[BreachExchange] Top 4 GDPR Misconceptions

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 12 18:59:01 EDT 2018


https://www.lightreading.com/enterprise-cloud/security-and-compliance/top-4-gdpr-misconceptions/a/d-id/742187


When it comes to handling the European Union's General Data Protection
Regulation (GDPR), there are two vastly different schools of thought. Some
shrug off GDPR and assume that it doesn't apply to them. Others take the
opposite approach and believe that their business will likely be shuttered
if the regulation isn't followed to the letter. The truth obviously falls
somewhere in between. In this article, we'll discuss four misconceptions
regarding GDPR that will help point you in the right direction.

Misconception 1: Assuming compliance requests can be met
From a very high-level perspective, the goal of GDPR is to protect the
personal data of individuals in the EU. It applies to businesses around the
globe that collect and store data about people in the EU, whether or not
those people are EU citizens. The rights it grants include erasure (the
"right to be forgotten"), access (the ability to request and promptly
receive a copy of the data held about you), and rectification (the ability
to identify and correct errors in that data). None of these is necessarily
easy for a company that collects and analyzes personal data: the data is
typically spread across production databases, backups, log pipelines,
analytics stores and third-party processors, and a request has to reach all
of them. IT leaders shouldn't simply assume that these requirements can be
met. Instead, thorough testing should be performed that mimics these
requests end to end. A best-practice tip is to treat data subject requests
like disaster recovery testing. At least once a year, application and
database administrators should run mock access, rectification and erasure
requests for a test subject and verify that each can be completed within the
statutory window, which under Article 12(3) is one month from receipt,
extendable by a further two months only for complex or numerous requests.
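One way to run that mock request, as an added example (not code from the article or from the list post), against a throwaway SQLite database. The schema, the sample rows, the drill subject and the helper names are all assumptions constructed for the example; the point it makes is that the request has to reach every table keyed to the person, including one that holds only a hash of the email, and that erasure has to be verified with keys resolved before anything is deleted:

```python
"""Mock data-subject-request drill against a throwaway SQLite database.
Added example, not code from the article or from Risk Based Security: the
schema, rows and helper names are constructed to show what a yearly drill
must prove, namely that access, rectification and erasure reach every table
that can be tied back to one person, including one keyed only by a hash."""
import calendar
import hashlib
import sqlite3
from datetime import date

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, item TEXT);
CREATE TABLE support_tickets (id INTEGER PRIMARY KEY, email TEXT, body TEXT);
-- Only a hash of the email is stored here, but a hash of a known email is
-- still linkable to that person, so the table is in scope for every request.
CREATE TABLE analytics_events (id INTEGER PRIMARY KEY, subject_hash TEXT, event TEXT);
"""

# How each table is keyed to a person (constructed; in practice this comes
# from the data map). Table names are fixed here, never taken from input.
LOCATORS = {
    "users": "email = :email",
    "orders": "user_id = :user_id",
    "support_tickets": "email = :email",
    "analytics_events": "subject_hash = :hash",
}
# Children before parents, so no DELETE depends on a row already removed.
ERASE_ORDER = ["orders", "support_tickets", "analytics_events", "users"]


def subject_hash(email):
    return hashlib.sha256(email.lower().encode()).hexdigest()


def build_fixture():
    """Constructed sample data: one drill subject (Anna) and one bystander."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Name misspelt on purpose so the rectification step has something to fix.
    conn.execute("INSERT INTO users VALUES (1, 'anna@example.eu', 'Anna Exmaple')")
    conn.execute("INSERT INTO users VALUES (2, 'bob@example.eu', 'Bob Other')")
    conn.execute("INSERT INTO orders VALUES (10, 1, 'laptop'), (11, 2, 'mouse')")
    conn.execute("INSERT INTO support_tickets VALUES (20, 'anna@example.eu', 'login issue')")
    conn.execute("INSERT INTO analytics_events VALUES (30, ?, 'page_view')",
                 (subject_hash("anna@example.eu"),))
    conn.commit()
    return conn


def resolve_keys(conn, email):
    """Collect every key the person is stored under BEFORE touching any row:
    once the users row is gone, a join through it would say 'no orders left'
    even if the orders were still there."""
    row = conn.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
    return {"email": email, "user_id": row[0] if row else -1, "hash": subject_hash(email)}


def locate(conn, keys):
    """Row count per table for this person."""
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t} WHERE {w}", keys).fetchone()[0]
            for t, w in LOCATORS.items()}


def export(conn, keys):
    """Right of access: every row for the person, as plain dicts."""
    out = {}
    for t, w in LOCATORS.items():
        cur = conn.execute(f"SELECT * FROM {t} WHERE {w}", keys)
        cols = [d[0] for d in cur.description]
        out[t] = [dict(zip(cols, r)) for r in cur.fetchall()]
    return out


def rectify(conn, keys, new_name):
    """Right to rectification, here limited to the name; returns stored value."""
    conn.execute("UPDATE users SET name = :name WHERE email = :email", {"name": new_name, **keys})
    conn.commit()
    return conn.execute("SELECT name FROM users WHERE email = :email", keys).fetchone()[0]


def erase(conn, keys):
    """Right to erasure across every registered table."""
    for t in ERASE_ORDER:
        conn.execute(f"DELETE FROM {t} WHERE {LOCATORS[t]}", keys)
    conn.commit()


def response_deadline(received_iso):
    """Article 12(3): one month from receipt, same day next month clamped to
    that month's length (the two-month extension is not modelled)."""
    received = date.fromisoformat(received_iso)
    year, month = received.year + (received.month == 12), received.month % 12 + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day).isoformat()


def run_drill(conn, email, corrected_name="Anna Example"):
    """Run access, rectification and erasure for one subject. 'passed' also
    requires data in every table beforehand, or the drill proves nothing."""
    keys = resolve_keys(conn, email)
    before = locate(conn, keys)
    exported = export(conn, keys)
    name_after = rectify(conn, keys, corrected_name)
    erase(conn, keys)
    residual = [t for t, n in locate(conn, keys).items() if n]
    return {"found": before, "exported_tables": sorted(exported), "rectified": name_after,
            "residual": residual,
            "passed": all(before.values()) and name_after == corrected_name and not residual}
```

Running `run_drill(build_fixture(), "anna@example.eu")` reports the rows found per table before the drill, the corrected name, and any table that still holds rows after erasure; the bystander's rows must be untouched. The registry of locators is the part worth maintaining in real life: every new table or data store that can be tied to a person has to be added to it, or the drill passes while data is left behind.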

Misconception 2: Where data should be stored
A key misconception regarding GDPR revolves around where and how data is
stored. Some believe that as long as their collected data does not reside
inside a European Union data center, they are exempt from the regulation.
This is a false assumption. It's about the data subject, not the location
where the data is stored: Article 3 applies GDPR to any organization,
wherever it is established, that offers goods or services to people in the
EU or monitors their behaviour, and it was written that way precisely to
reach organizations based outside the EU.

Yet just because GDPR reaches around the globe and requires special
consideration for data about people in the EU, some IT security
professionals take it too far and believe they must separate that data from
all other collected data and keep it in EU data centers. GDPR does not
require EU-only storage. Transferring personal data outside the EU is
permitted under a recognised transfer mechanism (an adequacy decision for
the destination country, standard contractual clauses, or binding corporate
rules), so if the protections can be met, there's no reason to make drastic
changes to collection and storage methods. Anonymization also takes data
out of scope entirely, but only if it is genuine: pseudonymised data
(hashed or tokenised identifiers that a key or lookup table can reverse) is
still personal data (Recital 26), and a dataset with names removed can
still be re-identified by combining the remaining attributes with outside
sources, the so-called mosaic effect. When data protection is properly
implemented, and "anonymous" data is checked against that standard rather
than assumed to meet it, businesses should have no trouble complying.
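To show what "properly anonymize" has to mean in practice, here is an added example (not code from the article) that computes k-anonymity over a constructed set of records and performs the re-identification join that the mosaic effect relies on. The attribute names, the generalisation rules and the k and l targets are illustrative assumptions, not anything the article specifies:

```python
"""Why 'we removed the names' is not anonymisation: a k-anonymity check.
Added example, not from the article. The records are constructed; the
quasi-identifiers and generalisation rules are illustrative choices."""

# Constructed health records with direct identifiers already stripped.
RECORDS = [
    {"zip": "10115", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"zip": "10117", "birth_year": 1986, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "10119", "birth_year": 1981, "sex": "F", "diagnosis": "asthma"},
    {"zip": "20095", "birth_year": 1975, "sex": "M", "diagnosis": "flu"},
    {"zip": "20097", "birth_year": 1972, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "20099", "birth_year": 1979, "sex": "M", "diagnosis": "flu"},
]
# Attributes that are not identifiers on their own but are also held in
# outside sources (voter rolls, social profiles) and so can be joined on.
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def equivalence_classes(records, qi):
    """Group records by their quasi-identifier tuple."""
    classes = {}
    for r in records:
        classes.setdefault(tuple(r[c] for c in qi), []).append(r)
    return classes


def k_anonymity(records, qi):
    """Smallest class size: k == 1 means at least one person is unique."""
    return min(len(rows) for rows in equivalence_classes(records, qi).values())


def unique_combinations(records, qi):
    """Quasi-identifier tuples that point at exactly one record."""
    return sorted(key for key, rows in equivalence_classes(records, qi).items()
                  if len(rows) == 1)


def reidentify(records, known):
    """Mosaic effect: join outside knowledge about one person onto the
    'anonymous' set and return every record that fits."""
    return [r for r in records if all(r.get(c) == v for c, v in known.items())]


def generalise(record):
    """Coarsen quasi-identifiers so several people share each combination:
    ZIP to its first three digits, birth year to its decade."""
    g = dict(record)
    g["zip"] = record["zip"][:3] + "**"
    g["birth_year"] = record["birth_year"] // 10 * 10
    return g


def l_diversity(records, qi, sensitive):
    """Even with k >= 2, if everyone in a class shares the sensitive value the
    attribute still leaks; l is the smallest number of distinct values."""
    return min(len({r[sensitive] for r in rows})
               for rows in equivalence_classes(records, qi).values())


def anonymisation_report(records, qi, sensitive, k=2, l_min=2):
    """Apply generalisation and report whether the release meets the targets."""
    released = [generalise(r) for r in records]
    rk, rl = k_anonymity(released, qi), l_diversity(released, qi, sensitive)
    return {
        "raw_k": k_anonymity(records, qi),
        "released_k": rk,
        "released_l": rl,
        "release_ok": rk >= k and rl >= l_min,
        "released": released,
    }
```

On the raw records every ZIP/birth-year/sex combination is unique, so anyone who knows those three facts about one person (a public voter roll is enough) reads that person's diagnosis straight off the "anonymous" set. After generalisation each combination covers three people and the same join returns three candidates, and the l-diversity check confirms that those three do not all share one diagnosis. The thresholds are a policy choice; the check is what matters, and it belongs in the release pipeline rather than in a one-off review.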

Misconception 3: Ignoring other international regulations
IT departments often err by focusing solely on European Union regulation.
GDPR is the most prominent privacy regime of its kind today, but it will
not be the last. Countries including Australia, Japan and Singapore have
their own data protection laws and are tightening them: Australia's
Notifiable Data Breaches scheme took effect in February 2018, Japan's
amended Act on the Protection of Personal Information came fully into force
in 2017, and Singapore's Personal Data Protection Act has applied since
2014. While some compliance requirements overlap, you can count on others
to be more or less strict, so assuming that your work is done because you
comply with GDPR is the wrong mindset to have in 2018.

Misconception 4: Rushing to meet the May 25 deadline
One final aspect of GDPR that concerns many is that it becomes enforceable
on May 25, 2018. That's not much time for those who haven't yet started
preparing. However, it's highly improbable that the GDPR police are going
to come banging on your door on May 26 to check that the necessary
protections are in place. Enforcement is more likely to be reactive, driven
by complaints from data subjects and by breaches disclosed after the
regulation takes effect. Bear in mind that Article 33 requires a breach of
personal data to be reported to the supervisory authority within 72 hours
of becoming aware of it, and a breach involving people in the EU can
trigger a wider compliance audit, with fines of up to 20 million euros or
4% of global annual turnover, whichever is higher. So, technically,
businesses could fly under the radar and reach compliance well after the
May 25 deadline. This is obviously a risk. However, if you're rushing to
meet the looming deadline, you're likely to make mistakes. Therefore, it
may make sense to accept not being fully prepared by May 25 in order to put
processes and procedures in place correctly, while prioritizing what cuts
exposure fastest: an accurate inventory of where personal data lives, a
working breach-notification procedure, and the ability to answer data
subject requests.

Conclusion
It's easy to jump to one extreme or the other: wasting time and money on
massive changes to data collection and storage methods, or ignoring the
situation altogether. A level-headed approach is a far better mindset to be
in. The EU is not out to get us. It has enacted logical and meaningful
regulation to protect people within its borders. We should be applauding
that and assuming these types of regulations will soon take hold in many
more regions around the globe. Although we as US citizens don't yet have
these types of individual data rights, as global businesses that hold data
about people in the EU, it's our duty to comply while also not going
overboard.