The top 5 Misunderstandings of GDPR
Since its implementation in May 2018, GDPR has remained on the tip of every business owner’s tongue and processing and storing personal data securely continues to be a minefield. In order to unravel their complicated nature we decided to examine what data security really means and explore the top 5 misunderstandings of GDPR.
The Information Commissioner's Office (ICO) defines personal data as ‘information that relates to an identified or identifiable individual’. This means that any information which identifies an individual, such as a name, number, IP address or cookie identifier, is regarded as personal data.
It is important to remember that information which is truly anonymous is not covered by the GDPR, although very little information falls under this umbrella. If an individual can be identified, even from the smallest piece of data, that data is still subject to the GDPR.
What are the top 5 misunderstandings of GDPR?
1: “Everyone is going to get fined”
Whilst fines of 4% of annual turnover or €20m, whichever is the greater, are a threat looming over organisations, in reality these fines have only been issued to those who have made no effort to comply, who have shown complete disregard for the regulation, or who have suffered a significant data breach. A fine is still possible, however, and every effort should be made to abide by the GDPR. The larger threat to organisations for non-compliance is class action lawsuits from disgruntled employees and customers, along with loss of revenue from brand damage and lack of trust.
2: “Brexit means we don't need to bother”
How Brexit will affect our everyday lives and commercial activities is still uncertain. The UK regulator has confirmed that the GDPR will continue to be enforced in the UK, and mirroring the laws set out in the EU will remain imperative. See our blog on How to Prepare for a No Deal.
Communications such as emails and lengthy privacy policies regarding the processing of EU citizens' personally identifiable information are an important part of GDPR, but they are not enough on their own. The GDPR requires organisations to document the decisions taken about all processing activity and the security measures taken to prevent personal data from being deceptively obtained or misused.
4: “It’s just a tick in a box”
Consent must be unambiguous; it is not enough to ask people to un-tick a box if they want to stop receiving emails or do not consent to their personal data being processed or stored. A person must actively ‘check’ a box or provide written consent that they are happy for this to take place, and be made fully aware of what this involves, including being able to withdraw consent as freely as it was given.
5: “GDPR is only for large companies”
Regardless of the amount of personal information being processed or stored, the GDPR, the UK Data Protection Act and the Privacy & Electronic Communications Regulations still apply in the UK.
At ConsentEye, our award-winning Consent Management Solution brings together all preference data into a comprehensive and easy-to-manage cloud application. Affordable price plans are available for organisations of all sizes: SMEs can be up and running in 15 seconds, whilst integrations with a few preference data stores can take only a few days using the ConsentEye API. Speak with one of our GDPR-qualified specialists today!