Why you need to reframe the way you’re thinking about GDPR

March 14, 2018
Chief Information Security Officer
Tomas Honzak serves as the Chief Information Security Officer at GoodData, where he built an Information Security Management System compliant with SOC 2 and HIPAA, enabling the company to help Fortune 500 companies distribute customized analytics to their business ecosystem. Tomas finds his passion in enabling synergies between agile methodologies and a standards-based process approach and is a DevOpsSec enthusiast. Prior to his position at GoodData he led the Quality, Business Processes and Security department at Acision, a former Logica Mobile Networks division. He lives in Prague, Czech Republic and holds an MSc. from Charles University, the oldest university in Central Europe.

In my discussions regarding data privacy and GDPR, I’ve found that a lot of people (colleagues, customers, and analysts, to name a few) are thinking about GDPR in the wrong way: as a checklist of requirements to meet. GDPR is not a set of defined procedures or a checklist of requirements that companies can tick off to become compliant; GDPR is more of a mindset that hinges on the fact that, in the EU, privacy is a fundamental human right which takes precedence over other rights — including one’s right to freedom. For decisions where the government has to weigh freedom against personal privacy, the EU chooses to preserve an individual’s privacy above all else, which is at odds with the U.S.’s preference to protect freedoms over privacy.

That’s why there’s this misunderstanding — because GDPR is heavily informed by the EU’s cultural priorities. If you look at GDPR as just another data privacy standard, you’ll overlook that it’s also intended to push companies to reevaluate how they use and protect individual data. In fact, if companies would begin to consider the impact of their actions on individuals, they would find themselves already moving towards compliance.

The creators of GDPR were intentional when they designed it without strict checkbox requirements. Rather than providing a detailed framework with fixed criteria, the creators wanted GDPR to make companies integrate a culture of privacy into their business. First, companies need to be honest and think about how they collect personal data, what they use it for, and how that may affect individual privacy. Based on that exercise, companies can consider the actual guidance outlined in GDPR and how it relates to the way they do business. With a strategy in place for how to respond to GDPR and improve their data privacy measures, companies should also document the decisions they’re making, so they can demonstrate that they’ve considered the individual’s privacy and made a conscious decision that makes business sense while still preserving the individual’s right to privacy.

GDPR compliance can seem confusing until companies realize that they need to shift how they think about privacy to this European mindset when collecting data of EU citizens. In addition, when determining compliance, regulators are primarily concerned with the process that companies undergo as they improve their privacy measures. As long as companies can prove to regulators that they’ve taken tangible, documented steps that keep data privacy in mind, they’re likely to be safe from fines.
