In an industry steaming of buzzwords, GDPR ticks every box. Acronym? Check. Experts galore? Check. Filling marketing banner at trade shows? Definitely check. Behind the noise, hype, and misunderstanding is a substantial piece of legislation that will change how organizations operating in Europe approach data protection.
Set to come into full effect on May 25, 2018, GDPR marks a significant update on the existing 1995 EU directive (95/46/c). It also harmonizes data protection across 28 EU member states, replacing the need for national legislation. The headlines are naturally around data breach fines of up to €20 million (or 4 percent of gross annual turnover), as well as mandatory security notifications, new rules around user consent, a clearer definition around what could be personal data (such as IP addresses, for example), and greater rights for people to access — or request deletion of — the information companies hold on them.
As such, GDPR transcends IT and spreads into areas like sales and marketing, but this complex legislation carries numerous misconceptions. For example, it’s often believed consent must always be explicit, that the 4 percent fine is for all data breaches (it isn’t), and that it’s mandatory to appoint a data protection officer (the DPO role is largely reserved for those processing “special categories of data”). The ambiguity over data processors and controllers — not aided by the controversial Google Spain court case of 2015 — has also caused headaches, especially around data stored in the cloud.
This confusion has had consequences: A recent study from WatchGuard revealed that one in three global organizations weren’t sure if they needed to comply with GDPR, while similar studies have indicated that numerous U.S. firms think the regulation wouldn’t affect them (it does if processing EU personal data). At a conference in July, one speaker revealed that four FTSE 100 companies had yet to start moving toward GDPR compliance — a sign perhaps that fear is stopping progress.
A common reality though is that GDPR isn’t really far removed from existing data protection regulations — it’s just that organizations weren’t overly prepared with them either. “The big shock everyone has with GDPR is that they weren't operating in compliance with current data protection legislation,” says Christian Toon, CISO at legal firm Pinsent Masons. “A lot of businesses are now holding back full implementation for compliance because it's hard to determine what compliance looks like, and are putting faith in a clear plan of action will be enough to deter the regulator.”