As the May deadline looms and the reality of GDPR compliance begins to sink in, it’s vital that organisations can distinguish between GDPR myths and facts.
Despite the threat of hefty fines and reputational damage for non-compliance, there’s a need for clarity on exactly what will change with the new legislation.
Here, we bust the top 5 myths around GDPR:
1. GDPR doesn’t apply to the UK because of Brexit
Wrong. Many things may change when Brexit comes into force, but the ICO (Information Commissioner’s Office) has already confirmed that its strategy regarding Data Protection is to ensure GDPR is UK law once Brexit takes place.
In any case, Brexit will not happen before GDPR comes into effect - it comes into law on 25thMay 2018, whilst Brexit will be arriving (at the earliest) in March 2019. No excuses here, compliance is a must.
2. All organisations will need to appoint a Data Protection Officer (DPO)
No. DPOs are required in several scenarios, but aren't mandatory in every organisation. DPOs are mandatory for:
Organisations with more than 250 employees.
Organisations where there is regular and systematic processing of data subjects on a large scale.
Organisations where data controllers or processors are processing sensitive data on a large scale.
The European Commission expands on these mandatory requirements in this document.
3. GDPR compliance is just about avoiding fines
Well, yes and no. The GDPR substantially increases the maximum fines possible, following a breach, which could cause serious financial damage to any organisation. Being compliant means organisations have a better chance of avoiding these fines, which is hugely important.
However, there’s a reputational element associated with GDPR, with customers and service users expecting their personal data to be secure and their consent obtained.
Organisations that aren’t compliant with GDPR run the risk of reputational damage, loss of revenue and potentially lasting brand damage.
GDPR at it’s core is about protecting the rights of individuals, but there are huge implications for organisations that ignore GDPR, or don’t deal with data breaches appropriately.
4. It's an issue for the IT team to deal with
This couldn’t be further from the truth. The GDPR makes substantial changes to the way that data is gathered, processed and removed from organisations’ databases.
It is imperative for the entire organisation – from marketing to the receptionist to HR – to understand how these changes will affect their day to day operations.
Data protection has to be seen as a priority across the whole organisation, and certainly not just left to those working in IT.
5. Compliance can be achieved quickly, so preparations can wait
Understanding, implementing and evaluation an organisation’s GDPR readiness will simply not happen overnight. Compliance takes ‘buy in’ from senior leaders and must be filtered down through the entire organisation before changes are truly in effect.
We may be 7 months away from the GDPR coming into effect, but until you’ve started your preparations, you don’t know when you’ll be ready.
So, what to do?
Working with specialist Data Privacy lawyers, Me Learning has launched a suite of tailored e-learning courses especially for GDPR.
For further details and to find the course package that best suits your organisation, click here.