Maybe the mere mention of GDPR at the beginning of January, when you’ve just got back into work after a festive couple of weeks, is something you think you need like a hole in the head. Maybe this wasn’t top of your New Year’s Resolutions list: ‘Make sure we are GDPR compliant before 25th May.’
However, the thing to remember is that this new law is for our benefit and the benefit of all our clients, customers and associates. It promises enhanced rights for citizens, greater transparency and increased accountability. How can anyone say that’s not a good thing?
Another thing to remember is that if you’ve kept your data protection up to speed in recent years, the changes you’ll have to make aren’t that massive anyway.
Bust those GDPR myths…
There’s a whole lot of information out there, and a lot of misinformation too. Some of it stems from the several revisions GDPR went through: legislation that was originally proposed was never ratified and will not apply. Here are five of the most common myths doing the rounds, entertaining to read about but not true, or at least reality heavily embroidered for effect.
Myth # 1 – Massive fines will ensue if your company isn’t compliant
The fact of the matter is that fines could be bigger—£17 million or 4% of turnover is the new maximum—but according to the Information Commissioner’s Office (ICO), this will not become the norm. Minor infringements in the early stages of implementation will not be stamped on and the ICO’s commitment is to guidance and education rather than punishment. ‘Issuing fines has always been, and will continue to be, a last resort,’ says Elizabeth Denham, UK Information Commissioner. While there is no intention of allowing breaches to pass by unnoticed, there are warnings, reprimands and corrective orders in the ICO toolbox before they bring out the mighty sledgehammer of punitive fines.
Myth # 2 – Now that Brexit is going ahead, GDPR rules won’t apply to the UK
Apparently 1 in 4 UK businesses have stopped preparing for GDPR compliance, thinking it won’t apply to them if and when the UK leaves the EU, which is forecast to happen in March 2019. Well, for a start, GDPR enforcement begins 10 months before Brexit is predicted to happen. In addition, the government has issued a statement of intent to instigate a new Data Protection Bill, which will implement GDPR in full.
Myth # 3 – Our company is based in America so GDPR doesn’t count
But… do you offer goods and services to companies or individuals in the UK and the whole of the EU—either resident or visitor—or to anyone from Britain or the EU living in a non-EU country? Many companies from across the globe have offices overseas. If you have to process data from UK/EU citizens or from visitors to Europe, including the UK, then, yes, GDPR applies to you.
Myth # 4 – My company data is stored with a cloud service provider, so it’s their responsibility to be compliant, not mine
Wrong – for the most part. You have a high duty of care to anyone for whom you store personal data and, to that end, it’s your responsibility to choose a reputable service provider to hold that sensitive information. You will be held responsible for GDPR compliance relating to your database – though service providers must comply with GDPR requirements too.
Myth # 5 – GDPR doesn’t apply in retrospect, so personal data we already have on our database isn’t subject to GDPR rules
GDPR rules will apply regardless of when you collected the data—as long as that data is associated with a living person who was in the UK or the EU at the time. As an example, if you have contact information from prospective customers (B2C or B2B) gathered before 25th May 2018, this data must be compliant with GDPR.
Don’t believe everything you read in the media! And always err on the side of caution when it comes to data compliance. Remember that’s both B2C and B2B. If you are struggling with the finer details, at Mailing Expert we’ll be happy to talk you through them.