Shannon Yavorsky was quoted on May 11, 2018, in Law360 in an article about the myths associated with the EU's General Data Protection Regulation (GDPR) that will take effect in just two weeks. GDPR promises to revolutionize how companies around the globe handle personal data while imposing stiff penalties on those that don't comply. But attorneys say that although companies have had two years to get up to speed, several troubling myths still persist.
"A big myth we've been hearing is that if you breach the law, you're going to be fined 4 percent or €20 million, whichever is higher," said Ms. Yavorsky. "There's been a lot of fear mongering about very significant fines being imposed and people are really focused on them, but we're trying to talk clients off the cliff and reassure them that really significant fines are most likely going to be reserved for egregious breaches."
"Customer data is usually the first thing companies think about when it comes to personal data," Yavorsky said. "They're often not thinking about things like employee data, other businesses' data and all the other buckets of personal data, including things like device identifiers and IP addresses that are swept up by the regulation."
Since the fines are so significant, companies would be wise to treat as personal data all the data they hold that could be used to identify a person — including hashed and pseudonymous data, which is frequently falsely assumed to fall outside the gamut of the regulation — in order to avoid running afoul of the law, Yavorsky said.