Debunking the Myths of the GDPR

The GDPR (General Data Protection Regulation) is a hot topic among experts in cybersecurity and privacy. For consumers, the GDPR will strengthen the protection of basic rights on the internet and give control of personal data back to the user. But what does this mean for companies?

As the date for its entry into force approaches, and having explained the most important changes the regulation will bring about, in this article we will have a look at some of the myths surrounding the GDPR.

Myth 1: “The GDPR only affects companies in the European Union”

This is far from the truth. The GDPR rules apply to every company that offers goods or services to people in the EU, regardless of where its offices or servers are located. The GDPR therefore applies to any company that processes information from EU citizens, making it the first global data protection law. For example, if an EU citizen uses a US-based social network, makes an e-commerce purchase from a Japanese shop, or books through an Argentinian vacation-rental platform, all of those companies must comply with the GDPR.

Myth 2: “All security incidents must be reported within 72 hours”

This is one of the most widespread myths and has been accepted as a general rule, but there is some nuance to it. First, only personal data breaches need to be reported; reporting is not required for security incidents or data breaches that do not involve personal data. In other words, any breach that affects the confidentiality or integrity of personal information must be reported.

Moreover, the countdown for the 72-hour deadline does not start when the incident occurs, but when the company becomes aware that it has suffered a personal data breach. If for some reason it is not possible to report the breach to the authorities within this period, the deadline can be extended provided that the organization justifies the delay.

Myth 3: “All data must be encrypted in order to be in compliance with the GDPR”

This is false for several reasons. The GDPR requires that measures be implemented to provide an appropriate level of security, based on an assessment of the risk involved in each activity that requires, for example, the processing or storage of personal data.

Although encryption is a recommended measure, it is not mandatory. Everything depends on the risk associated with leaving the personal data in question unencrypted. Thus, for sensitive data such as patient medical information, the GDPR recommends encryption together with other robust security measures, such as the use of secure algorithms.

Panda Security Can Help Ease the Transition

These are just three of the myths surrounding a regulation that will mark a before and after in the protection of personal data. To help companies of all types adapt to and comply with the GDPR, at Panda we have prepared the “Preparation Guide to the New European General Data Protection Regulation”. In this guide, we answer the major questions related to the GDPR: How does it affect my business? What obligations does this regulation bring about? What happens if I do not comply with these obligations?

With this whitepaper, and using the tools included in our Adaptive Defense solution, Panda can help companies meet the requirements imposed by the new regulation. Although the law will not come into effect until 2018, it is vital to understand the implications of the GDPR now and to implement a plan of action.