If you run a business in the UK, you will probably have heard of the EU’s General Data Protection Regulation (GDPR). This new piece of legislation applies from 25 May 2018, and it’s important to be making the necessary changes to your company now to ensure that it will comply with the rules. But there is a lot of information out there about the regulation, which has led to a number of myths floating around. Here we clear up six of the most common misconceptions about GDPR.
Myth 1: Our cyber security is strong so we’ve got nothing to worry about
One of the key features of the GDPR is the requirement to put in place technical and organisational security measures appropriate to the risk, but many businesses are under the false impression that they are already sufficiently protected. Strong security is also only part of the picture: the GDPR covers how you collect, justify, store and delete personal data, how you honour individuals’ rights over it and how you report breaches, so a hardened network alone does not make you compliant. These regulations are no joke and can lead to fines of up to €20 million or 4 per cent of global annual turnover (whichever is greater), so you can’t afford to be complacent.
If you truly believe that your cyber defences are fully capable, it’s a good idea to have them comprehensively challenged to check how effective they are in the real world. Cyber security experts Redscan help firms prepare for the GDPR using a range of methods, including vulnerability assessments and penetration testing. If a penetration test finds weaknesses in your systems, you may wish to work with cyber security specialists to upgrade your defences before the regulation applies.
Myth 2: Brexit means GDPR won’t affect us
The GDPR is set to apply from 25 May 2018, which has led some businesses to believe that it won’t actually affect them at all. The reasoning is that the GDPR is a European regulation and the UK voted to leave the EU on 23 June 2016, so EU rules will no longer apply to British companies. This is not the case. Despite the vote, the country is still in the EU and will remain there until March 2019 at the earliest, so your company will need to follow EU rules at least until that date.
Additionally, even after the UK leaves the EU as currently planned, the GDPR applies to any business outside the EU that offers goods or services to people in the EU or monitors their behaviour, so any UK business that trades with EU customers will still need to follow its rules. The UK government has also said it intends to keep the GDPR’s standards in domestic law after leaving. Ultimately, this means Brexit will have little effect on the GDPR, and the smartest thing to do is to forget about Brexit and focus on the fact that you will need to be prepared.
Myth 3: Personal data we already have is not subject to GDPR
You might assume that the data you have already collected is not subject to GDPR rules; however, this is wrong. The regulation applies to all personal data you hold once it takes effect, regardless of when it was collected. As long as the data can still be associated with an identifiable individual, it falls under GDPR protection.
You need to bring your existing data up to the same standard as data you collect in the future: the same security safeguards, the same lawful basis for holding it, and the same ability to find, correct or delete it when an individual asks. Failing to do so means that legacy data could be compromised in a hacking attack and you could then be severely fined for allowing the breach to occur.
Myth 4: As we are a small business, GDPR doesn’t apply to us
Some small businesses believe that they may be exempt from GDPR due to their size, but this is incorrect. While some regulations do not apply to smaller companies, GDPR applies to all businesses and organisations that process any kind of personal data. The only size-based concession is a lighter record-keeping obligation for organisations with fewer than 250 employees, and even that falls away if the processing is not occasional, is likely to put individuals at risk, or involves sensitive categories of data. Whether the rules apply to you depends entirely on whether you process personal data, not on the size of your company: as long as your business processes personal data, you need to be compliant.
Myth 5: Our IT department can be left to deal with it
Of course, much of the GDPR centres on data, and that is usually an issue for your IT department to deal with. So does that mean that sorting out everything relating to GDPR compliance should be left to your IT team? Certainly not. Your whole business culture will need to change to prepare you to comply with the rules. Firstly, managers and leaders will need to take a key role in changing policies. Then that information needs to be disseminated to staff at all levels of the business, since the people who collect, handle and delete personal data day to day are usually outside IT. This is not something that the IT department can do alone.
Myth 6: We need to appoint a data protection officer
Many guides on preparing for GDPR suggest that appointing a qualified data protection officer (DPO) is a requirement. However, this is not the case for everyone. A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data, and the test is what you process, not how many staff you have. Larger businesses will generally benefit from appointing an independent DPO to oversee data protection issues, but for the majority of small and medium sized enterprises (SMEs) the role is not compulsory.
It’s a much better idea for SMEs to simply work with an outside specialist with digital security expertise who can provide insight into GDPR and create a plan to help your business. In fact, when you work with this sort of advisor, they will be able to tell you if you would benefit from a DPO.