Everybody has heard of fake news. Any politician worthy of their claim to modernity has dispensed the term as a battle cry against challenging forces. Bias, misunderstanding, spin, bending the truth are just some of the linguistic aliases which sit on a sliding scale of innocent mistake to concocted falseness.
In the past, it may just have been the case that the misrepresenting lacked a platform to be heard from. Although, today we have social media to thank for that no longer being true. No more obvious has this been evident than the rabble which surrounds the GDPR (General Data Protection Regulation). Since its two-year count-down was announced, all forms of media, including the social kind have been overwhelmed with commentary. Take for example, that up until March 2017, there have been nearly 5,000 articles posted on LinkedIn regarding the subject of the GDPR.
There is no suggestion that all or even the majority of these articles are of poor quality, in-fact the industries rally to educate organisations about the upcoming changes is admirable. However, there exists such an overwhelming desire to be associated with the buzz term that is GDPR, that facts are often tested to the extremes of their elasticity.
The Five Horsemen of the Regulatory Apocalypse
Below are just five of the most commonly observed GDPR myths and monsters lurking in our midst:
- Crash, Burn and Punish – The one which has calculator warriors at the ready, the administrative fines for non-compliance. Often quoted as 4% of annual turnover or €20,000,000 after any publicised data breach, this scare tactic fails to tell the whole truth. In-fact this GDPR administrative fines are listed as maximum values and are tiered based on the nature of the breach. The true value of the administrative fine is for the supervisory body to decide based on the factors surrounding the breach and is very unlikely in all but the most extreme cases to reach these levels. The purpose of the regulation isn’t to force companies into liquidation, it is to force them to choose the cheaper option of better security and business practices.
- The Protected EU Citizens – It is often written that the GDPR covers EU citizen’s personal information regardless of where it resides in the world. The truth is of course slightly more complicated. For organisations based in an EU (European Union) member state, compliance with the GDPR is mandatory for all personal information collected and processed including those who reside outside of the EU. For organisations, which are based in non-EU member states, the requirement is to apply GDPR protection to personal information of data subjects who reside in the EU for the purpose of providing a service or product, irrespective of whether it is free. Citizenship is never mentioned in the pages of the GDPR.
- GDPR is Basically DLP (Data Leakage Prevention) – This interpretation fails to grasp the real purpose of the GDPR and in particular its six core principals. The GDPR does indeed advocate the protection of personal data and processing systems, however it is mostly concerned with items such as clear consent for collecting personal data, ensuring personal data is correct, ensuring the data subject is aware of what personal information is being collected and why. There are over 260 pages in the GDPR, assuming its triviality does it an injustice.
- Buy My Stuff – Sometimes the GDPR reminds me of a convenience store notice board littered with adverts for almost anything for sale. The truth is, it is unlikely you need to buy swathes of solutions to satisfy the requirements of the regulation. The best advice for anyone seeking help with the GDPR is to perform a risk assessment, known as a data protection impact assessment, and identify areas where there may be undue risk to data subjects. A solution or even a new business process may reduce that risk.
- We Outsource Therefore we are Exempt – If there are readers who believe this, please take this as the starkest of warnings. There is almost no chance of an organisation in existence which has no exposure to the GDPR. Under the incumbent Data Protection Act, breaches at third-parties were the responsibility of the third-party, this is no longer the case. Responsibility is on the data controller to ensure their processors are capable. The supervisory body will look unfavourably on those who think they can shift blame with complacency.
Shining Light onto Darkness
The truth is ultimately less scary than the falsifications and mistakes but of course that makes it more difficult to write sensationalised content or sell something. The GPDR was never written to sell solutions or punish organisations across Europe. It is simply there to force better data hygiene in a world where breaches are daily reality.
There will always be myths and monsters, you just need to see them for what they really are by shining the light onto them.