The General Data Protection Regulation (GDPR) came into force in May 2018, and by the letter of the law, virtually every business in the UK needs to comply with it. However, there are still some misconceptions surrounding the law and what it means to organisations. This can lead to difficult situations where mistakes can be made.
Here are six myths about the GDPR that some individuals and businesses still believe are the truth.
Myth 1: The large fines are just a threat.
The GDPR made headlines for a long time back in early 2018 before the regulations came into force. During this time, much was made of the extremely heavy fines that could be imposed on businesses that failed to comply with the regulations. These were reported to be up to €20 million or 4 percent of global turnover, whichever figure was greater.
These numbers are obviously enormous, and some companies still believe that they amount to nothing more than a threat that would never actually be carried out. However, it is important to remember that large companies have faced enormous data protection fines in the past.
For example, in 2016 WhatsApp was issued with a penalty of €10,000 for each day that it failed to comply with Dutch data laws. This was before the GDPR came into force, but since the regulation took effect, an extremely heavy penalty has been issued against Google for the company’s failure to comply with the rules.
Indeed, France’s data protection agency, CNIL, fined the tech giant €50 million. It seems Google was not complying with a key part of the regulations and had failed to provide information to their customers about how their data was being used. The discrepancy between the €10,000 per day and the €50 million is enormous, and it shows just how much the GDPR has changed things.
Myth 2: The GDPR won’t apply to the UK after Brexit.
There is a common misapprehension, which may be something of wishful thinking on the part of business owners who don’t want the hassle of achieving compliance, that UK businesses will not need to comply with the GDPR after Brexit because it is an EU law and the standard will therefore not apply to Britain.
However, it is important to note that the UK transposed all of the rules of the GDPR into the Data Protection Act 2018. This means that UK businesses will have exactly the same compliance requirements after Brexit as they did before.
Additionally, it should be noted that any British business that has dealings with EU citizens will still need to comply with the GDPR directly.
Myth 3: Once you are compliant you can stop worrying.
You might assume that as soon as your business is GDPR compliant, you can simply forget about the issue and go back to business as usual. But it is important to note that complying with the GDPR is actually an ongoing process rather than something that you achieve forever. Businesses need to ensure that they are taking regular steps to keep personal data secure.
Myth 4: GDPR is just a way to punish organisations.
Some businesses believe that the GDPR is simply a method of punishing organizations and finding new ways to fine them. The truth is that the regulations and rules surrounding data protection had become extremely outdated, and these laws are an important improvement on what was in place before.
While it is true that the GDPR has provided regulators with greater powers to fine organizations, it has also created a consistent framework for companies to operate in so that they can understand what is required from them.
Myth 5: Consent must be explicitly obtained.
You might remember when the GDPR came into force in May 2018 that there were a huge number of emails flooding into your inbox requesting consent for something that you had previously signed up for. This was because of a myth about consent to send marketing materials.
Some organizations believed – and continue to believe – that consent needs to be explicitly gained. However, this misses the fact that businesses can utilise a clause in the GDPR that allows organizations to contact individuals if there is legitimate interest from the individual.
Myth 6: Organisations need to appoint a DPO.
The GDPR makes reference to the importance of a Data Protection Officer (DPO) which led many organizations to assume that a DPO is required for all businesses. This is incorrect. In fact, a DPO is typically only required if you are a public body that processes data, your core activities involve regular monitoring of data subjects or you process sensitive data on a large scale.
Complying with the GDPR is not optional – it is a legal requirement for any organization that does business with EU clients, customers, partners or suppliers. If you are concerned that you don’t understand the GDPR and aren’t sure if your business is fully compliant, it is worth consulting with experts. Getting compliance right will help you avoid the risk of large fines and give your business added security.
About the Author: Mike James is a Brighton-based cybersecurity professional with over 20 years’ experience working in different IT roles. An author for many online and print magazines, Mike has covered a range of different aspects within business and personal cybersecurity – including penetration testing, ethical hacking and other threat detection measures.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.