GDPR Confusion: 7 Common Myths Busted

The day before the deadline for GDPR compliance, I received emails from 8 different companies asking for my consent for them to collect data about me. But I can’t even remember how I got on these vendors’ mailing lists, and I haven’t received any other communication from them lately. Obviously, they gathered my personal information for no purpose some time ago, realized at the last moment that they now fall under GDPR compliance and decided to do “something.”

The irony is, according to the CEO of one personal data governance company, sending these “opt-in” emails is itself a breach of data protection rules. Moreover, it’s the most serious type of GDPR violation, punishable by the maximum fine.

Lots of companies are taking rash actions like sending these emails, in part because of all the “last minute GDPR compliance” headlines that are flooding the internet with myths about the GDPR and causing panic. My advice is to step back, get an overview of all your compliance activities, and check whether any of these GDPR myths are preventing your company from truly getting GDPR-ready.

Myth 1. The GDPR is all about consent.

Roughly speaking, consent comprises 90% of the GDPR, but you shouldn’t invest all your time in meeting the consent requirements.

The foundation of the GDPR is data protection by design and by default. Therefore, to comply with the law, your organization needs to attend to security basics. First, identify the most important risks and make plans to mitigate them. Second, aim your technical and organizational efforts at minimizing the processing of personal data — make sure that you collect only as much data as necessary, process it only to the extent that is necessary, and store it only as long as necessary. For example, if you run a social platform, ensure it lets users set their profile to the most privacy-friendly options, so that you collect only the minimum information you need.

If you don’t know how to start, check out these two other compliance standards that provide extensive guidance: ISO 27001 explains how to secure personal data from the technical and organizational perspectives, and BS 10012 provides guidance on establishing personal data protection in a manner that is closest to GDPR requirements.

Myth 2. Sending out emails requesting consent from customers is enough.

To obtain customer consent for personal data collection and processing, most companies put a special tick-box on their website or send out emails with opt-out instructions written in tiny font at the end.

However, the GDPR changes the essence of consent, and these approaches will not suffice anymore. Consent is no longer general; you must clearly explain all the ways you will use an individual’s data. For example, if you plan to carry out six different actions with the subject’s data, make sure you explain why you need to do so and ensure the subject has agreed to each of them. In particular, if you want to provide people with product and marketing updates via direct mail and customized online advertising, make sure you have gotten their consent for both methods.

Furthermore, you must make sure your organization processes each subject’s data exactly how you said you would. This can have a significant impact on your business processes, since you will have to change the ways you deal with data. These changes will affect all employees who collect and store sensitive data about your customers, such as your marketing, sales, HR, support and legal departments.

Myth 3. The scope of work looks impossible.

The scope of work may seem daunting. The trick is to split the challenge into smaller tasks. Here are some of the most important steps to take:

  1. Determine what sensitive data you hold and which processes touch it. To start, the IT team should collaborate with the heads of other departments to identify data owners and find what types of personal data they deal with.
  2. Decide which data is the most critical. Ideally, you want to cover all risks, but in practice, you have to set priorities and protect your most important or sensitive data first. Since data owners know their data best, work with them individually to organize data into categories from the most sensitive to the least sensitive.
  3. Delete excessive data. It is essential to collect and retain only the minimum information you need for your business processes. For example, if some individuals have moved to another city and are therefore unlikely to be your customers anymore, delete all information about them. Doing so reduces risks and frees up storage.
  4. Make sure that all regulated data is stored in a secure location according to its value and sensitivity.
  5. Update access rights to make sure that protected information is available only to authorized personnel and only on a need-to-know basis.
  6. Update your security policies according to the changes you have made. These policies are the evidence that your company has a secure plan to process the personal data of customers.
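The purpose-specific consent described under Myth 2 and the retention and access rules in steps 3 and 5 above can be enforced in code rather than left to policy documents. The following added example (not from the original article) is a hypothetical consent registry: every processing action is gated on consent for that exact purpose, records that exceed a constructed two-year inactivity limit are erased, and each decision is written to an audit trail.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


class ConsentError(PermissionError):
    """Raised when processing is attempted for a purpose the subject never agreed to."""


@dataclass
class Subject:
    subject_id: str
    last_activity: date
    # Each purpose is consented to separately; there is no blanket "yes".
    consents: set[str] = field(default_factory=set)


class ConsentRegistry:
    """Hypothetical per-purpose consent registry with a retention limit (constructed example)."""

    def __init__(self, retention: timedelta = timedelta(days=730)):
        self.retention = retention          # constructed policy: two years of inactivity
        self.subjects: dict[str, Subject] = {}
        self.audit_log: list[str] = []      # evidence of what was done, and when

    def record_consent(self, subject_id: str, purposes: set[str], when: date) -> None:
        subj = self.subjects.setdefault(subject_id, Subject(subject_id, when))
        subj.consents |= set(purposes)
        subj.last_activity = when
        self.audit_log.append(f"{when} consent {subject_id} {sorted(purposes)}")

    def withdraw(self, subject_id: str, purpose: str, when: date) -> None:
        subj = self.subjects[subject_id]
        subj.consents.discard(purpose)
        self.audit_log.append(f"{when} withdraw {subject_id} {purpose}")

    def process(self, subject_id: str, purpose: str) -> bool:
        """Gate every processing action on consent for that exact purpose."""
        subj = self.subjects.get(subject_id)
        if subj is None or purpose not in subj.consents:
            raise ConsentError(f"no consent from {subject_id!r} for {purpose!r}")
        self.audit_log.append(f"process {subject_id} {purpose}")
        return True

    def purge_stale(self, today: date) -> list[str]:
        """Delete subjects inactive longer than the retention period; return their ids."""
        stale = [sid for sid, s in self.subjects.items()
                 if today - s.last_activity > self.retention]
        for sid in stale:
            del self.subjects[sid]
            self.audit_log.append(f"{today} erase {sid} (retention exceeded)")
        return stale
```

Consent for direct mail does not authorize customized online advertising here, which is exactly the separation Myth 2 calls for.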

Myth 4. GDPR is destructive for marketing strategy.

Most companies have been working with the marketing funnel model for ages, trying to broaden their reach as much as possible to increase sales. Now they are afraid they might lose their customer database because individuals might require them to erase all their personal information.

However, the people who want you to erase their data are hardly your loyal customers, so why should you spend time and money storing and processing their data? These people do not even want to hear from you! Today, it is more effective to target your marketing efforts at the specific needs of a clearly defined audience that has an interest in your brand. The 80/20 rule, which states that 80% of effects come from 20% of causes, applies here: the largest part of your revenue always comes from your loyal clients and highly relevant leads.

Think of it this way: The GDPR is the perfect opportunity to strengthen your marketing strategy by building a lean database of highly relevant leads and customers.

Myth 5. GDPR-related costs will ruin my business.

Many organizations are alarmed by the large figures for GDPR compliance presented in the media. For example, one survey predicts that companies will have to spend nearly $1 million on technology alone to achieve GDPR compliance. They’ll face other expenses, too; for example, hiring data protection officers could cost a lot due to the combination of a shortage of talent on the market and high demand.

Fortunately, many vendors offer software that can help you comply with the GDPR for a lot less money. I recommend that you invest in software rather than hire qualified security professionals, as it will pay off quickly. But do not purchase any solutions until you assess your IT risks. Determine which compliance requirements you can meet with your current tools and processes, and which ones require further investments. Evaluate your risks and put the largest part of your budget toward the most crucial ones.

Myth 6. The GDPR imposes enormous fines for every mistake.

GDPR fines are indeed huge: 2% to 4% of the company’s annual global revenue, or €10–20 million. But there’s no need to panic.

Consider this: Under the current data protection laws, the Information Commissioner’s Office can fine companies up to 500,000 pounds — but it has never levied this maximum fine. There is no reason to think that it will change its approach with the GDPR.

Regulatory authorities take into account whether you have a credible compliance plan and cooperate with them. Therefore, make sure you can prove that you have effective security policies and procedures. Demonstrate how you have followed the compliance plan, what you have done and what is ahead. If you do, the authorities are not likely to slap you with a huge fine if you experience a security incident or fail part of an audit.

Myth 7. Auditors aim to punish businesses.

Most SMBs in the EU have never worked with auditors before, since regulatory standards for personal data have never been mandatory. So they feel uneasy about their new obligation to report to strangers about their cybersecurity issues.

To reduce this stress, know what auditors are looking for and prepare. They want to see that you can explain the goals of your security strategy and know your risks. Show them evidence that you can control the activity of your privileged users. Make sure you can answer their questions in a timely manner and help them to do their job. Be ready to work on any security gaps they point out or you’ve discovered on your own.

It makes no sense to be afraid of auditors; rather, you should cooperate with them, because both of you have the same goal. If you cooperate, you will pass GDPR compliance audits more easily. You’ll also get some additional benefits. First, you will get a new perspective on the security problems in your organization, because auditors have a broader view and can give you valuable recommendations. Second, you will improve your skills in managing your compliance processes.

Instead of thinking of the GDPR as a burden your organization has to bear, consider it an opportunity to bring your information security up to a completely new level. My message is this: Stop following the news about specific GDPR requirements. Instead, think about how you can make your company more secure and build trust with your customers by treating their data with respect. If you do, you won’t have to be afraid of the GDPR — or any of the other standards that follow in the future.

Former General Manager EMEA at Netwrix. Matt holds a CISSP certification and has over 19 years of experience in the cybersecurity industry. He has worked for many organizations, specializing in areas such as risk management, identity and access management, and network and database security. In the Netwrix blog, Matt shares insights on how to achieve greater levels of security and compliance.