The one thing that the upcoming General Data Protection Regulation (GDPR) seems to be creating is this – misconceptions.
There are enough of them that it can be hard to keep up. A few weeks ago there were nine common GDPR misconceptions; now there is a new batch, this one from a conversation with Clover Boonzaaier, director of governance, risk and compliance at security firm Cipher UK:
- Despite the word “compliance” in his own title, and its widespread use to describe companies that are abiding by GDPR’s requirements, Boonzaaier says that too much emphasis on that term misses the appropriate way to view the new regulation. In his view, “compliance” is most properly used to describe obeying a clearly defined legal rule, like a speed limit. But much of GDPR is left unspecified, allowing a wide range of approaches to implementation as long as the end result is protecting the personal data of consumers. He told me that adherence to GDPR is like saying, “You should deploy security measures.” The aim is to keep hackers and other data thieves away, but many of the specific ways to accomplish that goal are left up to you and your company. It’s better to think of adherence to GDPR as “risk management 101,” he said, since your company is adopting new policies, software and attitudes to minimize the risk of leakage or misuse of personal data.