Don't be fooled. GDPR implementation is a complex undertaking, and being unprepared could have significant and expensive repercussions.

On May 25, 2018, the European Union's (EU) General Data Protection Regulation (GDPR) takes effect in all EU member states. GDPR is a new regulation intended to strengthen and unify data protection for individuals whose personal data is processed by organizations established in the EU. It also reaches organizations outside the EU that process the personal data of people in the EU, for example by offering them goods or services or monitoring their behavior.

In short, every company that does business in the EU must conform to GDPR. Many companies, particularly those based in the EU, are already well on their way to compliance. Others are only beginning to consider the consequences of GDPR and face months of hurried effort to align with its requirements. While GDPR has been widely publicized and discussed, myths abound.

Myth 1: GDPR is like Y2K

Some firms are tackling GDPR with the same hysteria prevalent during the Y2K millennium bug, approaching it as a single project with a defined end date. But GDPR is not a point-in-time activity: its obligations (accountability, data subject rights, breach notification, security of processing) continue indefinitely after the May 2018 deadline. Conversely, many firms believe that phenomena like Y2K, and now GDPR, are overblown. Compliance with GDPR should nonetheless be the default position for any legitimate firm.

Myth 2: No one will get fined

Some think the risk of heavy fines is exaggerated. But targeted enforcement is likely, and authorities may go after high-profile companies or companies with particularly egregious data processing faults. Assuming no one will get fined is a high-impact bet.

Myth 3: Everyone will get fined 4 percent

Two tiers of maximum fines apply, depending on which provisions have been infringed: up to 2 percent or up to 4 percent of the previous year's worldwide annual turnover (or a fixed sum of 10 million or 20 million euros respectively, whichever is higher). These are ceilings, not defaults. Factors such as the types of data affected, the degree of negligence, a company's prior infringements, the measures it had in place, and how it cooperated with the authority will all affect the fine actually imposed.

Myth 4: Noncompliance is equivalent to a security breach

A security breach is only one way to infringe GDPR. Compliance with all of the fundamental personal data processing principles (lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability) matters in its own right. It is likely that some authorities will seek to send a message by imposing high fines on firms that infringe those or other principles, especially if they do so deliberately, even where no security breach is involved.
Myth 5: For security breaches, the fine is only 2 percent

"Controllers," the organizations that determine the purposes and means of processing personal data, can receive higher-tier fines in connection with a security breach, because a breach may also infringe the fundamental processing principles rather than only the security-of-processing obligation. "Processors," the organizations that process personal data on a controller's behalf, face lower-tier fines for security failures but can still be sued directly by affected individuals. Exposure could be large if non-governmental organizations (NGOs) bring claims on behalf of numerous affected individuals.

Myth 6: All security breaches must be reported within 72 hours

Only personal data breaches, not every security incident, have to be reported, and the obligations differ with a firm's role as controller or processor. A controller must notify its supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals; where the risk to individuals is high, the controller must also inform them. A processor must notify its controller without undue delay, so that the controller's clock can start.

Myth 7: It will be safest not to report security breaches

Some firms may think that if they conceal security breaches from authorities, they will not get fined. This is untrue. The breach may come to light anyway, for example through a complaint from an affected individual or a report from a processor, and the firm could then be fined both for the underlying failure and for failing to report it.

Myth 8: To comply with GDPR, we should encrypt everything

GDPR does not mandate any particular technology. It requires measures that ensure a level of security appropriate to the likelihood and severity of the risks to individuals, at every stage of processing including storage and transmission, taking into account the state of the art and the cost of implementation. Encryption and pseudonymisation are named as examples of appropriate measures, not as requirements. Security measures should therefore be risk-based, and encryption is only as strong as the key management behind it: data encrypted with keys stored alongside it reduces the risk very little.

Myth 9: Companies will be able to outsource GDPR liability for security to third parties

GDPR imposes direct obligations on processors as well as controllers, so liability cannot simply be shifted by contract. It will be critical to make sure that contracts sufficiently allocate and cover the risks. Processors will want to carry out due diligence on both customers and subcontractors. Insurance merits investigation, not just cyber-insurance but also liability insurance, though regulatory fines may not be insurable.

Myth 10: Data location is not a security issue

While data location may not be a technical security issue in itself, it is one factor that may be relevant to overall security.
Some firms may think that properly encrypted personal data may safely be stored outside the EU as long as they alone hold the keys. However, the geographic location of personal data is highly regulated under data protection law as a legal compliance matter, independent of the technical controls applied to it. Many EU regulators also take the view that data location is a security issue.

In conclusion

GDPR implementation is a complex undertaking that demands a step-by-step approach based on a shared vision among an organization's IT department, legal department, line-of-business owners, and board-level executives. A lack of preparation for GDPR may bring significant, expensive and highly unwelcome repercussions.

This article originally appeared in the CIO July/August 2017 Digital Magazine.