Combating Misinformation about GDPR Compliance

June 04, 2018
Chief Information Security Officer
Tomas Honzak serves as the Chief Information Security Officer at GoodData, where he built an Information Security Management System compliant with SOC 2 and HIPAA, enabling the company to help Fortune 500 companies distribute customized analytics to their business ecosystem. Tomas finds his passion in enabling synergies between agile methodologies and a standards-based process approach and is a DevOpsSec enthusiast. Prior to his position at GoodData he led the Quality, Business Processes and Security department at Acision, a former Logica Mobile Networks division. He lives in Prague, Czech Republic and holds an MSc. from Charles University, the oldest university in Central Europe.

As companies got their GDPR compliance efforts underway, many were confused by the regulation’s lack of detail regarding how compliance can be assured. That confusion caused some common misconceptions to spread, and even now, a little over a week after GDPR went into effect, those misconceptions are still out there. To combat this misinformation, I recently wrote an article for InformationWeek, where I dispel some of the most common myths that I’ve encountered.

1. Focus on keeping data secure, not on where data resides.

GDPR states that “flows of personal data to and from countries outside the Union and international organizations are necessary for the expansion of international trade and international cooperation,” so there’s no need to worry that you’ll have to move your data from outside the EU into the EU. However, appropriate data protection and security measures must be in place to ensure compliance, regardless of where the data is stored. If that storage location is in the US, companies should make a few additional arrangements, such as executing the Model Clauses or registering for Privacy Shield.

2. Requests pertaining to privacy rights are not ultimate.

Companies have grown concerned about individuals requesting that their data be deleted, which is especially problematic if the data is stored in multiple systems or is otherwise valuable to the business. Fortunately, an individual’s request is not the ultimate deciding factor. Under GDPR, the data must only be deleted when there is no other valid reason for a company to store and process it. However, companies still need to maintain inventories of their data and clean up any personal data which is no longer needed as a part of their standard processes.

3. Companies will need to figure out how to ensure ongoing compliance after May 25.

GDPR isn’t simply a checklist of criteria; it’s a framework that will constantly evolve or shift as we move forward. Consequently, ensuring compliance isn’t a one-and-done requirement but an ongoing effort that will need to frequently be recalibrated. Though compliance programs are now already in place, those programs will need to continue to be monitored and adjusted in the future as new information comes to light.

When you’re thinking about compliance, remember that GDPR is first and foremost about privacy and security, and that comes down to a fundamental difference between the US and the EU. For the EU, privacy is the most important human right, and must be honored and respected above all others. By keeping this concept in mind for your future efforts, you’ll be likely to find continued success and ongoing compliance.
