Why GDPR Compliance and Security Aren’t Synonymous

AUGUST 22ND, 2018
Though the General Data Protection Regulation (GDPR) has inspired many companies to be more careful with their customers' data, most have not yet become compliant. According to Deloitte, only about one-third (34.5%) of the surveyed businesses working on their GDPR programs say they have reached full compliance.

A Problem Businesses Face with GDPR Compliance

The GDPR requires many organizations to designate a Data Protection Officer (DPO): the obligation applies to public authorities and to organizations whose core activities involve large-scale or systematic processing of personal data (Article 37), and many other companies appoint one voluntarily. Whether an organization creates a new DPO role or folds the duties into an existing position is up to the company. Many organizations have handed compliance to one member of the IT team, but is it really just an IT job? An IT specialist or CIO may know how to secure and control the data a business collects, but they don't necessarily know how each department processes it. Every business line processes data specific to its own work, so in practice compliance should be owned by people across the organization, not only by a member of IT.

If I’m GDPR Compliant, Does That Mean My Data Is Secure?

It may seem safe to assume that the 34.5% of organizations who report full GDPR compliance are also on point with their cybersecurity. But the regulation is primarily about privacy: whose hands customers' data is in, what it may be used for, and the rights individuals have over it. For example, there are strict rules about whom you can send marketing emails to. Individuals have to "opt in" to each specific type of email you send (whether ads, newsletters or offers) before you start sending. That protects people from being inundated with spam from companies they never knew existed, but it says nothing about how their data is protected from attackers. Where the GDPR does address security, it sets a standard rather than prescribing controls: Article 32 calls for "appropriate technical and organisational measures" proportionate to the risk, and names encryption and pseudonymisation only as examples. A completed compliance checklist is therefore no evidence that those measures are actually in place and working.

How to Keep Data Secure and GDPR Compliant

Even though the two aren't synonymous, cybersecurity and GDPR compliance go hand in hand. Lawfully processing personal data, as the GDPR requires, means an organization must know where information is stored, who has access to it and what those people do with it. That same inventory of data, access and data flows is exactly what a security team needs in order to protect it. Here are some simple questions you can ask yourself and your IT team to check that your data is both GDPR compliant and secure:
  • Do you know the difference between a controller (the organization that decides why and how personal data is processed) and a processor (a party, such as a service provider, that processes the data on the controller's behalf), and which role your business plays for each set of data it handles?
  • Are your service providers GDPR compliant? Can they document what they do with your data: how long they keep it, what it's used for and where the processing happens?
  • Do you know the difference between compliance (documenting your adherence to the regulation) and data security (finding and closing the gaps that leave your data vulnerable to attack)?
  • Are your privacy and security procedures up to date?

Data security should be treated as seriously as any regulation, GDPR included. A breach can damage the reputation and earnings of a business, so for the safety of your company, cybersecurity must be taken as seriously as GDPR compliance. StorageCraft is the online data recovery pro. We know what it means to a business to protect, store and sort through its data, and we can help you with your security needs. Contact us today for all the information about our security, storage and recovery solutions.