The General Data Protection Regulation (GDPR) has been described as the most important data privacy legislation in 20 years. It rests on the assumption that European Union (EU) consumers own their personal data and that companies, businesses, governments and other organizations must handle it with care. Organizations worldwide must adhere to the legislation or risk heavy fines, which can reach as high as 4% of global annual revenue. With the compliance deadline of May 25th only 9 days away, the rush toward compliance is on. To help with your efforts, we have compiled some of the common misconceptions about GDPR. Here is a list of things to watch out for:
Does GDPR apply to you?
Let’s make this simple: GDPR applies to anyone who handles personal data from EU consumers. This means any organization, anywhere, can fall under GDPR. Furthermore, companies that store personal data must be compliant, and so must companies that process requests to access that personal data. Being located outside the EU does not mean you can avoid GDPR; you are just as liable as anyone else.
Fraud Prevention > GDPR Compliance
You may think that following KYC and AML procedures overshadows GDPR compliance, but this is not the case. All of these compliance rules now have to work together. It can be easy to ask for large amounts of data for authentication purposes, but retaining that data is no longer allowed. Under GDPR, you can collect personal data during the onboarding process for verification purposes, but storing it unnecessarily is no longer allowed. Furthermore, you can’t ask for specific details during access, such as date of birth or a specific address.
72 hours to notify EU citizens about breaches
Many organizations are worried about the turnaround time for informing regulators about breaches. Ideally, when a company discovers a breach it should determine what the breach is, who has been affected, how large it is and how it happened, all within 72 hours. Many organizations do not have such a breach response plan in place, though. While this can cause panic, it’s important to note that the 72-hour time frame starts when the breach is discovered, not when it occurred. This gives organizations some room to develop and put processes in place before they begin tracking breaches in their systems.
GDPR compliance only applies to online channels
If you are a company that stores personal data from EU consumers, GDPR applies to you. It doesn’t matter whether you talk to these people in person, on the phone or some other way. GDPR applies to any entity that stores large amounts of data about EU citizens. One good example is a call center. Call centers store consumer information such as email addresses, phone numbers and postal addresses; therefore, they fall under GDPR. The best way to reduce the risk of noncompliance at a call center is to verify the customer’s identity at the beginning of the call and reduce the amount of personal data used during the call itself.
GDPR compliance can be tricky, but you can’t avoid it any longer. The sooner you begin putting processes in place to comply with the new legislation, the easier it will become. GDPR sets a new standard for the retention of EU consumers’ personal data, and it will have a lasting effect on organizations all around the globe. IDMERIT can help you toward your goal of GDPR compliance. Contact us for more information today.