During many of our client engagements, we often come across misconceptions about the EU General Data Protection Regulation, or GDPR. This is no surprise. After all, it's a long and complex set of requirements. It's easy to see how the rapidly approaching compliance deadline coupled with the amount of information – and misinformation – about the new directive can easily create and spread confusion. In the interest of helping organisations properly prepare for GDPR, let's address some of the most common and significant misconceptions circulating throughout the marketplace.
I'm not based in the EU so GDPR doesn't apply to me.
Unfortunately, many companies holding that view are quite mistaken. GDPR isn't about where the legislation sits or even purely about where the processor is situated. It's about the data. In other words, it is about where the data subjects are based. If you process data about EU citizens or residents, irrespective of where you are based and whether you have an EU subsidiary or office or not, then you are in scope. Take a look at GDPR Article 3 for further details.
Indeed, some US-based organisations are already advanced in their GDPR preparations and others are making it a priority. Not only that, but many jurisdictions, including Hong Kong, Singapore and countries in the Middle East, are tailoring GDPR for their own purposes. As a matter of fact, Australia already has its own similar breach notification regulations to protect its citizens' data.
It is also worth noting that GDPR will become law before the expected date of Brexit, so it will apply in the UK as well.
Overall it's clear that GDPR is set to change the way personal data is handled globally, not just in the EU.
If it does apply to me, then legal will take care of it.
Certainly, your legal team will be responsible for the legal aspects of GDPR. It is first and foremost a data protection regulation, and as such there is a considerable legal component around topics such as consent, access, data portability and the right to be forgotten. However, GDPR's impact extends well beyond your legal department: IT, security and, to a lesser extent, departments such as HR and finance have important roles to play too. GDPR is not the responsibility of a single part of your business. Legal deals with rights management, consent, privacy notices, adequacy and contracts; IT with implementing technical controls; and security with protection of the data, including detecting and responding to any threats to that data. Other departments must ensure that their adherence to other legal requirements, such as employment law, and their general day-to-day business practices don't lead them to breach data protection good practice.
Okay, I can see I can't ignore this. But at least as soon as it's addressed, it won't impact business as usual.
Not so fast. It's accurate that the GDPR deadline is fast approaching, May 25th 2018 to be precise, but maintaining compliance is not a one-time fix, nor is it a regulatory framework easily met by ticking a few boxes and forgetting about it for most of the year.
GDPR compliance is the new business-as-usual. Adhering to its principles must become part of the lifecycle of information management. Any single change you make going forward must be assessed to ensure that it doesn't put you into a position of non-compliance.
GDPR is the New Normal
GDPR doesn't contain a list of controls and tools in the same way that some compliance frameworks do. Because it's a risk-based, business-driven model, built around your own particular operations, your own risk profile and that of your data subjects, the controls for each organisation will be different. Be wary of any vendor trying to sell you out-of-the-box GDPR solutions that downplay the importance of understanding your specific organisational needs.
GDPR is a living process, designed to protect you and your data subjects. Good information governance can be a business enabler and a competitive advantage, not necessarily the roadblock many fear GDPR will be. Given how the regulatory landscape is evolving, organisations not yet impacted might find it advantageous to bolster their compliance standing now, because as data grows ever more critical to protect, it may not be long before similar regulations are introduced across the globe.