Have you or your clients fallen for a GDPR myth?

In a recent mini survey carried out amongst our members, 40% of respondents were confident that their businesses were GDPR compliant, with the remaining 60% saying they had taken some steps but knew they were not finished. These results suggest that our members are well aware of their data protection obligations, but are you 100% confident you know exactly what compliance involves? Would you be as confident in the cold light of a data breach, a subject access request or a complaint to the ICO? If you wavered on any of these questions, you might want to consider the GDPR myths that we are still hearing over a year after GDPR came into force:

GDPR is just like Y2K

25th May 2018 came and went – just like 31st December 1999 – but despite what many still believe, GDPR is not like the Y2K millennium bug. The requirement to prepare for it didn’t end on 25th May 2018; it began. GDPR compliance is a journey. Even if you were compliant on 25th May 2018, you may no longer be compliant. Your systems, practices and procedures need continual review to ensure that the data you hold (and process) remains appropriate, necessary and secure. The regulator and your clients are becoming ever more alert to privacy controls.

I have a privacy notice, I’m compliant

It is still a widespread belief that having an up-to-date privacy notice equals compliance with GDPR. This is just the start – along with paying your data protection fee to the ICO. You also need to put physical and cyber security measures in place, define policies and procedures around the handling of data in your organisation and train your staff in these, have processes in place for data breaches and subject access requests, and ensure that the businesses you share data with are also compliant. And once you’ve done all of that, you need to make sure that all your data protection systems remain up-to-date and compliant over time as your team, the ways you work and the data you need change.

I’m not likely to have a breach

In the first 11 months after GDPR came into force, over 14,000 breaches were notified to the ICO. And according to a recent survey by the Department for Digital, Culture, Media & Sport, 32% of businesses identified cyber security breaches or attacks in the previous 12 months. Bear in mind that cyber-attacks represent only 16% of data breaches and you start to understand the scale of the problem. The question is when, rather than if, you have a breach.

GDPR doesn’t matter because of Brexit

Whilst the EU GDPR would no longer apply in the UK after a no-deal Brexit, the UK Government has taken steps to ensure that data protection still works from day one – by essentially creating a UK GDPR. It has stated that ‘the fundamental principles, obligations and rights that organisations and data subjects have become familiar with will stay the same.’

Don’t take a risk

Our data protection partner Astrid offers a free compliance check – just create an account, go through to stage 1 of their process and take the quick GDPR test.

The IAB has negotiated a 10% discount for professional members with Astrid for full access to the tools and guidance they provide to help small and medium sized businesses become and remain GDPR compliant. To find out how to gain the discount please login to the Members’ Area of our website and visit the Member Benefits section.
