ASG is now part of Rocket Software! Please visit to learn more. Follow our journey
Blog > May 2017 > Ready for GDPR? 7 Common Misconceptions about GDPR Preparation

Ready for GDPR? 7 Common Misconceptions about GDPR Preparation

With the countdown to compliance clock ticking down to May 25th, 2018, many companies have GDPR at the top of their priority list. I’d like to address common questions and misconceptions about the breadth of the regulations and how companies can prepare.

Assumption:  I collected considerable data before the GDPR were in place.  We were given consent at the time, so I think we can keep using this data.
Reality: False.  You can only use or process – as the regulation reads – personally identifiable data when you have consent for the specific planned use.  You must also periodically update consent.

Assumption:  We’ve always used an “opt out” model, meaning visitors must say we can’t use their data, otherwise we assume we can.  Since that’s so standard, I assume it will still be ok.
Reality:  False. Under the old rules opt-out was fine.  Opt-in is the new standard within the European Union (EU), meaning you need specific active consent.

Assumption:  We can send everyone in our database an email asking them for consent and we’ll be all set.
Reality:  Careful here. While that seems to be a reasonable approach, be sure you only contact those who have given consent for specific purposes.  The UK Information Commissioner’s Office fined two businesses that couldn’t show they had current consent for contacting the individuals for marketing purposes.  In addition, you cannot get blanket approval for all uses.  You’ll need to tell them how you’ll use their data and how they can later withdraw consent.  Also, be sure to record the responses and your actions in case you’re audited.  Since this is a tricky area, I suggest you get support from legal counsel before moving forward.

Assumption:  I doubt anyone knows where all the personal data is within the greater data repositories we have internally.  We’ll move forward with new data. 
Reality:  True, finding all the data within a large organization can be hard.  However, you cannot ignore it!  Unused personal data stored in your organization is at risk of security breaches and a liability under the GDPR.  Showing an effort to locate and purge unused data may reduce penalties should something happen.  Since you can’t use the data, the best approach is start a project to identify and delete it.

Assumption:  I’ve heard the fines are really big, but rumor has it they won’t really be levying them.
Reality: False. It is true that the fines are very large, €20million or 4% of global turnover (revenue).  However, the regulators set these fines for a reason and will likely levy them.  Planning on compassion from the authorities seems a poor strategy when so much is at risk.

Assumption:  We’re a US-based corporation so I’m sure we don’t have to worry about these regulations.
Reality:  This should be a priority for companies outside the EU too. Global entities that collect personal data on protected individuals as defined by GDRP (basically, people residing in the EU) must comply with the regulations. And, Brexit doesn’t relieve UK companies from the regulations if they’re collecting data on residents of their former trading block, though UK residents are no longer protected. 

Assumption:  I need to start preparing my organization now for these regulations.
Reality:  Absolutely true!  But, if you haven’t started, you’re not alone. A survey by the Center for Information Policy Leadership and Avepoint showed that 49% of companies had not yet made a decision on budgeting for compliance.  There is a lot to do!  Here’s a great resource to help you get started.

As mentioned already, ASG provides a range of capabilities that can support GDPR compliance programs The Enterprise Data Intelligence solution can scan through your data estate and report the important lineage of data.  The ASG Content Solutions can manage the lifecycle of personal data, while also capturing and managing individual’s consent. A solid technology platform can provide the basis for compliance and demonstrate efforts to comply with the regulations should administrators come knocking.

I hope I’ve cleared up some misconceptions and provided some ideas for moving forward to comply.  How have you begun preparing for GDPR? Let me know in the comments!

Posted: 5/17/2017 12:11:59 PM by Rob Perry
Filed under :content, Data, Enterprise, GDPR, governance, Intelligence, lineage, privacy, solutions