3 Common Misconceptions on GDPR, Encryption & Erasure

29 May 2018 | Michael Waksman
Bored child thinking of monster

Who’s afraid of the big GDPR?

There are already so many articles talking about GDPR, encryption and erasure, but people are still left feeling confused about some basic concepts. Let’s now take GDPR out of the shadows to examine 3 common misconceptions and explain them once and for all.


If for some reason you haven't heard about GDPR by now, here is a quick summary:

  • Enforcement is active starting from 25 May 2018. GDPR - or the EU General Data Protection Regulation is the most comprehensive privacy law in the world, replacing the 1995 Data Protection Directive. It also streamlines privacy laws across all 28 EU member states.
  • The primary focus of GDPR is the protection of ‘digital privacy rights’ of EU residents. It requires organizations to ensure transparency in collecting and processing user data. Every organization which is handling the personal data of EU residents is subject to the regulation, including non-European organizations.
  • GDPR was first introduced to the European Parliament in January 2012 and adopted by the European Parliament and Council of the European Union in the spring of 2016. After 25 May 2018, organizations must prove they are compliant with GDPR unless they want to pay substantial fines, as much as 4% of global annual turnover or €20 million.

We’ve seen, however, that most organizations are not taking GDPR seriously enough. As the enforcement is about to begin, recent reports have shown a staggering number of unprepared organizations. The Financial Times reported in March 20181 that fewer than one in 10 small British businesses were fully prepared for GDPR, while more than two-thirds were either still in the early stages or had not taken any steps to prepare. A study by Forrester2 also estimated that 80% of companies would fail to comply with GDPR.

Figures about the GDPR Financial Times

Those are alarming numbers. It's like arriving at a final exam and finding out that 7 out of 10 classmates didn't study the night before, and one other guy wasn't even aware there was a test (looking at you, Billy!).

A guy studying encryption

There are several reasons why organizations are taking their time to be compliant with GDPR. One reason is the broad language of the regulation, which makes it even more difficult for organizations to interpret. Here we’ll look at 3 common misconceptions - including how organizations can implement proper data protection practices for the new regulation.
 

#1: Only European organizations need to care about GDPR, encryption and erasure

There seems to be a presumption that since the regulation was passed by the EU, then only European organizations are subject to comply - which is false.

GDPR Article 33 states, “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services ... to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union”.

In other words, any company (American, Brazilian, etc.) which is processing personal data of EU residents to provide them goods or services must comply with GDPR, just like their European counterparts.

#2: Nothing’s gonna change under the new regulation

Over the last few months, I have been invited to a number of seminars and business forums, talking with many people about GDPR, encryption and erasure. I noticed many business owners likening GDPR to the infamous Y2K bug.

Just for anyone who might not know, the Y2K problem, or Millennium bug, was an infamous computer error related to the formatting and storage of dates and years at the beginning of the year 2000 – specifically the widespread use of 2 digits (00) instead of 4 (2000). Y2K captured global attention mostly because of its unknown potential consequences. Some even predicted mass computer crashes, planes falling from the sky, and nuclear war starting by accident. Much of the hysteria was fueled by media with apocalyptic headlines. The cover of Time Magazine in January 19994 displayed a resurrected Jesus walking in Times Square, wearing a board stating, “The End of The World!?!” Yet when the new millennium arrived, everything continued as usual.

There’s similar growing sentiment regarding GDPR. So often we are seeing ‘apocalyptic’ headlines about large corporations struggling to be compliant with the new regulation. The hysteria has raised doubts in many people’s minds about the real impact of GDPR. Some business owners even told how they intended to wait it out until the first violation and see the damages before taking any action.

Let’s be straight – there are fundamental differences between GDPR and Y2K. First of all, unlike Y2K, there is much less uncertainty about GDPR. We’ve had 2 years ahead of the enforcement date to prepare for the regulation. There are already government institutions in place to help businesses for the rollout of GDPR. For example, the UK’s Information Commissioner’s Office has updated its Guide to General Data Protection Regulation (GDPR), explaining the key concepts and giving specific advice for businesses on the road to GDPR compliance. On the European Commission’s website, you will find a helpful interactive infographic that displays the elements of personal data and the cost of non-compliance.

Then, whatever happens just after 25 May 2018, it will not be the end of GDPR. This date is not a 'deadline' as people often refer to, but the beginning of an ongoing process. Afterwards, any company who is found in violation of GDPR will face punishment. So holding out is not an option.

#3: The GDPR ‘Right to Erasure’ only applies to the data I store myself

As we all know, data protection and personal privacy rights are the main points of GDPR. And one of the key elements is the GDPR ‘Right to Erasure.’ This so-called GDPR ‘Right to Be Forgotten’ entitles the customer (data subject) to request a complete removal of their personal data and cease further distribution of the data. This personal data includes names and addresses, emails, phone numbers, social security numbers, birthdates, healthcare codes, credit card numbers, identification numbers, and so on.

However, there is an additional bit that’s usually glossed over when people talk about the GDPR ‘Right to Erasure.’ GDPR Article 175 indicates that, “...the controller has made the personal data public... shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data."

What does this mean in practice? Well, do you use an outside service to store and process customer data, such as for sales and marketing? Then you must make sure the service provider is aware of all customer removal requests and that they carry out the complete erasure of the customer data.

What's next?

Now that the GDPR enforcement date is upon us, it’s about time to be prepared. Here are a few suggestions:

Be Transparent When Collecting Personal Data

GDPR will not stop the collection of data for marketing purposes, but it will undoubtedly change the way organizations are handling personal data. After GDPR, automatic 'opt-in' is no longer acceptable. You must make the privacy notice clear and easy for customers to spot. In addition, you should include a statement in the privacy policy which clearly tells the purposes for which you will use any personal data.

Protect The Data You Have

Think of your organization as a daycare center and the data you collect is like the children. Your customers have entrusted you with their children, and it is your responsibility to implement essential practices to keep your customers' data safe. Some examples:

  • Educate yourself and your employees about the threat of data breaches
    (what are the risks to the children’s safety?)

  • Apply necessary data protection methods, such as encryption
    (maintain locked boundaries, so children only stay where they are allowed)

  • Avoid unauthorized or unlawful processing of personal data
    (Make sure that the children only participate in activities permitted by their parents)

  • Quickly inform the authorities about likely harmful data breaches
    (Parents are immediately informed about threats to their children’s safety)

Erase The Data You No Longer Use

Imagine you are going through a rough break-up. What might you do? You’d clean your house, remove all the stuff that reminds you of the other person, delete their pictures off your mobile phone and feel sad. But you are eventually determined to move on, however painful it is.

GDPR by Woody Allen

Now getting back to the main point, you should do the same things once customers use their GDPR 'Right To Be Forgotten' (minus the teardrops). Though one major difference between going through a break-up and exercising customers' GDPR 'Right To Be Forgotten', is that under GDPR, you will be in serious legal jeopardy if you skip the steps to clean up.

Best practices for doing a complete removal of data:

  • Perform a complete inventory to locate your data

  • Use proper data wiping tools to permanently erase selected data on active systems. For your old hard drives, be sure to run a whole disk wiping tool to prevent data leaks.

  • Employ trustworthy CRM providers who have shown their intention to follow the GDPR rules, such as by certifying with Privacy Shield. Then ensure the CRM provider has followed through on all customer removal requests.

Don’t be afraid! Get educated and act!

Unlike a mysterious monster hiding in the shadows, GDPR is a known risk and there are basic preparations to keep you safe. Fear and ignorance are not excuses.

The meaning of being GDPR compliant goes beyond avoiding heavy fines and public shaming. After the recent scandals affecting Equifax and Facebook, GDPR is the EU's latest attempt to fix the loopholes in current privacy laws and gain public trust. People everywhere are demanding better social responsibility and will not tolerate companies mishandling their personal data. Organizations doing their best to comply with GDPR will gain competitive advantage and see higher customer retention.

As a data protection solution provider, Jetico understands your requirements for GDPR compliance. BestCrypt is the best solution for protecting your file storage ecosystem in a world constantly threatened by lost hardware, cyber attacks, and unauthorized account access. Meanwhile, BCWipe helps you practice the GDPR ‘Right to Erasure’ for your customers by erasing all their personal data beyond forensic recovery.


To learn more about Jetico's GDPR encryption and erasure solutions, go to https://info.jetico.com/gdpr.

 

1 The Financial Times. “Most UK small businesses unprepared for new EU data rules” [Online]. Available: https://www.ft.com/content/87a11d2c-1e35-11e8-aaca-4574d7dabfb6 [2 May 2018]

2 Forrester. “Predictions 2018: A year of reckoning” [Online]. Forrester Report. Available: https://mktg.forrester.com/2018-predictions-gdpr [2 May 2018]

3 The European Parliament and The European Council. “Article 3: Territorial scope”. General Data Protection Regulation. Available: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

4 Time Magazine. “Remember Y2K? Here's How We Prepped for the Non-Disaster” [Online]. Forrester Report. Available: http://time.com/3645828/y2k-look-back/ [2 May 2018]

5 The European Parliament and The European Council. “Article 17: Right to erasure (‘right to be forgotten’)”. General Data Protection Regulation. Available: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN


Do you want to know more about GDPR Encryption & Data Erasure? Contact a Data Protection Specialist now.

 

Jetico logo
Michael Waksman
Michael Waksman has been serving as CEO of Jetico since 2011, more than doubling the size of the company during his tenure. He brings more than 15 years of communications, technology and leadership experience.

At Jetico, Waksman has lead creation of the corporate identity, raising global brand awareness, building a more commercially-driven team and initiating enterprise customer relations. Jetico has maintained a wide user base throughout the U.S. Defense community, in the compliance market and for personal privacy.

Waksman is vice-chairman of the Cyber Group for the Association of Finnish Defense and Aerospace Industries. Recognized as a security and privacy advocate, he is a frequent speaker at international events, occasionally on behalf of the Finnish cyber security industry. In 2012, Waksman was honored with The Security Network's Chairman's Award for fostering collaboration between the United States and Finland. As a native New Yorker he has been living in southern Finland for over 10 years.