The General Data Protection Regulation comes into force in May 2018. We explore common myths surrounding GDPR.
The General Data Protection Regulation (GDPR) comes into force in May 2018. For the information commissioner, GDPR creates an onus on companies to understand the risks they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box-ticking exercise, and instead working on a framework that can be used to build a culture of privacy that pervades an entire organisation, the information commissioner recently said.
Let’s explore a few areas of misunderstanding I have encountered when speaking to IT suppliers and customers.
Myth 1: It is just about hacking – Although many of the news stories focus on hacking and GDPR breaches, GDPR is not just about hacking. For example, it currently costs £10 for individuals to get their data from organisations under data protection law. Under the GDPR, it will be free, subject to various exemptions such as repetitive requests, manifestly unfounded or excessive requests, or requests for further copies.
As a result, organisations can probably expect more individuals wanting a copy of their data, including customers and employees both past and present. The time limit for responding to these requests is 30 days. If an organisation receives many requests from employees or customers, is it prepared to provide this personal data to them within the 30-day time limit?