The General Data Protection Regulation (GDPR) will finally and totally keep data private, no?
It’s all over the news: companies around the world are getting ready to comply with a European law that, beginning on May 25, will be the biggest shake-up in personal data privacy since the internet was born.
Thing is, there are several issues surrounding online privacy that companies need to pay attention to that go beyond GDPR compliance. Indeed, beyond the hype and hyperbole, several noteworthy aspects of this regulation have quietly slipped underneath the radar.
GDPR: Misconceptions, Loopholes and Soft Spots
1) Personal Data Will Become Your Data: Not quite. This is a common misconception about GDPR, which in fact draws a clear distinction between “private data” and “sensitive data.” Private data includes IP address, name or street address. Meanwhile, sensitive data includes religion, sex, union membership or level of education. As a result of this distinction, there are differences between how the two types of personal data can be stored and what you can do with them. For example, sensitive data cannot be used for making business decisions such as approving a home mortgage application.
2) No Teeth: Even though the GDPR aims to protect European Union citizens whose personal data is controlled by organizations located outside the EU, it may in fact not be able to do so. This loophole is the result of weak, ambiguous wording that makes it possible for organizations to gather data and ignore the GDPR. Once such data leaves the boundaries of the GDPR, it can be transferred without legal protection.
3) Already Outdated? Speed of innovation is one of GDPR’s biggest soft spots, since innovation tends to move faster than governance models. The GDPR approach is based on the belief that the next big thing will be just like the last. However, since the next great technological leap forward is, by definition, not currently in existence, clever data processors and controllers will ultimately be able to circumvent GDPR in ways that regulators haven’t even thought of.
4) Hidden Costs: One of the great unknowns is how much additional compliance burden and cost GDPR will place on businesses. So great is the uncertainty that the UK Information Commissioner’s Office (ICO) commissioned a study with the London School of Economics to look into such implications. One of the key findings: a majority of businesses are presently unable to reliably quantify their current spending in relation to data protection. Such fuzziness makes it difficult to estimate potential increases in operating cost under GDPR with any degree of accuracy.
5) Meet GDPR’s Secret Sister, ePrivacy Regulation: Lost in the din of hysterical comparisons between GDPR and Y2K, the European Commission’s pending ePrivacy Regulation has gotten precious little coverage. The regulation is designed to complement the GDPR to provide internet users additional control over all their data and ensure that businesses handle data with care. ePrivacy also comes with some hefty fines.
GDPR: Necessary, Not a Cure-All
Starting in May 2018, the EU’s General Data Protection Regulation will present global companies with significant challenges, as well as golden opportunities. A recent PwC survey found that 92% of U.S. companies said GDPR is a top priority on their data-privacy and security agenda.
Despite its undeniable importance, some perspective regarding GDPR is in order. Compliance with this broad-based effort should be one aspect of a company’s overall approach to data. Strict compliance with GDPR is necessary, but not sufficient, for companies that are both security- and privacy-oriented.
Companies such as bob that take security and privacy issues seriously are thus buttressing GDPR compliance with such widely accepted certifications as the ISO/IEC 27000 family of standards and SOC Type II certification, which are designed to keep sensitive data secure. Another good way to keep the hackers away is to take into account the legislation of all countries that data resides in and passes through.
Ultimately, even the most exquisitely detailed and perfectly implemented regulation can’t completely solve your security problems. To turn the vision of complete data security into reality, companies need to fuse GDPR compliance with constant diligence and relentless innovation.
From Kobi Afoota
Kobi has over 10 years of experience in information security management. An expert in his field, he is currently hibob's Information Security Manager.