7 EU GDPR Misconceptions

The new General Data Protection Regulation (GDPR) will come into force 25th May 2018 and many misconceptions have surfaced since its announcement. There is no denying that this law is an incredibly complex piece of legislation and as such, many interpret it in different ways. We have worked with several clients to ensure they have all the information they need to make the right decision when it comes to complying under GDPR and as part of the process have heard many questions asked as well as many incorrect statements made…

So, we have created a list of the top 7 common misconceptions when it comes to the EU GDPR legislation and our take on them:

  • “It doesn’t affect us after we leave the European Union”

    Following the result of the Brexit vote when Britain decided to leave the EU, many were unclear as to whether the UK would implement GDPR however the ICO has confirmed that they will opt into the GDPR as we will still be in the EU in 2018. It is also worth noting that GDPR applies to ALL businesses that deal with the data of European Citizens, regardless of where the business is located, so it is advised to start taking actions now to ensure you are compliant. UK government have said that the GDPR will be incorporated into UK law and will remain in effect once the UK has left the EU.

  • “I need expensive infrastructure and software to protect myself”

    There is a big emphasis under GDPR that you need to detect Data breaches and report them to the relevant supervisory authority within 72 hours of becoming aware of a breach and if a breach is likely to result in a risk to people’s rights and freedoms. Many businesses don’t have the necessary technology in place to monitor, detect or deal with Data breaches and their concerns are that they need to invest in several different security products to be able to protect themselves. Metaphor IT have alleviated these concerns by offering their Managed Cyber Security Service, Soteria. Having a Managed Security Service means you only pay a monthly fee for what you use and we look after everything – You get access to enterprise level security and cyber security specialists without the hefty investments. Read more about Soteria here.

  • “I don’t hold personal data”

    The General Data Protection Regulation applies to any Personally Identifiable Information on any European Citizen. Whether they are your employees, prospects, suppliers, shareholders or even your customers, the rule applies. The data you store on them is classed as Personally Identifiable Information and can mean anything from names and addresses to bank details and even information provided in a form on your website.

  • “I have Anti-Virus so I am protected from a data breach”

    In today’s world, building out an effective security strategy requires multiple layers of protection and antivirus is only one piece of the puzzle. Traditional products are not enough anymore; additional layers are required to help protect your business and remote workers from emerging cyber threats before they happen.

    Antivirus is a reactive security product. It mitigates against threats by updating itself using information on known attacks, meaning it only knows about an attack after it has launched and infected others. Whereas other proactive security products protect against advanced threats as they spawn by predicting new threats, for example with CryptoLocker, there are currently over 8 million variants which are still adapting every day. Ask Metaphor IT about their Managed Security Service offering which includes a variety of security layers to help protect your business.

  • “My IT / Cloud / Security provider is responsible for this, not me”

    Under the GDPR both your business ‘the controller’ and your provider ‘the processor’ will be responsible, regardless of where the data is stored.

    If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

    Per the Information Commissioner’s Office, the new accountability principle requires you to demonstrate that you comply with what is outlined in the regulation and states explicitly that it is the responsibility of the Board of Directors.

  • “I will know when my business has been breached”

    Some business owners out there think of a breach or cyber-attack like the ones in the movie where all the computer screens are taken over but in reality most breaches can go undetected for days, months and even years. Most businesses lack the capability to detect anything other than malware-based attacks or have untrained and inexperienced staff. Sony’s breach which they reported in November 2014 occurred a year prior to them discovery it. It’s estimated the average time to detect a breach is 9 months.

    The other point to make here is you may only know about a breach once it has caused damage to your organisation – why wait for this to happen when you can monitor, detect, respond and adapt to threats before you become a victim?

  • “The biggest threat to my business are the massive fines”

    Whilst the headline fines are huge and look great on the front page of newspapers, the regulation is not about fines. The regulation is there to put the customer, the “data subject”, first. The Information Commissioner’s Office has already stated that they wish to guide and educate businesses to comply with the law, not just levy huge fines and move onto the next business. The fines are there as a deterrent and for use in the most serious cases or for businesses who fail to take any guidance or make any changes towards data protection for “data subjects”.

If you have any concerns or questions around the General Data Protection Regulation and would like unbiased advice for your business, then get in touch with us today.

Are ready to take on the challenge of preparing your business for GDPR? Take our readiness assessment to see what actions, you need to take next.