Three common GDPR misconceptions

By Jan van Vliet, VP and GM EMEA at Digital Guardian.

The General Data Protection Regulation (GDPR) is underway. IT vendors, acutely aware of how unprepared many organisations still are, have been looking to cash in on the rush to compliance. The issue is that these vendors are not always selling products that actually help with compliance. The resulting mixed marketing messages coming from the industry have left many businesses' IT professionals confused.
 
 Below are three of the main misconceptions currently out there, alongside what the GDPR really means for organisations in each case:
 
1. Don’t just stop breaches – ensure comprehensive data protection
Perhaps the biggest misconception about GDPR is that it is about preventing data breaches. While that is a major focus of the regulation, it is certainly not its sole objective. GDPR is about data protection by design, which is much broader than just preventing breaches. In fact, the regulation encompasses protecting data from leakage, alteration, destruction and malicious activity (i.e. breaches).
 
Data protection by design emphasises the importance of building and implementing security programs with data protection best practices in mind from the outset. This includes only collecting the minimal amount of customer information necessary, ensuring all data is encrypted while in transit, and applying pseudonymisation techniques to make it unidentifiable at all times.
 
As many security experts point out, the GDPR really should not pose too much of an issue for any organisation that already has a robust data protection programme in place. If the incoming implementation deadline has caused panic, there is a very high chance that existing security policies fall far below the standard required and expected in the modern business environment.
 
2. Classifying data will not lead to compliance
Many security vendors are promoting data classification tools and detection controls as the central tenet of a robust, GDPR compliant security program.
 
Data classification tools certainly help companies to identify and classify personal data, thereby making it easier to implement auditing and controls. As such, it is easy to see why one would think that data classification tools play a key role in meeting the GDPR requirements. However, the complexity of data classification often impedes businesses instead of helping them. Classification of personal information in particular has traditionally been difficult to put in place without specialised technology and is usually full of false positives.
 
In relation to the GDPR, data classification could get very complicated indeed. For example, some pieces of data might be unique enough to identify a particular person on their own (e.g. a social security number), while others would need to be combined with a handful of other pieces of data in order to identify a person (e.g. first name + date of birth + hair colour).
 
Furthermore, data classification cannot provide any instant protection to data; only techniques such as encryption and pseudonymisation can do that. The same is true for detection controls. While detection controls might help in identifying the who, what and where in the event of a breach, they do not help meet the GDPR's requirement to ensure a level of security appropriate to the risk of collecting and storing personal data.
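The two points above, pseudonymising direct identifiers by design and the difficulty of classifying combinations of ordinary fields as personal data, can be illustrated together. The following is an added example, not code from the article or from Digital Guardian: it replaces a direct identifier with a keyed pseudonym, then checks whether the remaining quasi-identifiers (the article's first name + date of birth + hair colour) still single out individual records. The records and key are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people) and a placeholder key;
# in practice the key lives in a secrets store, never in source code.
PSEUDONYMISATION_KEY = b"replace-with-a-secret-key-from-a-vault"

RECORDS = [
    {"ssn": "111-22-3333", "first_name": "Alice", "dob": "1980-01-01", "hair": "brown"},
    {"ssn": "444-55-6666", "first_name": "Bob", "dob": "1975-06-30", "hair": "black"},
    {"ssn": "777-88-9999", "first_name": "Alice", "dob": "1980-01-01", "hair": "blonde"},
    {"ssn": "123-45-6789", "first_name": "Bob", "dob": "1975-06-30", "hair": "black"},
]

DIRECT_IDENTIFIERS = ["ssn"]                      # unique on their own
QUASI_IDENTIFIERS = ["first_name", "dob", "hair"]  # identifying only in combination


def pseudonymise(value: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Keyed pseudonym: stable (so records can still be joined) but not
    reversible or guessable without the key, unlike a plain hash."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise_record(record: dict) -> dict:
    """Return a copy of the record with every direct identifier replaced."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = pseudonymise(out[field])
    return out


def singletons(records: list, fields: list) -> list:
    """Quasi-identifier combinations that match exactly one record.
    Any such combination still identifies a person despite pseudonymisation."""
    counts = Counter(tuple(r[f] for f in fields) for r in records)
    return [combo for combo, n in counts.items() if n == 1]


if __name__ == "__main__":
    safe = [pseudonymise_record(r) for r in RECORDS]
    print("pseudonymised:", [r["ssn"] for r in safe])
    print("still unique via name+dob+hair:", singletons(safe, QUASI_IDENTIFIERS))
    print("still unique via name+dob only:", singletons(safe, ["first_name", "dob"]))
```

With the constructed data, name and date of birth alone match two records each, but adding hair colour singles out both "Alice" records, which is exactly the kind of context-dependent classification the article says is hard to automate.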
 
3. The c-suite is actually responsible for all data breaches
Article 37 of the GDPR introduces the need for certain types of organisation to appoint a Data Protection Officer (DPO). While the DPO has formal responsibility for data protection compliance within an organisation, many c-suite teams are unaware that ultimate responsibility and accountability for meeting the requirements of GDPR still lies with them.
 
The DPO has a precise role under the GDPR to act as the authoritative voice inside an organisation and ensure that the regulations are being applied, followed and audited. They are also tasked with being the liaison and public face of the organisation in the event of a breach, as well as for any data subject requests. 
 
To ensure a DPO is successful, it is imperative they are given authority by the senior management team and board. Despite this, the position is already being seen by many as little more than a sacrificial lamb in the event of a breach. Rather than treating the DPO as a ‘scapegoat-in-the-making’, it is far more constructive to work closely with them and ensure compliance requirements are being met, for everyone’s sake.
 
Businesses must treat the GDPR with respect; the fines if they don't are substantial. The regulation is designed to make businesses aware of the data that they use, and to think more carefully about whether there are safer, more private ways to work. The end game for businesses is to create a data-centric culture. An organisation that achieves this protects any data it holds from the moment it receives it and maintains internal visibility of that data, so that it can always be located. Businesses must not let misconceptions get in the way of achieving this goal.