you had just paid attention to the law to begin with.
3. “OMG – if I accidentally miss complying with one obscure section, or experience a data breach, I’ll be fined 20 million euros and go bankrupt.”
At the opposite end of the spectrum from the “ignore it and maybe it’ll go away” contingent are those business people whose paranoia over possible penalties has them paralyzed. Some compliance consultants and technology writers, for the purpose of getting business or generating more readership through sensationalized headlines (or out of genuine misunderstanding), have exaggerated those fears.
Certainly the huge numbers that are often quoted from Article 83, General conditions for imposing administrative fines, sound scary – but that article starts off in section (1) by saying that “Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.” (my emphasis).
Section (2) goes on to spell out the factors that are to be taken into consideration in determining fines and other penalties, which include not only the severity of the infringement but also its duration and its character (intent or negligence). Actions taken to mitigate the damage are recognized in the violator’s favor, whereas past infringements would count against you. In fact, there is a whole list of mitigating or aggravating factors that will determine whether and how much you’re fined if you do come under the scrutiny of the regulators.
Remember that the intent of the law wasn’t to put businesses out of business – it was to protect the privacy of individuals. According to the compliance director quoted in Info Security magazine online, “The intent of larger fines is to punish those who blatantly disregard their responsibilities. The majority of incidents and breaches are the result of errors, not mal-intent, and I believe the ICO will continue to issue sensible fines in those cases.”
The scaremongering in this regard became such a problem that last summer the U.K. information commissioner issued reassurances that regulators there will not be imposing the maximum fines for minor infringements.
4. “If you just implement best security practices, you’ll be in compliance”
Good security is an important element in complying with the GDPR, but there’s more to it than that. Article 5, Principles relating to processing of personal data, doesn’t even mention security until subsection (f). Its first requirements are that the data be processed lawfully, fairly, and in a transparent manner. Even if the data is secured, you must also show that it:
• Is collected for specified, explicit and legitimate purposes
• Is accurate, relevant and limited (also called data minimization)
• Is kept up to date
• Is not kept longer than necessary
In addition, compliance means showing that you abide by the rules regarding the rights of the data subjects in regard to communication, provision of information, access, rectification of inaccurate or incomplete data, restriction of processing, erasure of data on request, notification, and portability – all of which are detailed in Articles 12 through 23.
Then there are the requirements regarding the designation of a data protection officer (where required), as specified in Article 37, and the carrying out of a data protection impact assessment (DPIA) as described in Article 35. There are also specific provisions for processing of certain types of data.
As you can see, simply securing your data is only the first step on the long journey toward compliance. That’s why it’s important to be familiar with the entire text of the GDPR and the provisions in each section, as well as its recitals that provide context for understanding and interpreting the articles.
5. “The GDPR will make it impossible (or impossibly expensive) to operate my business”
Then there are those who do read the GDPR in its entirety – and panic because of a misunderstanding of the applicability of some of the GDPR provisions. This leads them to believe that they’re going to have huge expenditures to hire additional personnel in order to comply with the GDPR.
They may see that Article 7 spells out conditions for consent and mistakenly think they must get explicit consent before they can collect, process or store any data at all pertaining to EU residents and transactions. In fact, if you look back to Article 6, which addresses lawfulness of processing, you see that consent is only one of the allowable bases for processing.
Another, related misconception is that if a data subject asks you to erase his/her data, you always must do so. Article 17 lays out the rules for this “right to be forgotten,” and specifies those conditions under which the request must be honored. Note that section (3) lists the situations in which the data subjects’ right to erasure does not apply.
Companies may also erroneously think that the GDPR requires all organizations to employ a data protection officer (discussed in Article 37) and to carry out data protection impact assessments (discussed in Article 35), whereas in actuality both are mandated only in specific cases and circumstances. In many instances, you can simply assign responsibility for GDPR compliance to an existing employee.
Then there are the vendors of compliance solutions who may try to scare you into thinking you must purchase their very expensive compliance software or services because you can’t possibly comply with the GDPR without it. While compliance software can be a useful tool that may make the job easier, there are many alternatives, and whether you need it at all depends on the amount, complexity, and current organization of GDPR-applicable data in your databases.
The GDPR is a complex topic and some parts are open to interpretation. There is a great deal of good information available for those who are trying to understand it and comply with it, but there are also sources that contain inaccurate or incomplete information that could lead you astray. When in doubt, always go back to the original text of the legislation and its recitals, and if you need help in navigating or interpreting it, consult with legal advisors who are specialists in GDPR compliance. Even there, you may find some disagreement on some issues.
Navigating through GDPR is challenging, but Proteus® can help by giving you access to a library of full-featured, business-proven network security and communications solutions with Proteus®GRCyber™. This game-changing subscription will allow you to use software such as Proteus®GRCyber™ which aids in compliance, Proteus®GRCyber™ which ensures your system’s patches are up to date, and more for one low price per unit.