The date is approaching when the new GDPR (General Data Protection Regulation) will replace the 1995 data protection legislation and, as time passes, its application is taking relevance in the conversations of security experts and responsible for all the companies. Remember that the GDPR will help strengthen the protection of the user’s fundamental rights in the online environment and will give them back control of their personal information. Therefore, companies must be prepared to adopt mandatory measures.

We’ve already explained the fundamental changes to the legislation. We also went over some of the most widespread myths regarding the GDPR: its scope of application, the timeframe for reporting incidents, or requirements related to data encryption. Today we are going to analyze more myths that enshroud this new regulation.

Myth number 4: “The personal data already contained in our database is not subject to the GDPR”

One of the most overwhelming issues for companies is the massive amount of information they already have in their possession. Does the new legislation apply to these databases collected before its entry into force? The answer is, “Yes. Definitely.” All user data of a personal nature must comply with the regulation, regardless of the date of collection of said data. The only exception to this rule is in the case of deceased persons, since in this case the regulation would not apply to their personal data.

Myth number 5: “The data is stored by my cloud provider, so the GDPR is their problem, not mine”

Some have contended that since companies that use third party cloud storage are not technically responsible for directly storing data, we are not responsible for applying the measures imposed by the GDPR. However, whenever you deal with a user’s information, you will most likely fall into the controller or processor category. If you hire an external company to store the data, your company would become the controller, or controller and processor, while the cloud service would be solely in a processor role. But both are within the scope of the new regulation. So even if the controller uses a third-party service to store their data, it will still be responsible for complying with the GDPR.

Myth number 6: “The GDPR is restricted to personal identification information”

It is advisable to take extra precautions when approaching the changes indicated by the GDPR. That’s because, to date, the definition of what we consider to be personally identifiable data has fallen short. As the GDPR explains, the EU has substantially expanded this definition of personal data to efficiently reflect the types of data that is ordinarily collected. The new regulation expands the definition to include online identifiers or even IP addresses, since these are now considered to be personal data. Other data, such as economic, cultural, genetic or mental health information, are also considered to be personally identifiable information.

Panda Security can help you make the change

The GDPR will bring along with it a series of profound changes in the way a company operates. To help get things up and running, Panda Security has prepared this “Preparation Guide to the New European General Data Protection Regulation”. We respond to important issues related to the GDPR, such as: how does it affect my business? What obligations does this regulation require? What happens if I do not comply with these obligations?

We also work on solutions, so that the data and systems remain completely safe and in full compliance with the GDPR. For example, Adaptive Defense, with its state-of-the-art protection tools (NG EPP) and detection and remediation technologies (EDR), serves as a critical means of ensuring compliance. The GDPR is not to be underestimated, and understanding its finer points will be a differentiating factor in every sector that handles personal data.