Like it or not, fear, uncertainty and doubt [FUD] are time-honoured tactics for some vendors to scare up easy sales. The General Data Protection Regulation (GDPR) is seeing its fair share of FUD, and Brian Honan has called out the ‘fake news’ surrounding the regulation.
GDPR = Y2K?
In an audio interview with Information Security Media Group, Brian said many companies are worried about what will happen once GDPR enforcement begins in May. That’s because misinformation about GDPR has made them unsure of what to do, Brian said. A common trope is to liken GDPR to the Y2K problem, when in fact they are very different. Companies have been intimidated into believing that preparing for GDPR will be a huge task. As a result, many either haven’t started preparations, or have ignored the problem.
Brian laid the blame at the door of unscrupulous vendors, and of commentators with little track record in data protection. “Companies are struck by fear… Suddenly everywhere you turn there is a GDPR or data protection ‘expert’,” he said.
Here are three of the biggest misconceptions:
- 1: consent is the only basis by which to use someone’s personal information (it isn’t)
- 2: regulators will regularly issue €20 million fines – the maximum for non-compliance (they won’t)
- 3: GDPR’s right to be forgotten applies in all cases (it doesn’t).
Another misconception stems from the title of GDPR itself, which makes many people think it relates only to electronic data. That invariably leads to technology-focused conversations, but Brian noted that GDPR is an evolution of European data protection rules. As such, its reason for being is to protect people’s rights to privacy.
“We have ‘experts’ in data protection that … a few years ago wouldn’t have even touched the topic,” Brian said. It even led to a hashtag on Twitter, #GDPRubbish, which highlights the fake news and misinformed comment about GDPR.
In the interview, Brian aimed to put the regulation into its proper perspective. He said the EU simply wants companies to take a responsible approach to managing personally identifiable information. Consequently, companies need to implement good practices and good procedures around storing and managing this data. “They need to put in a lot of transparency and accountability around how they manage the personal data belonging to the people who entrust their data to those companies,” he said.