For the last couple of years, GDPR EU has been one of the hottest topics across all digital industries. The result of four years of work by the European Commission is set to replace the current EU Data Protection Directive from 1995, which has become insufficient to meet the needs of the current digital environment. This new framework introduces a series of regulations that will not only give European citizens more control over their data, but will also bring tougher fines for companies that do not comply with the protection rules.
Nonetheless, the implementation of the so-called General Data Protection Regulation still sparks some confusion among digital companies. Just four months before it enters into force, we continue to stumble across a variety of myths that people seem to believe in – and, considering the complexity of the topic, we can’t really blame them. However, it is important to make sure that everything is clear before GDPR EU gets implemented in May 2018. As a cloud service provider concerned about security, we decided to debunk 7 common myths that continue to circulate around the Internet:
Myth #1: GDPR doesn’t concern non-European countries
Despite the fact that the General Data Protection Regulation was issued by the European Commission, its application is not limited to EU countries. In fact, each organization that manages and processes data of EU citizens will have to be in compliance with the new regulations. In other words, almost every major global corporation falls under the requirements of data protection, and will need to work on its strategy in order to avoid costly data breaches.
Myth #2: GDPR EU Compliance is a one-time event
While many companies are actively getting ready for the official date of its implementation, it is important to know that compliance with the new data protection regulations does not end in May 2018. In fact, GDPR is an ongoing process that will require continuous review of organizational processes and data collection. Long after the legislation takes effect, you will still be expected to continue identifying and addressing emerging security risks and threats.
Myth #3: Only data collected after the legislation date should be compliant
Even if the data was collected before the General Data Protection Regulation takes effect, it still needs to be compliant. According to the new legislation, companies need to make sure that individuals whose data is being collected have given their clear consent. If informed consent was obtained from the user before the effective date, there is no need to collect the information again. However, if the company has existing consents that were valid under the 1995 Directive, but do not satisfy the requirements of the GDPR EU, they will have to be re-obtained.
Myth #4: Everyone needs to appoint a Data Protection Officer
According to Article 37 of the GDPR, the mandatory appointment of a DPO to take care of the internal data protection practices of a company applies to:
- Public authorities that process data
- Companies (either controllers or processors) whose core activities require regular and systematic data processing on a large scale
- Companies (either controllers or processors) that process sensitive data on a large scale, or data related to criminal convictions
Earlier drafts of the new legislation limited these requirements to companies with 250+ employees, but the final version has no such restriction – in which case you might need to appoint a DPO even if you are a small company (and you fall under one of the above-mentioned categories).
Myth #5: All details must be provided immediately after a data breach
Under the GDPR requirements, you must inform the corresponding authorities within 72 hours after becoming aware of a breach. However, more specific details can be added later – there is no need for a comprehensive report immediately after the incident. In many cases, it takes some time until all the details of a breach are discovered; nonetheless, you will have to report the potential scope and the cause of the breach.
Myth #6: I don’t need to be GDPR compliant if my data is stored on a cloud service provider who meets the requirements
If you are storing personal data on a cloud provided by third parties, both you and your provider need to make sure that it is handled securely under the new legislation. However, some practices related to data storage can be out of your provider’s reach, and it is your responsibility to ensure that all internal processes within your company are aligned with the security regulations for data management.
As a cloud solutions provider, Cloud Worldwide Services always makes sure that all data storage practices are protected with the necessary security layers. For example, our cloud-based call recording software Recordia not only encrypts communication between services, but it also allows for full access traceability in compliance with GDPR.
Myth #7: GDPR EU is all about avoiding fines
A lot of people are concerned about the huge fines that can affect their company after a data breach – which can be up to €20 million, or 4% of the worldwide annual turnover. However, being compliant and providing good data protection is not about avoiding fines. If a serious data breach occurs within your company, it will have a huge negative impact on your revenue and reputation – in which case, fines will be the last thing on your mind.
In light of the upcoming legislation on May 25th this year, it is extremely important to clarify concepts and debunk myths in time for the last preparations. Are you ready for GDPR yet?