With May 2018 fast approaching, the GDPR is quickly becoming a reality for many businesses and organisations. As most people turn to the internet for GDPR guidance, they’ll face a mass of information and misinformation, which can be a little daunting. With this in mind, I want to unpick a few misunderstandings which I find time and time again as an email executive, to reveal the truth before you take a wrong turn.
“It’s the IT department’s job to ensure we’re GDPR compliant”
The new regulations are linked with collecting data and the way that data is handled, so the GDPR is often associated with IT issues. Nonetheless, the GDPR is a substantial change to the existing Data Protection regulation, so complying with the new rules must be a team effort from different departments. It’s important that your whole organisation is aware of the new regulations that come into play from May to ensure there’s no room for error. If you’re not up to speed, you might incur a hefty fine – 20 million or 4% of your brand’s annual global turnover. No big deal, right?
“Complying with GDPR will only take a few weeks”
Oh, how I wish this was true. To kick-start your GDPR compliance, it is essential that your organisation takes a look at how it processes personal data and how that data is handled. This will need work from all departments, ranging from HR and sales to marketing and finance. What better time to start preparing than now?
Although the final guidance has yet to be published by the ICO, it is unlikely that it will change significantly in its final form, so you can be pretty sure that any prep you do now will be worth the effort. Luckily, we’ve written a handy GDPR guide to kick-start your compliance process. You can’t say we don’t treat you!
“As the UK is leaving the EU, I don’t need to worry about GDPR”
Recent studies from ITProPortal show that 25% of businesses have stopped preparing for GDPR as they feel it won’t apply to them given Brexit in 2019. The GDPR will be enforced ten months before the final Brexit deadline, and as most data processing will cover UK and EU citizens, GDPR rules will still apply.
“All data breaches need to be reported to the ICO”
After hours of research, I came across this GDPR myth pretty consistently. The fact is, only breaches that affect people’s rights and freedoms need to be reported. The threshold for deciding whether a data breach needs to be reported to the ICO depends on the risk it poses to the people involved; for example, a breach that could affect people legally or financially should be reported.
“My data is stored with a cloud service provider, so it’s their responsibility to make sure they are GDPR compliant with my data”
Although any third parties you use are responsible for making sure they are GDPR compliant, it is your responsibility to ensure your data is handled and stored correctly. So, even if you’re using a third-party data storage facility, e.g. the cloud, you will still be held responsible for compliance under the new regulations.
“I will have to get rid of all of my data and collect it again from scratch”
You need to ensure that your existing data meets the GDPR standard and that each record is specific, detailed, documented and easily accessible. If you don’t think your organisation meets the required standard, this is when you’ll need to change your consent process and seek new GDPR-compliant consent. Think of it more as a re-opt-in task to update your records with the necessary information rather than a completely new opt-in.
Please note that all the information contained in this blog is for guidance only. If you are concerned about the impact of GDPR and would like bespoke advice for your business, please call 01273 208913 or email firstname.lastname@example.org.