Less than 12% of global companies understand what GDPR is and what it means for them.
“A number of companies jumped on the GDPR bandwagon and claimed to be experts… Many companies that had never operated in the privacy space, or even knew what privacy really meant, all of a sudden were GDPR experts.”
Sheila FitzPatrick holds strategic seats on several committees, including the European Union Data Protection Advisory Council, the Asia Pacific Data Protection Framework Advisory Board and the Pacific Rim Privacy and Cybersecurity Advisory Group, in addition to presiding over her own business, FitzPatrick & Associates.
She’s on a mission to dispel the misconceptions around GDPR, starting with the difference between security and privacy.
“When I ask you about your privacy program and you start telling me about your security program, I’m going to slap you, because security and privacy are not the same thing,” FitzPatrick told the European Data Protection Summit.
She explained “security is one component of data privacy compliance” while “privacy is all about an individual owning his or her data. As an organisation you’re storing that data, but you never own that data.”
Under privacy laws, organisations should not hold any more data than is necessary to manage the relationship with the customer. If a company is collecting and encrypting information it doesn’t need, or is not legally allowed to have, scaling up security through technology is not going to help.
“Every IT company jumped on the bandwagon and all of a sudden we saw tools and technology coming out to solve your GDPR issue, and as we know that’s a myth,” FitzPatrick said.
This misunderstanding can prove costly for companies: failure to comply can result in the business being suspended from data processing, or in a fine of up to $32 million AUD or 4% of global annual turnover.
“First and foremost, GDPR and data privacy compliance overall is a legal and compliance issue. It’s a risk issue. It is not an IT issue. IT is a partner in the compliance journey, but IT alone is not going to solve or manage your compliance issue.”
As FitzPatrick explains in another presentation, tools and technology alone are not the solution to GDPR. There are 99 articles in the GDPR, but only 8 involve technology.
She stresses that GDPR is foremost a compliance issue, and that companies should start with the compliance foundation, not with the second-floor tools.
According to the European Commission, the key principles to ensure compliance include:
- Communicate in plain language who you are, why you need the data, how long it will be kept and who will have access to it
- Obtain consent to collect, process and use data
- Let people access and transfer their data to other companies
- Inform consumers of data breaches if there is a risk to them
- Give people the right to erase their data
- Give consumers the right to opt out of marketing which uses their data
- Safeguard sensitive data
- Obtain parental consent when collecting data from children under the age of 16
Hear from Sheila FitzPatrick directly at The Data Privacy and Protection Summit, running at the Sydney Harbour Marriott from 27-29 August 2019. With a host of speakers at the forefront of data privacy and protection, this is a unique opportunity to adapt to regulatory requirements, build a privacy-aware culture and strengthen customer trust in your business.