GDPR Mythbusters!

Are you GDPR ready?


A hot topic for companies of all sizes right now is the GDPR (General Data Protection Regulation), which will be implemented on 25th May 2018. There are lots of useful online resources (the DMA is a great starting point), but to kick things off and also help ease your mind, here we’ll debunk some of the common myths surrounding the GDPR! 

The Basics

 Under the new regulation, companies are obliged to review how they process, store and use personal data (such as a customer database). It affects any department within a business that comes into contact with personal data (so most likely to be finance, HR, IT and Sales and Marketing).  While there are a number of details within the new regulation that are still being finalized, businesses are wise to spend the time running up to the 25th May implementation to understand what is required and make plans to ensure you are GDPR compliant. 
Myth 1: The UK’s decision to leave the European Union makes GDPR irrelevant

Afraid not! The UK Government has already confirmed its commitment to implement GDPR regardless of the Brexit negotiations. 

Myth 2: GDPR only affects companies in the European Union

GDPR rules apply to all companies that offer goods or services to people from the EU, regardless of where their offices or servers are located. Therefore, the GDPR applies to all companies that process information from EU citizens, making this the first global data protection law. For example, if an EU citizen makes an online purchase from a company in Australia, or uses a USA-based social network site, those companies must comply with the GDPR.  

Myth 3: You won’t be able to e-mail your customers anymore

This is not the case. However, the data subject must have opted in and given consent for that type of marketing communication; i.e. you would be in breach if you e-mailed people who had previously opted out of marketing communications. Under GDPR you may continue to e-mail customers “informational” content relating to their contract, maintenance and transactional e-mails (e.g. invoices, service updates, order updates) 

Myth 4: All data must be encrypted in order to be GDPR compliant

This is false for several reasons. The GDPR requires that measures be implemented to provide an appropriate level of security, based on an assessment of the risk involved in any action that requires, for example, the processing or storage of personal data. Although encryption is a recommended measure, it is not a must.  

Myth 5: Huge fines will be imposed if GDPR legislation isn’t being followed 

It’s understandable that businesses are concerned by this. But remember the GDPR exists to protect the data rights and privacy of citizens. The Regulation gives a great opportunity for all of us to improve customer trust by putting data under extra scrutiny and improving the relevance of what we are doing with it. Maximum fines will not become the norm and GDPR does not set out to make an example of those who unintentionally fall below its standard! 

Top Tip: 

Develop your own action plan. To avoid being overwhelmed, start with a plan!  

Begin with an analysis of the way your business currently obtains, processes, stores and uses personal data.  What do you need to change to fall in line with regulations?  Once you know this you can start to note all of the actions you need to take, and the time you will need to complete them! 

The DMA can offer guidelines for making the transition to GDPR compliance.  

Since every business is different and the GDPR takes a risk-based approach to data protection, companies should independently assess their data collection and storage practices, and where necessary seek independent legal advice to ensure that business practices comply with the GDPR.