Don’t be fooled. GDPR implementation is a complex undertaking and being unprepared could have significant and expensive repercussions.
On May 25, 2018, the European Union's (EU) General Data Protection Regulation (GDPR) takes effect in all EU member states. GDPR replaces the 1995 Data Protection Directive and is intended to strengthen and unify data protection for individuals in the EU. It applies to organizations established in the EU that process personal data, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behavior, wherever that data happens to be stored.
But this doesn’t mean US companies can ignore GDPR.
Every organization that does business in the EU, or handles the personal data of people in the EU, must meet GDPR's requirements. If your email list has subscribers in the EU, you have to be compliant. Many companies, particularly in the EU, are already well on their way to compliance. Others are only beginning to consider the consequences of GDPR and face months of hurried effort to align with its requirements.
While GDPR has been widely publicized and discussed, myths abound.
Myth 1: GDPR is like Y2K
Some firms are tackling GDPR with the same hysteria that surrounded the Y2K millennium bug, treating it as a single project with a defined end date. But GDPR is not a point-in-time exercise: its accountability principle requires organizations to be able to demonstrate compliance on an ongoing basis, so the work continues long after May 25, 2018. Others draw the opposite lesson and believe that GDPR, like Y2K, is overblown. Neither view holds up. Compliance with GDPR should be the default position for any legitimate firm.
Myth 2: No one will get fined
Some think the risk of heavy fines is exaggerated. But targeted enforcement is likely, and supervisory authorities may well go after high-profile companies or companies with particularly egregious data processing failures. Planning on the assumption that no one will get fined is itself a high-impact risk.
Myth 3: Everyone will get fined 4 percent
Not every infringement attracts the maximum. Factors such as the categories of data affected, the degree of negligence, whether the infringement was intentional, the steps taken to mitigate the harm, a company's prior infringements and its cooperation with the authority all affect the level of a fine, which must be effective, proportionate and dissuasive. Two tiers apply, depending on which rule has been infringed: up to 10 million euros or 2 percent of total worldwide annual turnover for the preceding financial year, whichever is higher, or up to 20 million euros or 4 percent on the same basis.
Myth 4: Noncompliance is equivalent to a security breach
The higher tier is not reserved for security failures. Infringements of the GDPR's basic principles for processing personal data, such as lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality, fall into the upper tier, as do infringements of individuals' rights and of the rules on international transfers. Some authorities are likely to send a message by imposing high fines on firms that infringe those principles, especially deliberately, even where no security breach is involved.
Myth 5: For security breaches, the fine is only 2 percent
"Controllers," the companies that determine the purposes and means of processing personal data, can receive higher-tier fines for security breaches, because a breach often also shows a failure to process data with appropriate security under the integrity and confidentiality principle, which sits in the upper tier. "Processors," the companies that process personal data on a controller's behalf, face lower-tier fines for failing their own security obligations, but can still be sued for compensation by the individuals affected. That exposure could be large if non-governmental organizations (NGOs) bring claims on behalf of numerous affected individuals, which GDPR permits.
Myth 6: All security breaches must be reported within 72 hours
In fact, only personal data breaches have to be reported: security incidents that lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. The obligation also differs by role. A controller must notify its supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; if it is likely to result in a high risk, the controller must also inform the affected individuals without undue delay. Where a full report cannot be made within 72 hours, the information may be provided in phases, and the reasons for the delay must be given. A processor has no duty to notify the authority directly, but must notify its controller without undue delay after becoming aware of a breach.
Myth 7: It will be safest not to report security breaches
Some firms may think that if they conceal breaches from authorities they will not get fined. This is untrue: breaches often come to light anyway, through complaints, the press or the affected individuals, and failing to notify is a separate infringement that can be fined in its own right. The degree of cooperation with the supervisory authority is also one of the factors that sets the size of any fine, so concealment worsens the position rather than improving it.
Myth 8: To comply with GDPR, we should encrypt everything
GDPR does not mandate encryption. It requires controllers and processors to implement technical and organizational measures that ensure a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing, for data both in storage and in transit. Encryption and pseudonymization are named as examples of such measures, not as requirements. Encryption does carry one specific benefit: if breached data was rendered unintelligible to anyone not authorized to access it, for example because it was encrypted and the keys were not compromised, the controller need not notify the affected individuals. The choice of measures should nevertheless be risk-based rather than blanket.
Myth 9: Companies will be able to outsource GDPR liability for security to third parties
In fact, liability cannot simply be contracted away. Controllers remain responsible for the processing they commission and may use only processors that provide sufficient guarantees; processors must act on the controller's documented instructions and may not engage subprocessors without the controller's authorization. Contracts therefore need to cover the risks adequately, and processors will want to carry out due diligence on both customers and subcontractors. Insurance merits investigation, not just cyber-insurance but also liability insurance, though regulatory fines may not be insurable in many jurisdictions.
Myth 10: Data location is not a security issue
Data location may not be a technical security issue, but it is a legal one and a factor in overall security. Some firms assume that properly encrypted personal data may safely be stored outside the EU as long as they alone hold the keys. Under GDPR, however, transfers of personal data to countries outside the EU are permitted only where the destination has been recognized as providing adequate protection or where appropriate safeguards, such as standard contractual clauses or binding corporate rules, are in place; encrypting the data does not remove that requirement. Many EU regulators also treat data location as a security issue in its own right.
In conclusion
GDPR implementation is a complex undertaking that demands a step-by-step approach based on a shared vision among an organization’s IT department, legal department, line-of-business owners, and board-level executives. A lack of preparation for GDPR may bring significant, expensive and highly unwelcome repercussions.
This article originally appeared on CIO.