A common misconception is that IT teams can manually compile a list of sensitive data
(1) The GDPR only applies to companies with a physical presence in the EU.
Fact: The GDPR applies to any organization that processes the personal data of individuals in the EU, even if it has no establishment there, whenever the processing relates to offering them goods or services or to monitoring their behaviour (Article 3(2)). A US- or Asia-based web business serving EU customers is in scope.
(2) GDPR compliance is a one-time effort.
Fact: Let's say your organization has implemented GDPR's right to erasure. IT systems, however, change constantly: new applications, exports, backups and analytics copies create new locations for personal data, and an erasure process that only covers the stores known at implementation time silently stops being complete. Will you be notified when a new location appears?
(3) We know where our customer personal data is stored.
Fact: Customer personal data is routinely stored in unexpected locations:
- You may not know what is stored in your database's varchar/clob/blob columns. A schema with no "email" or "ip_address" column can still hold personal identifiers inside free-form text such as support notes, comments, JSON payloads or uploaded attachments, where a column-name inventory will never find them.
- Data proliferation is the norm in a typical IT organization. With the rise of cloud and analytics, production data gets copied to Hadoop clusters, cloud object stores, on-premise data warehouses, test environments and spreadsheets, and each copy is a location that erasure and access requests must reach.
(4) My organization has little customer personal data.
Fact: Your organization may have more customer personal data than you think:
- Online identifiers such as IP addresses, cookie IDs and mobile device/advertising IDs are personal data (Recital 30).
- Biometric data is a special category of personal data (Article 9). Note the caveat: a facial image becomes biometric data when it is processed with specific technical means that allow unique identification of a person, for example facial recognition (Recital 51); a plain photograph on its own is ordinary personal data.
- Pseudonymised data is still personal data: as long as the individual can be re-identified with additional information (a lookup table, a key), the GDPR applies (Recital 26). Only data that is truly anonymised, so that the individual can no longer be identified by any reasonably likely means, falls outside its scope.
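Points (3) and (4) together describe the practical problem: identifiers the GDPR counts as personal data (e-mail addresses, IP addresses, device IDs) sitting inside free-form varchar/clob/blob columns that no schema inventory lists. The following script is an added example of a minimal content-based discovery scan; it is not Kogni's code or part of the original post. It builds a constructed SQLite table whose schema has no identifier column at all, then scans every text-like or blob column for identifier patterns. The table, rows, regexes and function names are all assumptions made for the illustration.

```python
import re
import sqlite3

# Illustrative patterns for identifiers the GDPR treats as personal data:
# e-mail addresses, IPv4 addresses, and UUID-style mobile advertising IDs.
# A real discovery engine would use many more (phone numbers, national IDs,
# card numbers with checksum validation, and so on).
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "device_id": re.compile(
        r"\b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b"
    ),
}

# Declared-type fragments that mark a column as opaque free-form storage.
TEXT_LIKE = ("CHAR", "CLOB", "TEXT", "BLOB")


def text_columns(conn, table):
    """Return the columns of `table` whose declared type is text-like, blob,
    or missing altogether (SQLite allows untyped columns)."""
    cols = []
    for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
        ctype = (ctype or "").upper()
        if not ctype or any(tok in ctype for tok in TEXT_LIKE):
            cols.append(name)
    return cols


def scan_database(conn):
    """Scan every text-like column of every user table for identifier patterns.

    Returns {(table, column, kind): match_count}. Blob values are decoded as
    UTF-8 with errors ignored so that text hidden in binary attachments or
    serialized payloads is still inspected. Identifiers are double-quoted,
    which is sufficient for the constructed schema used here.
    """
    findings = {}
    tables = [
        row[0]
        for row in conn.execute(
            "SELECT name FROM sqlite_master "
            "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
        )
    ]
    for table in tables:
        for col in text_columns(conn, table):
            query = f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL'
            for (value,) in conn.execute(query):
                if isinstance(value, bytes):
                    value = value.decode("utf-8", errors="ignore")
                elif not isinstance(value, str):
                    continue  # numeric value stored in an untyped column
                for kind, pattern in PATTERNS.items():
                    hits = len(pattern.findall(value))
                    if hits:
                        key = (table, col, kind)
                        findings[key] = findings.get(key, 0) + hits
    return findings


def build_sample_db():
    """Constructed sample data (not real customer records): a support-ticket
    table with no identifier columns, but identifiers inside free text and a
    blob attachment."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tickets ("
        "id INTEGER PRIMARY KEY, status VARCHAR(16), notes CLOB, attachment BLOB)"
    )
    rows = [
        (1, "open",
         "Customer alice@example.com reports login failures from 203.0.113.42",
         None),
        (2, "closed",
         "Duplicate of an earlier ticket; nothing to see here",
         b"crash log: device 123e4567-e89b-12d3-a456-426614174000 rebooted"),
        (3, "open",
         "Escalated; user ip 198.51.100.7, second contact bob@example.org",
         None),
    ]
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for (table, col, kind), count in sorted(scan_database(db).items()):
        print(f"{table}.{col}: {count} {kind} value(s)")
```

The point of the scan is that it keys on content, not on column names: the `notes` CLOB and the `attachment` BLOB both surface personal data even though the schema never declares any. Run the same logic against each copy of a dataset (warehouse, analytics extract, test database) and the output is the list of locations an erasure request actually has to reach.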
(5) Fines will not break my business.
Fact: Administrative fines under the GDPR can reach 20 million Euros or 4 percent of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5)); a lower tier of 10 million Euros or 2 percent applies to other infringements (Article 83(4)).
A few things to note about the non-compliance fines and penalties:
- The percentage is applied to global turnover, not just EU turnover, which is an enormous number for large companies.
- The fixed ceiling of 20 million Euros applies even when 4 percent of turnover would be far less, so the maximum is disproportionately punitive for small companies.
- Fines are not the only consequence: supervisory authorities can also order processing to stop, and data subjects can claim compensation (Article 82).
In a related blog post, we lay out how Kogni, with its automated sensitive data discovery engine and monitoring, can help accelerate the GDPR compliance journey.
Interested in learning more about Kogni? Request Demo