The European Union’s (EU) General Data Protection Regulation (GDPR) took effect last month throughout all European Union member states. Despite potentially expensive repercussions, many unprepared companies are sleep-walking into significantly challenging situations. Here are 13 GDPR myths that you probably believe. How many have you been fooled by?
While many EU companies are well on their way towards GDPR compliance, others are woefully unprepared for this new piece of regulation that aims to unify and strengthen data protection for European citizens. The GDPR took effect on May 25th and the European Commission is aiming to improve how data is managed both within and outside of the EU. Despite widespread publicity and discussion, including a guide to the GDPR on the Information Commissioner's Office (ICO) official website, GDPR myths abound. Here are the top 13 myths, debunked.
Myth #1: Encrypted personal data may safely be stored outside the EU
Reality: Many EU regulators view data location as a security issue, and it is certainly one factor that is highly relevant to overall security. Contrary to widely held belief, the geographical location of personal data is highly regulated. This means that even if a company is the only party that can access the encryption keys, there may still be an issue with storing encrypted data outside of the EU.
Myth #2: Regulatory fines will be insurable
Reality: Despite the prevailing belief that companies can outsource GDPR liability for security to third parties by purchasing cybersecurity insurance to cover data breaches, due diligence is critical. Both customers and subcontractors must be subject to due diligence for the contract to sufficiently cover risks. This means investigating the limitations of both cyber-insurance policies and liability insurance.
Myth #3: All personal data should be encrypted
Reality: A common GDPR misconception is that all personal data should be encrypted. In fact, according to the terms of the GDPR, security measures are risk-based and depend on the costs and available technology. Consumer data only requires a level of security appropriate to the risks and therefore doesn’t require blanket encryption.
Myth #4: Failure to report data breaches isn’t punishable
Reality: Failure to report data breaches can result in a fine. Many companies mistakenly believe that concealing a security breach would be the best course of action. However, this is deemed intentional negligence and may result in a fine from the ICO.
Myth #5: Failure to report a data breach will automatically result in a large fine
Reality: Yes, the ICO could issue your company with a fine if you report a data breach. However, you need to consider the proportional risk of the breach. Are you a repeat offender? Are the scope and scale of the breach significant enough to warrant an automatic fine? There are some key pieces of advice in the ICO’s own guide to the GDPR. If you’ve been open, upfront and honest and have reported without undue delay, that will go in your favor.
Myth #6: Only major data breaches need to be reported to the ICO
Reality: All personal data breaches should be reported to the ICO. However, you need to look at the rights and freedoms of the data subjects that have been impacted. You need to think about containment: is the risk still there? How much information has been compromised? On occasion, you may have to inform the data subjects when a breach occurs. This will help you contain the breach and will be in your favor when you file your report to the ICO.
Myth #7: Security breaches must be reported within 72 hours
Reality: The specific time frame for reporting data breaches can vary depending on what has been compromised and the risks involved. In reality, only personal data breaches must be reported, and the exact timing depends on the risk. While processors (companies that process personal data) should notify their controllers (companies that determine the purposes and means of the processing of personal data) of personal data breaches, the exact timings will depend on the firm’s role.
Myth #8: 72-hour Breach Report Notifications must include all details
Reality: This isn’t always possible. The key things to focus on when writing the ICO report are the scope of the incident, its causes and the mitigating actions that you’ve put in place. Eventually, a full report will need to be submitted to the case officers, but it isn’t necessary to include all details in the 72-hour report.
Myth #9: Security breaches only carry a two percent fine
Reality: In fact, the size of the fine depends on the type of company and the nature of the risk. Processors will receive lower-tier fines (two percent) for security breaches while controllers may receive high-tier fines in the region of four percent. In the case of numerous affected individuals, non-governmental organizations (NGOs) could sue on their behalf, leading to much more severe fines.
Myth #10: Noncompliance is legally equivalent to data breaches
Reality: As per the ICO’s advice, higher-tier fines may be leveled at firms that deliberately and repeatedly engage in noncompliance even if a data breach has not occurred. However, while compliance with the GDPR’s principles is important, noncompliance is not equivalent to a data or security breach.
Myth #11: Fines are capped at four percent
Reality: As we’ve already highlighted, many factors come into play when the ICO decides on the fine to impose. This includes the type of data that has been affected, the degree of negligence, the level of compliance and which rule has been infringed. While there are two tiers of fines – two or four percent – there are situations where fines may exceed four percent of a company’s previous year's revenue.
Myth #12: GDPR fines are focused on punishing companies
Reality: Yes, ICO fines can be significant. However, this isn’t something to dwell on. According to the ICO’s own statistics, out of the 17,300 cases that it investigated in 2016, only 16 actually resulted in fines. The GDPR will only strengthen the ICO’s power to enforce these actions. The GDPR’s focus is protecting consumers’ personal data, not punishing companies.
Myth #13: The risk of heavy fines is exaggerated
Reality: While the ICO’s own data indicates that the likelihood of targeted enforcement is low, assuming that no one will be fined will lead to high-impact issues for many companies. The goal of the GDPR is to strengthen the ICO’s hand so we can expect to see some increase from the 2016 enforcement numbers.
Ultimately, the GDPR will strengthen the ICO’s ability to enforce data protection rules. Companies should focus on the protection of data to stay on the right side of this. Hopefully, this has helped quash a few rumors and has given you some more clarity on what to expect from the GDPR. For more details and information, leave us a comment below or refer to the ICO’s Guide to the General Data Protection Regulation (GDPR).