23 Mar, 2018

3 GDPR mythbusters

Can a product make you compliant under the General Data Protection Regulation?

There are absolutely no products on the market that can make your organization compliant under the General Data Protection Regulation (GDPR). There are tools that you can use to assist you in your compliance journey relating to, for example:

  • Dealing with unstructured data
  • Data mapping
  • Setting up processes and procedures

The Regulation makes it clear that you must obtain consent in order to lawfully process personal data, and that the collection and storage of all personal data must be transparent. Data subjects will be able to demand a right to be forgotten, meaning that they can request organizations to remove/erase all data that is held about them as long as there is no overriding legislation that stops them from doing so.

Another important element of GDPR is that if your organization suffers a data breach, you have 72 hours in which to inform all or any data subjects who have been affected by the breach.

Employee training is key and should not be overlooked or underestimated. Having the best systems, procedures, policies and processes won’t work if employees are not properly trained.

All organizations will be required to appoint key positions, where appropriate and necessary, to ensure that data compliance is being met. These include:

  1. Data controller – The data controller oversees how personal data is collected and processed, and ensures that all third parties are complying with the Regulation.
  2. Data processor – Data processors can include members of your organization as well as partners and third-party providers.
  3. Data Protection Officer (DPO) – The DPO is responsible for driving data protection and compliance strategy throughout your organisation. They also have a direct relationship with the Supervisory Authority in the UK, namely the Information Commissioner’s Office (ICO). If your organisation has offices within Europe where personal data is processed, then the DPO will also maintain a relationship with the relevant Supervisory Authority in that country.

GDPR doesn’t affect me

Think of the analogy of a tree falling over in a forest: If nobody hears it, does it make a sound? This is very similar to GDPR: If the EU passes a privacy law, can anybody in the US hear it?

GDPR will be funded by a concept very familiar to most Americans – ticket book motivation. Imagine GDPR as a quaint town that derives most of its income from speed traps that are set throughout. Unsuspecting drivers pay large fines for violating traffic laws that are strictly enforced. GDPR operates much the same way – organizations will face steep penalties for not following the rules.

Any organization that believes GDPR doesn’t affect them may have a big surprise. Even if your company doesn’t have servers or a business presence in the EU, you must comply with GDPR if you:

  1. Process personal data of EU citizens or residents
  2. Have more than 250 employees
  3. Have fewer than 250 employees, but regularly collect and process personal data of citizens

From purchasing a product, to newsletter subscriptions, to promotional offers, every facet of customer interaction requires that GDPR compliance is met.

GDPR won’t be taken seriously

If you think for a moment that GDPR won’t be strictly enforced, you are setting your organization up for an incredible and expensive shock.

For instance, prior to GDPR, Equifax could have been fined $27 million for the stunning data breach which exposed the personal, identifying information of over 143 million consumers.

After GDPR, Equifax could face over $125 million in fines.

Paul Gillingwater MBA, CISSP, CISM, RHCE

Associate Partner

GDPR, ISO27001, PCI/DSS, GRC, DPA18

Paul is Head of IT Security and Data Privacy Team and Registered DPO at xTech and has worked for more than 30 years as a cyber security specialist and advisor to businesses with their governance, regulatory and compliance requirements. More recently he has advised on data protection and is a passionate advocate of online privacy rights education.