DEV Community

Cover image for Security Compliance- 3 Myths about General Data Protection Regulation (GDPR)
Shufti Pro
Shufti Pro

Posted on

Security Compliance- 3 Myths about General Data Protection Regulation (GDPR)

A legal framework that sets guidelines for the collection and processing of personal or confidential information of individuals who live in the European Union (EU), is known as GDPR.
On the 25th of May 2018, EU General Data Protection Regulation (GDPR) entered into force. To ensure compliance with the new law, companies have spent billions of dollars since that time. To comply with the strict requirements of GDPR, the top 500 companies of U.S have spent $7.8 billion.
Many myths still surround the new EU law. Here we’ll discuss 5 myths and evaluate their realism.

GDPR does not apply to non-EU companies:
Territoriality principle often applies to the field of law. For example, patent protection is provided by United States patent providers in the U.S. only. In order to ensure that the personal data of EU residents will not be used by illicit foreign companies, the authors of GDPR took a different approach. However, for customer due diligence process, GDPR applies to both, EU and non-EU companies if:
1- The organization have branches in EU and include data processing.
2- An organization is providing goods or services to EU residents.
3- Third and most important is, if a company is monitoring the behaviour of EU residents.

GDPR will not impose actual fines:
More than 1.5 billion websites are in the World Wide Web. Many of those websites fall within the scope of GDPR as they interact with EU residents. Many websites don’t comply with the requirements of GDPR due to the less human and financial resource. But Eu believes in “Ignorance of the law is not an excuse.” A fine of 50 million euro was imposed on Google by French data Protection authority for violating GDPR in Jan 2019.
More and more data protection authorities are imposing hefty fines on privacy violators, despite the fact that the GDPR has recently entered into force. Germany sanctioned a social media company with a fine of 2 million euros for infringing GDPR.

Publishing a privacy policy on a website is enough:
Numerous websites are offering “GDPR-compliant” templates of the privacy policy. According to the need of a business, various other websites even allow their users to customize privacy policy. But drafting a privacy policy is a small step for an organization to become GDPR compliant. There are many other steps, some of them include:
Conduct data mapping.
In case of a data breach, a system must be capable of generating alerts for relevant data protection authorities.
Appointing a data protection officer to keep check and balance.
Installing a cookie pop-up banner.
Ensuring data protection in non-EU countries and check that data processors have adequate levels of data protection.

If your organization is dealing with European residents, either you are providing services or selling products, your business must be GDPR compliant. Ignoring GDPR will result in bearing hefty fines and for small businesses, these fines could be devastating. Implementing a well-written privacy policy is a good step but update your privacy policy on a regular basis to reflect the latest changes in the data protection.

Top comments (0)