With the new General Data Protection Regulation around the corner there is a lot of information popping up everywhere, and there is bound to be more as the May 25th, 2018 date approaches.
So, to help you get a quick overview of some of the myths that are floating around and to help you get on the right track, here are a few of those myths debunked.
- GDPR does not apply to small businesses. This is probably the most common myth and complete nonsense. The bottom line is that if you record, capture and retain any data that is personally identifiable, then you need to take some action. HR records, customer relationship software, accounting software, payment processing software and systems all likely contain personally identifiable information. You need to document how you obtained that information, how you got consent, what you intend to do with it and who you may share that data with. There are some other steps, like how you categorise this data, but for the most part establishing how and what you do with that data is always applicable.
- GDPR will not affect us when we leave the EU. Again, this is complete codswallop. In fact, what the Information Commissioner's Office (ICO) has said is that upon leaving the EU on March 29th, 2019, GDPR will remain exactly as it is and a UK-specific version of it will be in force. Businesses of all sizes should remain on track and continue to work to the current regulation that is proposed for May 25th, 2018. GDPR is coming into place to create a consistent data protection regime across the EU, and a framework for how we use data to better protect it.
- All data breaches need to be reported to the ICO. Once again, not true. The fact is that only breaches that affect people’s rights and freedoms need to be reported. For example, if the breach meant that those affected could possibly suffer legally or financially as a result, then it would need to be reported to the ICO.
- Your business could be fined £17 million or 4% of your turnover. This could be true if you are a huge organisation that holds a large amount of personally identifiable data, you do nothing about GDPR or the security of those records, and that data becomes compromised. The truth is that fines are proportionate. That means the ICO is not going to impose a multi-million-pound fine on a small business even if it does in fact fall foul of the new regulation. This is not a reason to ignore GDPR, in the same way that you have not ignored the current data protection regulation.
- You won’t be able to do email marketing under the new GDPR. This is more of a conversation around consent and less about email marketing. The truth is you will of course be able to communicate with customers and prospects using email, direct mail and text messaging if you have consent to do so. Consent is a positive opt-in giving you explicit, specific permission to contact them for a specific reason. This does not mean you can get consent once and then use that to send lots of different types of communication using different methods. If you want to send them marketing emails, then you must make clear that this is what you are requesting permission for, and only use that permission for that reason. You also need to make sure that people can easily opt out of receiving communications, where possible using the same method as they used to opt in.
So, those are five of the most common myths that we hear about GDPR, and hopefully you now have a better understanding of what is fact and what is fiction.
If you are new to GDPR and want to get a brief introduction to it over a spot of lunch, we run monthly Lunch and Learn sessions that are 100% free and open to all. You can also find them listed here.
Maybe you understand what GDPR is but need some help understanding how to implement the required changes in your business? We run 1-day workshops that will help you get a much better understanding of what this looks like in your business and what you need to do. You can find out more information by emailing firstname.lastname@example.org