
The top five GDPR myths . . . answered

In Best practice
The General Data Protection Regulation comes into force next May and will set new rules for keeping personal data safe. It is also causing concern for companies trying to ensure the data they hold stays within the new law, and that uncertainty has produced a crop of rumours. Sam Reed examines five of the biggest GDPR myths and what the regulation actually means in practice.

One of the consequences of living in the digital age is the amount of sensitive data we all share every day. Retailers, insurers, medical professionals, numerous other service providers – all keep hold of some of our most sensitive data.

However, the way our data is used and how secure it actually is, isn’t very clear to the public. The new General Data Protection Regulation (GDPR) that the EU is introducing next May aims to tackle this by creating new rules to keep data safe.

While many organisations are now aware of the legislation, they are less clear about the precise impact it will have on their businesses and what changes they need to make. What's more, there is no shortage of myths on the subject.

Debunking the GDPR myths 

Here's a list of the top five concerns and queries that have been circulating, answered:

1: “There isn’t enough clear information; how can I possibly start to prepare?”

One of the key changes GDPR will make is raising the standards for getting consent to use people’s data.

Some organisations believe they should wait for the UK Information Commissioner’s Office to issue its final guidance on consent before they make any changes, but this isn’t necessary.

The ICO says it is waiting for Europe-wide consent guidelines to be published so that it can offer consistent guidance. In the meantime, it has issued draft consent guidance which it believes will be very similar to the final version.

When it comes to consent, an important point to clarify is that consent is only one of several lawful bases for processing, and you don't always need it. For example, banks sharing data for fraud prevention, or local authorities processing council tax information, can rely on a lawful basis other than consent.

2: “This will put a huge burden on my business!”

There are some who feel GDPR is putting undue pressure on businesses to change their working practices, or risk a hefty fine.

However, the ICO has pointed out that the higher fines being quoted are the maximum allowed and will not be routine. Those worried that the maximum fine of £17 million (€20 million) or 4% of annual global turnover, whichever is higher, will be used on companies to set an example can rest assured this will not be policy.

Rather than putting undue pressure on businesses, the new legislation offers the ideal opportunity to review your data and ensure it is up to date. So, in the end, you may end up with less data but it will be of a better quality.

It is also a good opportunity to review your cyber security measures because new threats are constantly emerging and can affect business of all sizes. Some small businesses mistakenly believe they are unlikely to be targeted.

However, according to the Federation of Small Businesses (FSB), cybercrime is one of the fastest growing risks to small businesses. An FSB report found that 19,000 cybercrimes are committed against small businesses in the UK every day, and a government report estimates that the average cost of a breach to a small business is £3,100.

Making sure you have robust cyber security measures in place is wise, regardless of the legislation. The National Cyber Security Centre gives 10 steps you can take to protect yourself.

Rather than hampering the ability of businesses to use data, GDPR may make people more willing to share their data because of the new security standards. ICO research shows that people ‘would be more willing to provide their data, and for different uses, if they felt they could trust organisations to handle it fairly, securely and responsibly’.

3: “This isn’t relevant to my UK business due to Brexit”

Because the legislation is being introduced while Brexit is being negotiated, some believe it won’t apply to the UK. Others believe it will only apply until March 2019, when we are due to leave the EU.

In fact, the legislation applies to any organisation that offers goods or services to, or monitors the behaviour of, individuals in the EU, regardless of where that organisation is based. Even if you don't handle the data of anyone in the EU, you will still have to comply with the new data protection law being introduced in the UK. The government says the proposed changes, already set out in a Data Protection Bill, will incorporate the GDPR's rules, with the stated aim of helping Britain prepare for a successful Brexit.

The new UK law will replace the 1998 Data Protection Act and aims to make the UK fit for the digital age.

4: “Now we all need a data officer”

There is some concern that every organisation now has to appoint a data protection officer. The DPO is meant to be the data protection expert within an organisation. Although many organisations, including some small businesses, will need a DPO, not every organisation needs to appoint one.

Under GDPR, you must appoint a data protection officer (DPO) if you:

  • are a public authority (except for courts acting in their judicial capacity);
  • carry out, as a core activity, regular and systematic monitoring of individuals on a large scale (for example, online behaviour tracking); or
  • carry out, as a core activity, large-scale processing of special categories of data, or of data relating to criminal convictions and offences.

It is important to make sure you fully understand the role of a DPO before appointing one, because the position needs to meet particular requirements laid out in the law. For example, the DPO needs to be independent and the business must provide them with the resources to complete their work.

5: "GDPR will be a data revolution!"

No! The ICO is keen to point out that the new law is "an evolution not a revolution".

The new law simply builds on the existing regulations around data.

Those who follow the current data protection laws are already likely to be in a good place. They now simply need to review and update their current procedures, which won’t just keep them on the right side of the new law, but will benefit them, too.

What’s next?

With roughly six months to go before GDPR comes into effect, there is no reason to wait before you review your data practices. The ICO has laid out 12 steps you can take now to prepare. Working through that guide is a good way to start getting ready for GDPR, but be sure to get expert legal advice on anything you are unclear about.


Sam Reed
Author: Sam Reed
Chief technology officer at Air IT | www.air-it.co.uk
