This publication was written by the Information Governance Initiative as part of our ongoing series exploring issues, strategies, and techniques related to information governance. As part of our commitment to excellence and to maintain objectivity, the IGI will not recommend, evaluate, or endorse specific products, services, or providers.
GDPR Myths & Misconceptions was made possible by OpenText’s support of the IGI. OpenText is an IGI Charter Supporter. More information about OpenText is available at www.opentext.com.
“The only thing that is constant is change.”
– Heraclitus of Ephesus (c. 500 BCE)
– Every IG practitioner (every day)
Change is a fact of life in Information Governance (IG). Technology changes, best practices evolve, our organizations shift and grow. Laws also change. In fact, in 2018, “the most important data privacy regulation in 20 years” will go into effect. Authorities, wielding the power of massive fines, will enforce this law on all organizations that process the personal data of European Union (EU) residents, regardless of where those organizations are based.
With a GDP bigger than the U.S. or China, an economy that imports USD $180 billion from the rest of the world each month, and a population of 508 million, the EU and its laws have a massive impact on the world. The GDPR cannot be ignored.
The EU’s General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018, is poised to have a profound impact on IG programs worldwide. With the authority to levy fines on an organization of up to EUR 20 million (about USD $23 million) or 4% of annual global revenue, whichever is greater, the GDPR rightfully has the attention of the Information Governance Initiative and our community of thousands of IG professionals.
However, our research and discussions have revealed that there are several common myths and misconceptions about the GDPR. Much like stories from a friend who swears that a truly unbelievable thing happened to a friend of a friend of a friend of theirs, many GDPR “urban legends” are being swapped around metaphorical water coolers, and over actual after-work drinks.
Although it is impossible to definitively answer some questions about the GDPR until authorities begin to enforce the law, there is little uncertainty about its most important provisions and what organizations must do to prepare and comply.
What is certain is that organizations with well-built and mature IG programs are best positioned to adapt to the GDPR. After all, at its heart the GDPR is about organizations understanding and exerting control over information based on its value and risk, i.e., the sine qua non of IG.
Confusion and uncertainty about the GDPR’s potential impact and how to prepare for it are widespread. According to one estimate, more than half of organizations affected by the law will not be ready to comply by the deadline.
To help organizations understand and adapt to the GDPR, in this paper we will identify and correct seven of the most common GDPR myths and misconceptions.