
General Data Protection Regulation (GDPR) Myths... BUSTED.

For those who have been living under a rock (or a mountain of paperwork), the biggest change to data protection law for decades, the General Data Protection Regulation, comes into force on 25th May. The countdown to compliance is officially on, and a staggering number of organisations across the country are in a mad panic over how to become compliant. If you are one of these businesses, here are a few myths that you should be aware of:

Myth 1: I will have to delete all data as soon as I finish my relationship with an individual

Not always; there may be a number of reasons why you should hold on to information about a client, employee or other individual when your relationship with them has come to an end. You might be obliged to hold on to it for tax purposes for example, or be asked to provide a reference for an existing employee. Think carefully about the reasons you may need the data going forward. If there is no good reason to keep hold of it, then delete it, otherwise hold onto it until those reasons fall away.

Myth 2: I can only use personal data if the individual has consented to me using it in that way

You can process data as long as one of six different conditions applies; obtaining the individual's consent is only one of them. What if, for example, a client refused to allow you to chase them for a payment they owed: how would you be able to operate? If you can rely on one of the other conditions (for example, you have a legal duty to process the data in that way), then you do not need consent. Please bear in mind, however, that if you do need consent, you must be clear and upfront: do not use pre-ticked boxes or hide a paragraph asking for consent in your terms and conditions.

Myth 3: I will automatically be fined millions of pounds if I commit any breach

To quote Richard Nevinson, the policy and engagement manager of the Information Commissioner's Office (ICO): "It is not our aim to put organisations out of business. If a breach warranted a fine of £30,000 under the Data Protection Act it probably warrants a similar fine under GDPR." This does not mean that hefty fines will not be levied in some cases, but these will mostly be aimed at those organisations that are deliberately disregarding the law.

So what should organisations be doing in the lead-up to GDPR?

  1. Get out from under that rock / mountain of paperwork and start to read up on what is required from you.
  2. Document the steps you are taking to become compliant, for example set out how long you will hold onto personal data for and why.
  3. Make sure everyone in your organisation who deals with personal data (including anyone that deals with HR, marketing and accounts) is aware of GDPR.
  4. Understand how you collect, store, use and transfer personal data. Creating a map of this information will help you understand your obligations.
  5. Be aware that you will need to be upfront with individuals about the way in which you intend to use their data. Prepare suitable notices and make sure you provide these to individuals when you collect their data, so they understand what they are signing up for.
  6. If in doubt ask an expert to help.

If you need any assistance then please contact one of our Data Protection experts.

This article is for general information only and does not constitute legal or professional advice. Please note that the law may have changed since this article was published.
