3 GDPR mythbusters

Chaucer / Chaucer Viewpoints  / 3 GDPR mythbusters

Can a product make you compliant under the General Data Protection Regulation?

There are absolutely no products on the market that can make your organization compliant under the General Data Protection Regulation (GDPR). There are tools that you can use to assist you in your compliance journey relating to, for example:

  • Dealing with unstructured data
  • Data mapping
  • Setting up processes and procedures

The Regulation makes it clear that you must obtain consent in order to lawfully process personal data, and that the collection and storage of all personal data must be transparent. Data subjects will be able to demand a right to be forgotten, meaning that they can request organizations to remove/erase all data that is held about them as long as there is no overriding legislation that stops them from doing so.

Another important element of GDPR is that if your organization suffers a data breach you have 72hrs in which to inform all or any data subjects who have been affected by the breach.

Employee training is key and should not be overlooked or underestimated. Having the best systems, procedures policies and processes won’t work if employees are not properly trained.

All organizations will be required to appoint key positions, where appropriate and necessary, to ensure that data compliance is being met. These include:

  1. Data controller – The data controller oversees how personal data is collected and processed, as well as insures that all third parties are complying with the Regulation.
  2. Data processor – Data processors can include members from your organization as well as partners and third-party providers.
  3. Data Protection Officer (DPO) – The DPO is responsible for driving data protection and compliance strategy throughout your organisation. They also have a direct relationship with the Supervisory Authority in the UK, namely the Information Commissioners Officer (ICO). If your organisation has offices within Europe where personal data is processed, then the DPO will also maintain a relationship with the relevant Supervisory Authority in that country.

GDPR doesn’t affect me

Think of the analogy of a tree falling over in a forest: If nobody hears it, does it make a sound? This is very similar to GDPR: If the EU passes a privacy law, can anybody in the US hear it?

GDPR will be funded by a concept very familiar to most Americans – ticket book motivation. Imagine GDPR as a quaint town that derives most of its income from speed traps that are set throughout. Unsuspecting drivers pay large fines for violating traffic laws that are strictly enforced. GDPR operates much the same way – organizations will face steep penalties for not following the rules.

Any organization that believes GDPR doesn’t affect them may have a big surprise. Even if your company doesn’t have servers or a business presence in the EU, you must comply with GDPR if you:

  1. Process personal data of EU citizens or residents
  2. Have more than 250 employees
  3. Have less than 250 employees, but regularly collect and process personal data of citizens

From purchasing a product, to newsletter subscriptions to promotional offers, each facet of customer interaction requires that GDPR compliance is met.

  1. Data controller – The data controller oversees how personal data is collected and processed, as well as insures that all third parties are complying with the Regulation.
  2. Data processor – Data processors can include members from your organization as well as partners and third-party providers.
  3. Data Protection Officer (DPO) – The DPO is responsible for driving data protection and compliance strategy throughout your organisation. They also have a direct relationship with the Supervisory Authority in the UK, namely the Information Commissioners Officer (ICO). If your organisation has offices within Europe where personal data is processed, then the DPO will also maintain a relationship with the relevant Supervisory Authority in that country.

GDPR won’t be taken seriously

If you think for a moment that GDPR won’t be strictly enforced, you are setting your organization up for an incredible and expensive shock.

For instance, prior to GDPR, Equifax could have been fined $27 million for the stunning data breach which exposed the personal, identifying information of over 143 million consumers.

After GDPR, Equifax could face over $125 million in fines

If you think we can help you to implement your project or programme strategy, please call us on:
+44 (0) 203 141 8400 in UK/Europe, or ​​​+1 713 821 1783 in the USA.

Alternatively, please send us some brief information and we can discuss things in more detail.