1- GDPR compliance is a black and white business
One of the biggest legal complications in understanding GDPR is that it is not a rule-based piece of regulation. When you're driving at 90 km/h in a 70 km/h zone, the parameters of the law are clear cut and there is little need for interpretation. GDPR, on the other hand, is a principle-based regulation. Should an investigation arise, judgements about compliance would be at the discretion of the Supervisory Authority and would involve an assessment of the organisation's processing as a whole, not a tick-box check against fixed thresholds.
So it's easy to see how organisations that consider themselves on top of GDPR may in reality be at risk of being found non-compliant.
2- Change your privacy policy, tweak your contracts and you're done!
Governance and accountability requirements are often overlooked, and many organisations will be surprised to realise that it is not enough to comply; you have to be seen to comply. The GDPR mandates demonstrable compliance by way of documentation of the actions taken on data flows and processes (for example records of processing activities and the reasoning behind lawful-basis decisions). It is like showing the method by which a maths problem is solved, not just the final answer.
3- Anyone can make you delete all their data
There is a right to erasure, but it is not absolute. You may be able to retain the data where, for example, it is still necessary for the lawful purpose for which it was collected, you are legally obliged to keep it, or, in some circumstances, you have an overriding legitimate interest in retaining it. Each refusal should be documented with its justification, since the burden is on the organisation to show why the exemption applies.
4- The compliance team bears full responsibility for GDPR
Every executive must fully understand that GDPR compliance has to flow from the top to be effective. At the regulation's core is the sanctity of personal data: personal data belongs to the individual and organisations are mere custodians. It represents a fundamental change in the way that every organisation uses, manages and protects data, and ignorance or buck-passing will be no defence at all. GDPR's core spirit is to effect a cultural and paradigm shift in balancing the rights of the individual against the interests of the organisation. It is absolutely the responsibility of both the executive leadership and the Board of directors to understand what GDPR means and to apply its tenets in the core execution of their duties.
5- GDPR is a Problem for the IT Team Only
This relates not just to GDPR, but to data protection as a whole. The word "data" is often assumed to apply exclusively to IT. Nothing could be farther from the truth. Issues with data protection are frequently simply palmed off to IT departments. In reality, for effective data protection (and in particular, GDPR) organisations need to work inter-departmentally to ensure compliance.
In order to fully understand where personal data resides, where it originated, who uses it, how it's used and more, input from multiple departments will be required: HR, marketing, finance, legal and operations all hold and process personal data in their own systems. You must educate your whole organisation on best practices for meeting GDPR in order to stand a chance of meeting its stringent requirements.
6- GDPR is really about security
Security is always important, but the GDPR does not prescribe specific security controls; it requires measures appropriate to the risk (although you may need to conduct a Data Protection Impact Assessment, the GDPR's term for a Privacy Impact Assessment, covering security). Businesses will also need to implement privacy by design and by default, and to consider data protection principles such as data minimisation and privacy-enhancing techniques such as pseudonymisation. Security is necessary for privacy, but privacy extends beyond security: a perfectly secured system that collects more data than it needs, or uses it for a purpose the individual never agreed to, is still non-compliant.
Finally, GDPR requires a paradigm shift: changing behaviours, changing values and changing cultures in organisations. This is possible only through understanding the importance of establishing systems thinking and bringing about transformational change through increased employee awareness of GDPR.
Among other approaches, BSI Group's formal management system standards, such as BS 10012 for personal information management, have benefited many companies by giving them an integrated management system spanning information security, cyber security and communications.