General Data Protection Regulation (GDPR) Myths... BUSTED.
17th May 2018 by Sam Freeman
For those who have been living under a rock (or a mountain of paperwork), the biggest change to data protection law for decades, the General Data Protection Regulation, comes into force on 25th May. The countdown to compliance is officially on, and a staggering number of organisations across the country are in a mad panic over how to comply. If you are one of these businesses, here are a few myths that you should be aware of:
Myth 1: I will have to delete all data as soon as I finish my relationship with an individual
Not always; there may be a number of reasons why you should hold on to information about a client, employee or other individual after your relationship with them has come to an end. You might be obliged to keep it for tax purposes, for example, or be asked to provide a reference for an existing employee. Think carefully about the reasons you may need the data going forward. If there is no good reason to keep hold of it, then delete it; otherwise hold on to it until those reasons fall away.
Myth 2: I can only use personal data if the individual has consented to me using it in that way
You can process data as long as one of six different conditions applies; the consent of the individual is only one of them. What if, for example, a client refused to allow you to chase them for a payment they owed? How would you be able to operate? If you can rely on one of the other conditions (for example, you have a legal duty to process the data in that way), then you do not need consent. Please bear in mind, however, that if you do need consent, you need to make sure you are clear and upfront: don't use pre-ticked boxes, and don't hide a paragraph asking for consent in your terms and conditions.
Myth 3: I will automatically be fined millions of pounds if I commit any breach
To quote Richard Nevinson, the policy and engagement manager of the Information Commissioner's Office (ICO): "It is not our aim to put organisations out of business. If a breach warranted a fine of £30,000 under the Data Protection Act it probably warrants a similar fine under GDPR." This does not mean that hefty fines will not be levied in some cases, but these will mostly be aimed at organisations that are deliberately disregarding the law.
So what should organisations be doing in the lead-up to GDPR?
- Get out from under that rock / mountain of paperwork and start to read up on what is required from you.
- Document the steps you are taking to become compliant, for example set out how long you will hold onto personal data for and why.
- Make sure everyone in your organisation who deals with personal data (including anyone that deals with HR, marketing and accounts) is aware of GDPR.
- Understand how you collect, store, use and transfer personal data. Creating a map of this information will help you understand your obligations.
- Be aware that you will need to be upfront with individuals about the way in which you intend to use their data. Prepare suitable notices and make sure you provide them to individuals when you collect their data, so they understand what they are signing up for.
- If in doubt, ask an expert to help. Contact Laceys if you have any questions; we'd be happy to help.
For further information please contact Sam Freeman at firstname.lastname@example.org or on 01202 557256.