GRC Tuesdays: 3 GDPR Myths that Could Cost Your Organization Millions
When it comes to GDPR, the European Union’s General Data Protection Regulation, many organizations appear to be asleep at the wheel. If you think that GDPR won’t affect you or your organization, chances are you’re wrong, and it could cost you and your company dearly.
GDPR: The Basics
First, companies must be able to show compliance with GDPR by May 25, 2018. GDPR affects not only the EU nations but all companies that keep data on EU customers, even if the company doesn’t maintain offices or servers in the EU.
GDPR affords customers in the EU protection of the following types of identifying information:
- Racial and ethnic information, as well as sexual orientation
- Identifying information, like names, addresses, and ID numbers
- Health, biometric, and genetic data
- IP addresses, cookie data, location, and RFID tags
- Political leanings
The Top 3 GDPR Myths
1. A product can make you GDPR-compliant
There is no product on the market that can make your organization GDPR-compliant. The tools that are available are meant to make implementing GDPR simpler by recording all information about customers in a single database.
GDPR states that consumer permissions must be validly obtained, and that data collection and storage must be transparent. Customers in the EU will be able to exercise a right to be forgotten, which means that they can require organizations to erase all data held about them. Having this information in one location will greatly increase the assurance that your company is GDPR-compliant.
Other important facets of GDPR include the requirement that consumers be notified within 72 hours of a data breach, and that safeguards be put in place to protect customer data, such as data protection impact assessments (DPIAs).
One of the most important and most overlooked aspects of GDPR is that the best system in the world won’t work if employees are not properly trained.
All organizations will be required to assign key roles to ensure that GDPR compliance is met: data controller, data processor, and data protection officer (DPO).
The DPO is responsible for driving the GDPR strategy, including security measures and overall compliance. The data controller oversees how personal data is collected and processed, and ensures that outside contractors are complying with GDPR. Data processors can include members of your organization as well as partners such as cloud providers. GDPR maintains that processors are liable for data breaches or non-compliance.
2. GDPR doesn’t affect me
Think of the analogy of a tree falling over in a forest: If nobody hears it, does it make a sound? This is very similar to GDPR: If the EU passes a privacy law, can anybody in the US hear it?
GDPR will be funded by a concept very familiar to most Americans – ticket book motivation. Imagine GDPR as a quaint town that derives most of its income from speed traps that are set throughout. Unsuspecting drivers pay large fines for violating traffic laws that are strictly enforced. GDPR operates much the same way – organizations will face steep penalties for not following the rules.
Any organization that believes GDPR doesn’t affect them might have a big surprise come June of 2018. Even if your company doesn’t have servers or a business presence in the EU, you must comply with GDPR if you:
- Process personal data of EU citizens or residents
- Have more than 250 employees
- Have fewer than 250 employees, but regularly collect and process personal data of EU citizens or residents
From purchasing a product to newsletter subscriptions to promotional offers, every facet of customer interaction requires GDPR compliance.
3. GDPR won’t be taken seriously
If you think for a moment that GDPR won’t be strictly enforced, you are setting your organization up for an incredible and expensive shock.
For instance, before GDPR, Equifax could have been fined $27 million for the stunning data breach which exposed the personal, identifying information of over 143 million consumers. After GDPR, Equifax could face over $125 million in fines.
GDPR penalties for non-compliance can be steep: up to $20 million, or 4% of global revenue, whichever is higher. All indications are that GDPR will be strictly enforced and that companies that aren’t demonstrating compliance will serve as the first examples of the very serious nature of this law.
GDPR myths could cost your company millions. Be prepared, and start preparing now.
- Visit SAP’s GDPR compliance webpage for more information and education about GDPR
- Check out the GDPR product webpage for resources about which SAP solutions and services could help you govern your GDPR program and manage and protect your data for sustainable GDPR compliance
- Read our other GDPR-specific blogs
NOTE: The information contained in this blog represents the author’s personal opinion and is for general guidance only and provided on the understanding that SAP is not herein engaged in rendering legal advice. As such, it should not be used as a substitute for legal consultation. SAP SE accepts no liability for any actions taken as response hereto. It is the customer’s responsibility to adopt measures that the customer deems appropriate to achieve GDPR compliance.
This article appeared in the SAP D!gitalist Magazine and has been republished with permission.