There is one thing we know for certain that the upcoming General Data Protection Regulation (GDPR) is creating: misconceptions.
It’s hard to keep up with them. But, after noting nine common GDPR misconceptions a few weeks ago, we now offer a new batch gleaned from a chat with Clive Boonzaaier, director of governance, risk and compliance at security firm Cipher UK:
- Despite the word “compliance” in his own title, and the widespread use of that term to describe companies abiding by GDPR’s requirements, Boonzaaier says that putting too much emphasis on it misses the right way to view the new regulation. In his view, “compliance” properly describes obeying a clearly defined legal rule, like a speed limit. Much of GDPR, by contrast, is left unspecified, allowing a wide range of approaches to implementation as long as the end result is that consumers’ personal data is protected. He told me that adherence to GDPR is like saying, “You should deploy security measures.” The aim is to keep hackers and other data thieves away, but many of the specific ways to accomplish that goal are left up to you and your company. It’s better to think of adherence to GDPR as “risk management 101,” he said, since your company is adopting new policies, software and attitudes to minimize the risk of leakage or misuse of personal data.