GDPR is approaching, prowling behind us, waiting. On May 25, 2018, it’ll pounce. Despite this looming deadline, 52% of companies still don’t feel ready, expecting to be fined for non-compliance.
The compliance struggle is exacerbated by misunderstandings about how software solutions fit into GDPR regulations. Many businesses mistakenly believe that they have (or offer) GDPR compliant software. Sadly, GDPR compliant software just isn’t possible – it doesn’t exist. Howard Williams, marketing director at software development specialist Parker Software, explains.
Jargon, claims, and confusion
By now, most businesses are well-versed on the basics of GDPR. So, we all know that as of 25 May, any organisation that does business with an EU citizen must abide by GDPR. We’re also clear on the fact that any data a business collects that falls under the category of ‘personally identifiable information’ (PII) is subject to the new regulations.
Beyond the basics, however, is a grey area that is causing some companies to panic. As they scramble to ensure compliance by the deadline, it’s natural to look for quick solutions and easy fixes. This is where jargon and claims become rife. You might have seen adverts that make the hot claim of ‘GDPR compliant software’. Without mincing words: this is a lie. Don’t fall for it.
The root of the muddle
Software solutions used to handle PII data are required to follow the principles of Security by Design (SbD) and Privacy by Design (PbD) under GDPR. However, assurance that these principles are being followed is leading to the more general claim of ‘GDPR compliant software’. This is where the confusion is likely to have first arisen. Unfortunately, following SbD and PbD doesn’t make for a GDPR compliant solution. A piece of software, in and of itself, cannot be compliant.
The new regulations also place requirements on both ‘data controllers’ and ‘data processors’. This has added to the misunderstanding about compliant software, as many SaaS companies process the data controlled by their customers. The requirements on data processors mean that these companies must also be GDPR compliant – and when they believe they are, they mistakenly claim that they have GDPR compliant software.
Delivering a foundation
Therein lies the crux of the problem: it’s the company that needs to be GDPR compliant, not the software or tools it uses. So unfortunately, you can’t just install a software product, press go, and magically become GDPR compliant. All is not lost, though. Some software products (those that do follow SbD and PbD, for example) might be easier to use in a compliant way. The software is not a compliant entity itself; to reiterate, that job falls on the companies and the correct use of the software. It can, however, make compliance less of a hurdle.
There just is no such thing as GDPR compliant software. Basically, the software products that you use can only provide you with a foundation that will help you achieve GDPR compliance. Ultimately, it’s up to how you use the software: it’s up to you to understand the types of data the software collects, and it’s up to you to handle PII correctly. Think of it this way: a gun is not evil or unlawful, but the incorrect use of it is. It’s the same with software and GDPR compliance.
Be ready for GDPR
If you aren’t compliant by the deadline, your company could face penalties as high as €20 million or 4% of your annual global income (whichever is higher). But by knowing the right questions to ask, you can give your company the best chance of being fully compliant with GDPR by the deadline.
So, don’t get caught out by confused or misleading claims of this fictional ‘GDPR compliant software’. When implementing software products, ask whether they will be able to support GDPR compliance, not whether they are compliant themselves. There might not be any quick fixes, but there’s still time to get ready for GDPR, and there is still software that can integrate well with the new regulations.