Top 5 GDPR Myths Revealed

GDPR stands for the European General Data Protection Regulation, and this new data protection and privacy law came into effect on 25th May 2018. As with any other data regulation, there are a lot of myths that surround GDPR and most came about when the legislation was first introduced. This caused quite a bit of panic with many companies who didn’t fully understand what data they were collecting, where it was stored and why. 

As with all myths, it’s important to dispel any incorrect assumptions in relation to the GDPR – both to make sure you’re actually following the right guidelines and to ensure you’re not making unnecessary precautions that could be costing you time and money. 

So what are the GDPR myths, why are they wrong, and what’s the right advice for you and your business?

Only Large Companies Require a GDPR Policy

Most business stakeholders believe that the law requires only large companies to follow the reformed GDPR legislation. This is not true, as the GDPR policy requires all organisations who are collecting or processing personal data in the EU, regardless of size, to abide by the data protection laws.

Data protection law requires all companies and businesses to share personal data securely and fairly. The company must use the right tools and follow guidance according to the data sharing codes that maintain trust within organisations.

So, if you’re a new start up company or only have a small team, ensure you read the checklist containing the right procedure you should follow before sharing any personal data. 

You can also undergo a Data Protection Impact Assessment (DPIA) to ensure your organisation is on the right track or speak to the team here at ICT Solutions who are able to advise, consult and guide you and your business to ensure you’re staying compliant with GDPR, now and in the future.

GDPR is Only Applicable to Senior Managers

Although it’s a commonly held opinion that only senior managers are the ones liable for the GDPR, this isn’t strictly true. 

Senior management is often responsible for developing policies that ensure the organisation complies with GDPR – whether that’s through a GDPR compliance program, creating guidance within staff handbooks or the use of updated data tools. 

However, if the company does break any part of the law, whether that’s through staff error or fundamental issues, then senior management is not personally liable for this – the business as a whole is. 

That’s why it’s vital that any senior stakeholders or management within your company are fully aware of what data is being handled, why and how it should be treated by all other members of the team. 

Personal Data Can’t be Shared in an Emergency

Another myth is that organisations can’t share personal data in an emergency, if someone is mentally, physically, or emotionally injured. A business is legally allowed to share data in an emergency to help save an individual’s life, so if there is a public health crisis, or it’s a matter of national security, you can share your employee or customer’s details.

However, if you are regularly controlling or processing data which could be needed in this type of emergency situation, it’s important to make sure you have a suitable plan in place to avoid any breaches which may not fall under appropriate jurisdiction. Training staff on how to handle emergencies and letting them know the process if this instance did ever arise, could save your company a lot of time and effort in the future.

You Just Require a Simple Checkbox on Your Website

Although it seems like an easy quick fix, you can’t just become GDPR compliant by adding a simple checkbox on every form on your website. 

It’s important to take stock of which data you’re currently asking for, why you’re asking for it, where you’re storing it and what you’re going to do with this data. 

If a user submits details within a form and its stated use is clear, this provides consent. For example, if a user sends a support request, the intended use of the collected data is to respond to the raised ticket so in this instance, there’s no need for an additional consent checkbox.

However, if any other actionable uses of the collected data exist, an explicit consent checkbox is necessary.

We understand this can be confusing – which elements must be updated and which can stay as they are? ICT Solutions can help implement a series of on-site changes to ensure your website is updated to reflect new opt-in regulation. 

If you’re maintaining email marketing customer lists, it’s vital that these are managed well. At ICT Solutions, we help clients with their mailing list management and upkeep, so can help make sure that you’re following the rules and are not at risk of running into any issues with your customers, past and present.

All Data Breaches Must be Immediately Reported to the Relevant Authorities

You may think that all businesses must report all data breach cases to the relevant authority. However, this is not strictly true, as GDPR only requires all organisations to report certain personal data breaches.

You should report specific personal data breaches to the relevant authority within 72 hours of learning about the breach. For example, you must report data theft (i.e. where the company’s database is stolen) to the appropriate authority within this time frame.

Hackers can use this personal data to commit a wealth of cyber security crimes that can cause huge losses both for the individual and the company in question. 

In contrast, although it strictly falls under personal data processing, you don’t have to report if you’re altering internal staff contact lists, for example. 

When faced with a data breach, it’s important to assess the extent of this and how to best limit any negative effects on the company as a whole.

Ensure you have the right GDPR support

Many companies and the wider population can misinterpret the GDPR requirements; following the wrong advice for your business can prove costly. 

Whether that’s in the form of fines which can total up to 4% of your annual turnover, or implementing needless procedures for your staff and customers it’s important that you’re doing exactly what the regulations require. 

There are a range of elements to the GDPR bill that require ongoing maintenance of systems and processes, and that’s where we can help. 

Here at ICT Solutions, we work with a range of companies as GDPR consultants to ensure that the right things are in place, at the right time, for the right reasons. 

To hear more about how we can support your business moving forward, please get in touch with us today for more information.