With less than two months to go until the GDPR comes into force we decided to look at some of the most common myths that are coming up in many of our conversations with other businesses. Perhaps you've got some of the same concerns?
Top 7 myths relating to the GDPR...
- We need consent from data subjects for all processing activities
Yes, consent has been the most talked about of the lawful bases for processing data, but don't forget that there are five others! You should choose the basis that is most appropriate for your data processing needs.
- All data breaches need to be reported
This isn't entirely true. The ICO Guide to the GDPR says that where a breach has occurred you must consider 'the likelihood and severity of the resulting risk to people's rights and freedoms. If it's likely that there will be a risk then you must notify the ICO; if it's unlikely then you don't have to report it. However, if you decide you don't need to report the breach, you need to be able to justify this decision, so you should document it'.
- Everyone has a right to be forgotten
The new 'right of erasure' is not absolute and only arises in certain circumstances. The ICO states that if the processing causes damage or distress, this is likely to make the case for erasure stronger.
- GDPR doesn’t apply to SMEs
Even if you are an SME, you still need to think about GDPR as it will apply to all businesses. However, if you have fewer than 250 employees you may not need to keep records of your processing activities. The ICO has recognised the impact that GDPR will have on small businesses and has set up an advice line for them.
- I don’t have a website so GDPR doesn’t apply to me
Even if your organisation does not have a website, it will undoubtedly hold some personal data about someone, whether that relates to employees (e.g. personal contact details and bank account details), customers (e.g. addresses and phone numbers) or suppliers (e.g. email addresses). Personal data is any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
GDPR is designed to give people more control over their personal data. It will require organisations to be more transparent and open about how the personal data relating to EU citizens is used, set out clearly what it does with that data and also ensure it has justifications to support this use.
- We have spent a lot of time (and money) data mapping so we are protected, aren't we?
Whilst data mapping is key to understanding what GDPR compliance steps are needed, compliance doesn’t stop at discovery. A data mapping exercise is just the start of the journey.
A message we are hearing over and over is that businesses have spent a lot of time and money on the data problems, mapping or auditing their data. That is a necessary step, but it has not given them any practical solutions, and they don't know where to go next.
- We need to delete everything post May 2018
We all like to keep data "to be on the safe side", but the trouble with holding lots of old information is that it can be out of date, irrelevant and incorrect. Organisations should also only hold onto personal data for as long as is necessary for the purpose for which it was collected or is held. This does not, however, mean you need to delete all client, employee or supplier data on 25 May and start again. Some documents will need to be kept for a long time, but others have a shelf-life. Businesses also have to set out clearly in their Privacy Notice how long they keep data for, and this will vary depending on the type of data in question and the purpose for which it is held. If there is any doubt, take advice.
Working towards compliance
With such a short time to go, we are surprisingly still hearing about businesses that seem to know about GDPR but either think the new rules don't apply to them, think they are already complying with data protection requirements, or think that the GDPR is simply too scary to think about!
Our advice is to not leave compliance until the last minute, no matter how complicated or scary it seems. GDPR has a wide reach and will have implications for all aspects of your business. Marketing, HR, IT and senior leaders are going to have to work together to establish a compliance plan.
Also, please remember that compliance does not stop on 25 May; it is an ongoing duty. GDPR is an "evolution", in the words of the Information Commissioner.
How we can help
We can help you assess your current compliance, draft policies and procedures, and review your agreements with third party suppliers.
GDPR is about changing the culture of how personal data is viewed by the whole organisation and educating staff that there is a value in data. Training can help you on the road to GDPR compliance. Boyes Turner is able to provide bespoke training to all areas within your organisation and we also have workshops running at our offices. The next scheduled event is a Leisure & Hospitality GDPR workshop. For more information on how we can help you please email [email protected].
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.