As everyone is aware, GDPR came into effect on 25th May and by now all organisations should be working towards and maintaining their compliance to minimise the risk of a data breach. There are many interpretations of the legislation and from this stems a variety of misconceptions which we address in this practical GDPR guide.
1. “GDPR doesn’t apply to small businesses”
We hear from a lot of business owners saying that GDPR doesn’t apply to them because they are such a small entity, or saying that the full rules don’t apply because they are a small business. This is incorrect. GDPR applies to ANY organisation that processes personal data; so even if you only have 1 customer, GDPR applies to you and apart from a few differing accountability obligations, the rules aren’t more flexible for smaller organisations. A smaller organisation may have more obligations than a larger organisation due to the type and level of personal data processed.
2. “Is it personal data?”
Remember that GDPR only applies to “personal data” and not all data in its entirety. Two common misconceptions are:
- Company data – if it’s general company data (i.e. company accounts) then it’s not identified to an individual and therefore it is not covered under GDPR.
- Anonymised data – If you can’t identify someone from the information then it’s not covered under GDPR. An example of this would be equal opportunity forms in employment – these should not include an employee’s name therefore unless it is obvious from the information provided on the form (i.e. they are the only female in the company so it is obvious which one is their form) then it’s not covered under GDPR.
3. Worried about “consent”?
People are rushing to get data subject’s consent for everything however it’s not always necessary and definitely not always the best option. Under the legislation there are 6 lawful bases to choose from and consent is only one of them. If you can rely on another lawful basis, then why go through the hassle of obtaining consent, especially given someone can withdraw their consent at any time without refusal. If you believe you would struggle if someone withdrew their consent then chances are, you’re not relying on the correct lawful basis.
Imagine if a doctor in an A&E department refused to treat an unconscious patient because they don’t have their “consent” to process the patients’ medical records and is worried about breaching GDPR. This wouldn’t happen because the doctor would rely on the lawful basis of “in the vital interests of the data subject”. If another of the lawful bases can be used, consent is not required. For example; you don’t need consent to deliver a parcel to a customer’s address if they have purchased something online because you need to do this for the “performance of the contract” with the customer, which is one of the other lawful bases.
Similarly, you don’t need consent for a lot of the processing of employee personal data as you’ll likely use the other lawful basis of “legitimate interests”. The best thing to do is to map out all of the personal data you hold in the organisation and for the different purposes and then decide on your lawful basis for each. If it doesn’t fit into one of the other 5 lawful bases, you should then look at obtaining compliant consent.
4. Privacy Notices
Many organisations have been sending emails to their contact list, leading up to 25th May to make us all aware that they “take our privacy seriously”. This has led to lots of organisations believing they should be doing the same. You are legally required to have Privacy Notices in place for all data subjects where you are the controller of that personal data (i.e. employees, candidates, customers, patients, suppliers, etc.) however the legislation only states that is must be “easily accessible”, therefore there is no active need to issue this to data subjects or ask them to sign anything.
As long as you have the notice somewhere easily accessible if they want to view it, this is sufficient. Maybe some organisations have decided to send it out as a commercial decision to show customers they are working on GDPR or maybe they wrongly think there is an obligation on them to do so because they’ve received emails from others. The Privacy Notices should also be in “plain language” that is easily understandable, so you don’t need any fancy wording put together by a lawyer – you just need to be clear on what data it is you process and a few other requirements in regards to the content of the Privacy Notice.
5. “Fully compliant”
Some organisations are claiming to be “fully compliant” or asking others to confirm that they are “fully compliant” but the truth is, it’s impossible for anyone to claim this. You can’t, in every situation, completely eradicate all risk of a data breach occurring and in some situations, the impracticalities may outweigh the risk. For example; if you are legally required to retain a document for 6 years then retaining it for 6 years and 1 week means you’re technically in breach of GDPR and the requirement to retain “only for as long as necessary”.
It would be impractical to dispose of all data on the exact date it is no longer required but it would also be incorrect to say you were “fully compliant” – it’s a risk likely to be tolerated by many as the ICO are not going to be throwing around millions of pounds worth of fines because of this slight delay. Also, the legislation says you need “appropriate technical and organisational measures” in place however nobody can guarantee what the ICO or the courts will deem as “appropriate” so how can anyone confirm they are “fully compliant” with the measures they’ve put in place?
6. “What do I need to do?”
Many businesses who have contacted Wirehouse have panicked at the potential scale of the regulations and have asked “what do I need to do?” One size does not fit all as every organisation will hold different categories of personal data, will process this data in different ways for different purposes and have differing levels of current compliance. If you’re starting from scratch, undergoing a data mapping exercise would be the best starting point, or signing up for a report from Wirehouse Employer Services so that we can establish what data you process and point you in the right direction. There is no quick checklist that every organisation can run through to comply with GDPR.
7. “GDPR isn’t an ongoing responsibility”
Organisations wrongly believe that after they’ve put in the initial work on GDPR, it’s all over with. The truth is, it’s like any legislation and it needs to be maintained and reviewed. For example, you may put Health and Safety measures in place when you first open a business but due to changing functions in the business and changing laws, it needs to be reviewed and kept on top of.
For example, you need to consider GDPR whenever you process personal data in a new way than before, whenever you implement a new system which holds personal data, implementing a new CCTV camera, whenever you get a request from a data subject in relation to any of their rights under the legislation and ongoing training and awareness for new and current staff.
8. Accepting mistakes | Data Breach
Mistakes and breaches of GDPR will inevitably happen – its how you deal with a data breach that matters too. Can you mitigate it? Should you report it? Accept that breaches can happen or data can get hacked but be open about it when it does and have a plan in place to deal with it effectively.
9. “GDPR Experts”
There are a lot of people out there claiming to be “experts” on GDPR but remember; there is no case law or precedents yet so nobody can be entirely sure how the legislation will be interpreted and there are a few grey areas. You should be considering all options available and keeping an open mind as to how the ICO or the courts will deal with certain breaches and then make an informed decision whilst weighing up the risk.
10. Fines for a data breach
Everyone is fixated on the idea of a €20,000,000 fine for a breach of GDPR. We can’t guarantee an organisation won’t be fined that but remember that organisations could be fined up to £500,000 under the old data protection laws, how many people do you know who were fined that amount? It is a maximum fine as opposed to a set fine – so businesses could be fined £100 or £1,000 etc. The ICO confirmed in one of their recent articles that their first priority isn’t to fine organisations for a data breach and they have the option to provide recommendations for change in some situations instead.
If you’re still unsure about GDPR and what your company needs to do, we would recommend opting for our Report Service to give you an idea of how to move towards compliance and minimise the risk of a data breach. If you want the added security of being able to seek advice from our GDPR Practitioner with access to a full range of GDPR template documentation, we would recommend our Advice Line Service.
For further details about these GDPR Services from Wirehouse, contact us on email@example.com | 033 33 215 005